TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: SonicWall
SUMMARY: Configuration Guide for SonicWall firewalls using SonicOS
This page covers only the device-specific configuration; you will still need to read the Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup, including opening the listening port in Microsoft Defender Firewall on the host running the Huntress agent.
Vendor Information
| Vendor | SonicWall |
|---|---|
| Supported Model Name/Number | SonicWall Firewall |
| Supported Software Version(s) | SonicOS 6.5.x, SonicOS 7.x |
| Collection Method | Syslog |
| Provider Name | Syslog-SonicWall |
| Additional Information | SonicOS 6.5 Logs and Reporting; SonicOS 7.0.1 Log Events Reference Guide |
Please note that Huntress provides third-party vendor instructions as a best effort to expedite onboarding. Vendor documentation and versions change frequently, so you may need to find the syslog documentation that matches your version of the vendor software or service.
The links in the Additional Information row above point to the latest vendor documentation at the time of this writing.
Device Configuration Checklist
- Create an address object
  - Go to Network > Address Objects
  - Click Add
  - Enter a friendly name for the object, for example Huntress-SIEM (this name is used later)
  - Set Zone Assignment to LAN
  - Set Type to Host
  - Enter the internal IP address of the Huntress agent configured to listen for syslog
  - Click Add
- Add a Syslog Server
  - Go to the Device > Log > Syslog page
  - Click the Syslog Servers tab
  - Click Add. The Add Syslog Server dialog appears
  - Set the Event Profile to 0
  - For Name or IP Address, select the address object created above
  - Set Port to 514. Huntress SIEM does not accept TLS or otherwise encrypted syslog: make sure "Enable TLS" is not checked and do not select TLS as the transport protocol. Because the feed is sent in cleartext, keep the collector on the internal network (the LAN zone assigned above) rather than sending it across untrusted networks
  - Set Syslog Format to "Enhanced"
  - Set Syslog Facility to "Local Use 0"
  - Click OK
- Logging level checks
  - Follow this guide to verify that your logging level is set to Inform. You may not see data unless the logging level is Inform. See "Logging Levels" below for details
- Enable the Syslog Server
  - In the Syslog Server list, find the server created above
  - Check the box in the Enable column for that Syslog Server
Logging Levels
If you follow the Device Configuration Checklist above without taking any additional action, the logging level stays at its default, Inform. This level works for most partners and is the recommended starting point.
Please note:
- Setting the logging level to anything below Inform may result in sporadic or no data being sent.
- Setting the logging level to anything above Inform may result in duplicate sources.
- Follow this guide to customize the Firewall and SSL VPN event profiles and so control which events are sent to the SIEM.
- Refer to this guide to customize the log settings and levels that best suit your environment.
Example Log Messages
Traffic Log Message (the <134> header is facility 16, Local Use 0, with severity 6, Inform; the pri=6 field repeats that severity)
<134> id=firewall sn=123456789ABC time="2024-09-13 07:51:33" fw=10.0.0.1 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=a1:b2:c3:d4:e5:f6 src=10.0.0.2:58927:X0-V30 srcZone=LAN natSrc=10.0.0.3:39386 dstMac=a1:b2:c3:d4:e5:f6 dst=10.0.0.4:80:X1 dstZone=WAN natDst=10.0.0.5:80 usr="Unknown (SSO failed)" proto=tcp/http sent=693 rcvd=838 sess="Auto" rule="Default Access Rule" app=9 op=1 dstname=ocsp.digicert.com arg=/ME8wTTBLMEkwRzAHBgUrDgMCGgQU6468nUcrfgKRdxkj8qXxwcUeV7UEFLPbSKT5ocXYrjZBzBFjaWIpvEvGAhAMq6rRzsTpfMJmWIHQITj3 code=76 Category="Computer and Internet Security" note="Policy: CFS Default Policy, Info: 6148 " n=308796 fw_action="forward" dpi=0
IPS Log Message (the <129> header is facility 16, Local Use 0, with severity 1, Alert; note that the msg key appears twice in one message)
<129> id=firewall sn=123456789ABC time="2024-09-13 07:51:12" fw=10.0.0.1 pri=1 c=32 gcat=3 m=608 srcMac=a1:b2:c3:d4:e5:f6 src=10.0.0.2::X0-V30 srcZone=LAN dstMac=a1:b2:c3:d4:e5:f6 dst=10.0.0.3::X0 dstZone=LAN usr="Unknown (SSO failed)" proto=icmp type=8 icmpCode=0 rcvd=42 sess="Auto" rule="Default Access Rule_8" msg="IPS Detection Alert: ICMP PING, SID: 293, Priority: Low" msg="IPS Detection Alert: ICMP PING" sid=293 ipscat="ICMP PING" ipspri=3 n=113781
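The two messages above are in the Enhanced format selected in the checklist: a standard syslog PRI header followed by space-separated key=value pairs, with quoted values where a value contains spaces. The following is an added example, not part of the Huntress or SonicWall documentation, of a small Python parser that splits the PRI header into facility and severity, collects every key=value pair (keeping both copies of the repeated msg key in the IPS alert), and checks that an event matches the settings on this page: facility Local Use 0 (16), severity no more verbose than Inform (6), the pri= field agreeing with the header, and the Enhanced-format id=/sn=/fw=/m= fields present. The sample lines are the two shown above, embedded as constants so the script runs offline; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample messages copied from the two examples on this page (embedded so the
# script runs offline; no live firewall or listener is needed).
TRAFFIC_LINE = '<134> id=firewall sn=123456789ABC time="2024-09-13 07:51:33" fw=10.0.0.1 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=a1:b2:c3:d4:e5:f6 src=10.0.0.2:58927:X0-V30 srcZone=LAN natSrc=10.0.0.3:39386 dstMac=a1:b2:c3:d4:e5:f6 dst=10.0.0.4:80:X1 dstZone=WAN natDst=10.0.0.5:80 usr="Unknown (SSO failed)" proto=tcp/http sent=693 rcvd=838 sess="Auto" rule="Default Access Rule" app=9 op=1 dstname=ocsp.digicert.com arg=/ME8wTTBLMEkwRzAHBgUrDgMCGgQU6468nUcrfgKRdxkj8qXxwcUeV7UEFLPbSKT5ocXYrjZBzBFjaWIpvEvGAhAMq6rRzsTpfMJmWIHQITj3 code=76 Category="Computer and Internet Security" note="Policy: CFS Default Policy, Info: 6148 " n=308796 fw_action="forward" dpi=0'
IPS_LINE = '<129> id=firewall sn=123456789ABC time="2024-09-13 07:51:12" fw=10.0.0.1 pri=1 c=32 gcat=3 m=608 srcMac=a1:b2:c3:d4:e5:f6 src=10.0.0.2::X0-V30 srcZone=LAN dstMac=a1:b2:c3:d4:e5:f6 dst=10.0.0.3::X0 dstZone=LAN usr="Unknown (SSO failed)" proto=icmp type=8 icmpCode=0 rcvd=42 sess="Auto" rule="Default Access Rule_8" msg="IPS Detection Alert: ICMP PING, SID: 293, Priority: Low" msg="IPS Detection Alert: ICMP PING" sid=293 ipscat="ICMP PING" ipspri=3 n=113781'

# SonicOS "Enhanced" syslog: a standard <PRI> header, then space-separated
# key=value pairs. Values containing spaces are double-quoted, and the same
# key (e.g. msg) can appear more than once in a single message.
PRI_RE = re.compile(r"^<(\d{1,3})>\s*")
KV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)=("(?:[^"\\]|\\.)*"|\S*)')

LOCAL0 = 16   # syslog facility "Local Use 0", the facility selected in the checklist
INFORM = 6    # syslog severity "informational", the SonicOS "Inform" level
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Inform", "Debug"]


@dataclass
class SonicWallEvent:
    facility: int
    severity: int
    fields: Dict[str, List[str]] = field(default_factory=dict)

    def get(self, key: str, default: Optional[str] = None) -> Optional[str]:
        """First value recorded for key, or default when the key is absent."""
        values = self.fields.get(key)
        return values[0] if values else default


def parse_event(line: str) -> SonicWallEvent:
    """Split the <PRI> header and collect every key=value pair in order."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header at start of message")
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError("PRI %d out of range" % pri)
    event = SonicWallEvent(facility=pri // 8, severity=pri % 8)
    for key, raw in KV_RE.findall(line[m.end():]):
        # Strip surrounding quotes and unescape embedded quotes for quoted values.
        value = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        event.fields.setdefault(key, []).append(value)
    return event


def check_collection_settings(event: SonicWallEvent,
                              max_severity: int = INFORM) -> List[str]:
    """Return mismatches against this page's settings; an empty list means OK."""
    problems = []
    if event.facility != LOCAL0:
        problems.append("facility %d is not Local Use 0 (%d)" % (event.facility, LOCAL0))
    if event.severity > max_severity:
        problems.append("severity %s (%d) is more verbose than the %s cutoff"
                        % (SEVERITY_NAMES[event.severity], event.severity,
                           SEVERITY_NAMES[max_severity]))
    pri_field = event.get("pri")
    if pri_field is not None and pri_field.isdigit() and int(pri_field) != event.severity:
        problems.append("pri=%s disagrees with header severity %d" % (pri_field, event.severity))
    for required in ("id", "sn", "fw", "m"):
        if event.get(required) is None:
            problems.append("%s= missing; is Syslog Format set to Enhanced?" % required)
    return problems


def classify(event: SonicWallEvent) -> str:
    """Coarse event type derived from the fields SonicOS emits."""
    msg = event.get("msg", "")
    if event.get("sid") is not None or msg.startswith("IPS Detection Alert"):
        return "ips_alert"
    if event.get("fw_action") is not None:
        return "traffic"
    return "other"


def summarize(line: str) -> Dict[str, object]:
    """One-line digest of a raw message, the shape a SIEM normalizer might store."""
    event = parse_event(line)
    return {
        "kind": classify(event),
        "severity": SEVERITY_NAMES[event.severity],
        "firewall": event.get("fw"),
        "serial": event.get("sn"),
        "src": event.get("src"),
        "dst": event.get("dst"),
        "msg": event.get("msg"),
        "problems": check_collection_settings(event),
    }


if __name__ == "__main__":
    for raw in (TRAFFIC_LINE, IPS_LINE):
        print(summarize(raw))
```

Running the script prints a digest for each sample with an empty problems list, because both messages carry facility 16 and a severity within Inform. Feeding it a message with a different facility (for example a <14> header) or a Debug-level message (<135>) produces a non-empty problems list, which is a quick way to confirm that a firewall's Syslog Facility and logging level match this guide before the events reach the SIEM.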