Skip to main content

Syslog - SonicWall Firewall

Jason Phelps
  • Updated

TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: SonicWall
SUMMARY: Configuration Guide for SonicWall firewalls using SonicOS

This page only covers the device-specific configuration, you'll still need to read Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup as well as opening a port in Microsoft Defender Firewall.

Vendor Information

Vendor

SonicWall

Supported Model Name/Number

SonicWall Firewall

Supported Software Version(s)

SonicOS 6.5.x, SonicOS 7.x

Collection Method

Syslog

Provider Name

Syslog-SonicWall

Additional Information

https://www.sonicwall.com/techdocs/pdf/sonicos-6-5-logs-and-reporting.pdf

https://www.sonicwall.com/support/technical-documentation/docs/sonicos-7.0.1-device_log/Content/introduction.htm

https://www.sonicwall.com/techdocs/pdf/SonicOS-X_7.0.1_LogEvents_ReferenceGuide.pdf

 

 

Device Configuration Checklist

  1. Creating an address object

    1. Go to Network > Address Objects

    2. Click Add

    3. Enter a friendly name for the object. Example: Huntress-SIEM (this will be used later)

    4. Set Zone Assignment to LAN

    5. Set Type to Host

    6. Enter the IP address of the Huntress agent configured to listen for syslog

    7. Click Add

  2. Add a Syslog Server

    1. Go to Device > Log > Syslog page.

    2. Click Syslog Servers tab.

    3. Click Add. The Add Syslog Server dialog appears.

    4. Set the Event Profile to 0.

    5. For the Name or IP Address, select the name of the Address Object created above

    6. Set Port to 514

    7. Set Syslog Format to “Enhanced”

    8. Set Syslog Facility to “Local Use 0”

    9. Click OK

  3. Enable the Syslog Server

    1. From the Syslog Server list find the one created above

    2. Check the box in the Enable column corresponding to the Syslog Server

 

Example Log Messages

 

Traffic Log Message

<134>  id=firewall sn=123456789ABC time="2024-09-13 07:51:33" fw=10.0.0.1 pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=a1:b2:c3:d4:e5:f6 src=10.0.0.2:58927:X0-V30 srcZone=LAN natSrc=10.0.0.3:39386 dstMac=a1:b2:c3:d4:e5:f6 dst=10.0.0.4:80:X1 dstZone=WAN natDst=10.0.0.5:80 usr="Unknown (SSO failed)" proto=tcp/http sent=693 rcvd=838 sess="Auto" rule="Default Access Rule" app=9 op=1 dstname=ocsp.digicert.com arg=/ME8wTTBLMEkwRzAHBgUrDgMCGgQU6468nUcrfgKRdxkj8qXxwcUeV7UEFLPbSKT5ocXYrjZBzBFjaWIpvEvGAhAMq6rRzsTpfMJmWIHQITj3 code=76 Category="Computer and Internet Security" note="Policy: CFS Default Policy, Info: 6148 " n=308796 fw_action="forward" dpi=0

 

IPS Log Message

<129>  id=firewall sn=123456789ABC time="2024-09-13 07:51:12" fw=10.0.0.1 pri=1 c=32 gcat=3 m=608 srcMac=a1:b2:c3:d4:e5:f6 src=10.0.0.2::X0-V30 srcZone=LAN dstMac=a1:b2:c3:d4:e5:f6 dst=10.0.0.3::X0 dstZone=LAN usr="Unknown (SSO failed)" proto=icmp type=8 icmpCode=0 rcvd=42 sess="Auto" rule="Default Access Rule_8" msg="IPS Detection Alert: ICMP PING, SID: 293, Priority: Low" msg="IPS Detection Alert: ICMP PING" sid=293 ipscat="ICMP PING" ipspri=3  n=113781

Related articles