The tag used to label logs from a SonicWall firewall is firewall.sonicwall.type.subtype.
  • You can configure a SonicWall firewall to send its logs to a remote Syslog server, specifying the destination port and the Syslog facility.
  • Since the firewall cannot send logs over TCP or tag them at the source, the logs must be sent to an In-house Relay, which tags them as firewall.sonicwall.type.subtype and forwards them to Devo.

Tag structure

  • The elements type and subtype are fixed and they identify the type and format of the event.
  • These elements can have one of the following values (corresponding to the different log types):
    • firewall.sonicwall.general

For more information on how tags work, check the Introduction to tags article.

In-house Relay configuration

The first step is to install an In-house Relay so that these logs are tagged correctly.

Then define a new rule so that all events arriving on the chosen port (for example, port 13020) are tagged as firewall.sonicwall.type.subtype.

  • The rule must also append the corresponding type.subtype to firewall.sonicwall, depending on the nature of each event.
  • This information is extracted from the message using a regular expression. The captured data is used to build the final tag for each event.

You must consider the following fields when creating the new rule:

  • Source Port → 13020
  • Target Tag → firewall.sonicwall

SonicWall configuration

To configure Syslog forwarding on the SonicWall, follow these steps:

  1. Log in to the SonicWall device as admin.
  2. Go to Log → Automation and scroll down to Syslog Servers (or Manage → Log Settings → SYSLOG for SonicOS 6.5 and later).
  3. Click Add.
  4. Specify the IP address of the In-house Relay in the IP address field, set the port to the one used in the relay rule (13020 in this example), and click OK.
  5. After a few seconds, the In-house Relay should start receiving logs from the firewall.
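The following script is an added example, not Devo's In-house Relay code, and it serves both the relay rule above (events on the source port get the firewall.sonicwall base tag plus a suffix derived from the message with a regular expression) and the final check that the firewall's messages actually arrive at the relay. The page does not give the regular expression Devo's rule uses, so the pattern here is an assumption: it matches an optional RFC 3164 header (<PRI>, timestamp, hostname) followed by SonicWall's key=value body, which starts with id=firewall, and it decodes the facility and severity from the PRI so you can confirm the facility you configured on the firewall is the one arriving. Because firewall.sonicwall.general is the only tag value the page lists, every matching event gets that tag; non-matching lines are reported as dropped. The sample messages are constructed in SonicWall's syslog layout, not captured from a device, and the stand-alone demo uses a loopback UDP socket on an ephemeral port so it does not clash with a real relay listening on 13020.

```python
"""Relay-style tagging and arrival check for SonicWall syslog.

Added example, not Devo's In-house Relay code: a UDP listener that applies a
rule like the one described on the page (events on the source port ->
firewall.sonicwall.<suffix>) and a sender that pushes constructed SonicWall
messages through it.
"""
import re
import shlex
import socket
import threading

SOURCE_PORT = 13020                  # port the relay rule listens on (from the page)
TARGET_TAG = "firewall.sonicwall"    # base tag assigned by the relay rule
TAG_SUFFIX = "general"               # the only type value the page lists

# Assumed pattern (the page does not give Devo's regex): optional RFC 3164
# header (<PRI>, timestamp, hostname) followed by SonicWall's key=value body,
# which always starts with the id=firewall token.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<host>\S+) )?"
    r"(?P<body>id=firewall\b.*)$"
)


def parse_fields(body):
    """Split SonicWall's key=value body, honouring double-quoted values."""
    try:
        tokens = shlex.split(body)
    except ValueError:               # unbalanced quote: fall back to a plain split
        tokens = body.split()
    fields = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def tag_event(raw):
    """Apply the relay rule to one raw syslog line.

    Returns None when the line is not a SonicWall message (the rule does not
    match). Otherwise returns the final tag, the facility/severity decoded from
    the PRI header (facility 16 is local0; None when no header is present), the
    reporting host and the parsed key=value fields.
    """
    match = HEADER_RE.match(raw.strip())
    if not match:
        return None
    pri = match.group("pri")
    facility, severity = divmod(int(pri), 8) if pri else (None, None)
    return {
        "tag": f"{TARGET_TAG}.{TAG_SUFFIX}",
        "facility": facility,
        "severity": severity,
        "host": match.group("host"),
        "fields": parse_fields(match.group("body")),
    }


# Constructed sample messages in SonicWall's syslog layout (not captured from a device).
SAMPLE_LINES = [
    '<134>Jan 15 10:21:07 10.10.1.1 id=firewall sn=C0EAE4XXXXXX '
    'time="2021-01-15 10:21:07 UTC" fw=203.0.113.5 pri=6 c=1024 m=98 '
    'msg="Connection Opened" n=1234 src=10.10.1.50:51234:X0 '
    'dst=198.51.100.20:443:X1 proto=tcp/https',
    '<134>Jan 15 10:21:09 10.10.1.1 id=firewall sn=C0EAE4XXXXXX '
    'time="2021-01-15 10:21:09 UTC" fw=203.0.113.5 pri=1 c=32 m=30 '
    'msg="Administrator login allowed" n=77 usr=admin src=10.10.1.9:55001:X0',
    '<13>Jan 15 10:21:10 otherhost sshd[412]: Accepted publickey for ops',
]


def receive_and_tag(sock, count):
    """Read `count` datagrams from an already-bound UDP socket and tag each one."""
    results = []
    for _ in range(count):
        data, _addr = sock.recvfrom(65535)
        results.append(tag_event(data.decode("utf-8", errors="replace")))
    return results


if __name__ == "__main__":
    # Loopback demo on an ephemeral port so it does not clash with a real relay;
    # against a live relay, point the firewall (or `logger`) at SOURCE_PORT instead.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    results = []
    worker = threading.Thread(
        target=lambda: results.extend(receive_and_tag(listener, len(SAMPLE_LINES))))
    worker.start()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in SAMPLE_LINES:
        sender.sendto(line.encode(), ("127.0.0.1", port))
    worker.join()
    for line, result in zip(SAMPLE_LINES, results):
        if result is None:
            print("DROPPED (rule did not match):", line[:48])
        else:
            print(result["tag"], "facility", result["facility"], result["fields"].get("msg"))
```

Run it once to see the two SonicWall samples tagged firewall.sonicwall.general with facility 16 and the sshd line dropped; to test the real path, replace the loopback sender with the firewall itself pointed at the relay's port 13020 and confirm the facility number matches what you configured under Log → Automation.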
