- You can configure a SonicWall firewall to send its logs to a remote Syslog server, specifying the destination port and Syslog facility.
- Since the logs cannot be sent over TCP or tagged at the source, you must send them to an In-house Relay, which tags them as firewall.sonicwall.type.subtype and forwards them to Devo.
- The elements type and subtype are fixed and identify the type and format of the event.
- They can take one of the following values (corresponding to the different log types):
For more information on how tags work, check the Introduction to tags article.
In-house Relay configuration
The first step is to install an In-house Relay so that these logs can be tagged correctly.
Then define a new rule so that all events arriving on the chosen port (e.g. port 13020) are tagged as firewall.sonicwall.type.subtype.
- The rule must also append the corresponding type.subtype to firewall.sonicwall according to the nature of each event.
- That information is extracted from the message with a regular expression; the captured data is used to build the final tag for each event.
You must consider the following fields when creating the new rule:
- Source Port → 13020
- Target Tag → firewall.sonicwall
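The following Python script is an added example, not code from this page or from Devo, of what the relay rule described above does: it reads SonicWall syslog lines (constructed samples, not captured from a real device), extracts the key=value fields and the syslog PRI header with regular expressions, and builds the final tag firewall.sonicwall.type.subtype from a captured field. The table mapping the captured message ID (the m= field) to a type/subtype pair is hypothetical, since the real list of values is not reproduced here; events the rule cannot classify fall back to the base Target Tag firewall.sonicwall rather than being dropped.

```python
import re
from typing import Dict, Iterable, Iterator, Optional, Tuple

BASE_TAG = "firewall.sonicwall"  # Target Tag of the relay rule

# Syslog PRI header (<facility*8 + severity>) prepended by the firewall.
PRI_RE = re.compile(r"^<(\d{1,3})>")
# SonicWall key=value pairs; values may be double-quoted (time="...", msg="...") or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# HYPOTHETICAL mapping of SonicWall message IDs (m= field) to the type.subtype
# pair appended to the tag. The real table is not reproduced on this page.
MESSAGE_ID_TO_TYPE_SUBTYPE: Dict[str, Tuple[str, str]] = {
    "537": ("traffic", "closed"),
    "36": ("traffic", "dropped"),
    "82": ("security", "portscan"),
}

# Constructed sample lines in SonicWall's key=value syslog format (not real captures).
SAMPLE_LINES = [
    '<134>id=firewall sn=0017C5XXXXXX time="2023-05-02 10:11:12 UTC" fw=203.0.113.10 '
    'pri=6 c=1024 m=537 msg="Connection Closed" src=10.0.0.5:51234:X0 '
    'dst=198.51.100.7:443:X1 proto=tcp/https',
    '<132>id=firewall sn=0017C5XXXXXX time="2023-05-02 10:11:13 UTC" fw=203.0.113.10 '
    'pri=4 c=4 m=36 msg="TCP connection dropped" src=10.0.0.9:4444:X0 '
    'dst=203.0.113.10:22:X1 proto=tcp/ssh',
    '<134>id=firewall sn=0017C5XXXXXX time="2023-05-02 10:11:14 UTC" fw=203.0.113.10 '
    'pri=6 c=0 m=999 msg="Unclassified event"',
    "this is not a sonicwall message",
]


def syslog_facility(line: str) -> Optional[int]:
    """Return the syslog facility number from the PRI header, or None if absent."""
    m = PRI_RE.match(line)
    return int(m.group(1)) // 8 if m else None


def parse_sonicwall(line: str) -> Optional[Dict[str, str]]:
    """Split a SonicWall syslog line into its key=value fields.

    Returns None when the line does not carry the id=firewall marker and a
    message ID, i.e. when it is not a SonicWall event at all.
    """
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("id") != "firewall" or "m" not in fields:
        return None
    return fields


def tag_for(line: str) -> str:
    """Build the final Devo tag for one event, as the relay rule would."""
    fields = parse_sonicwall(line)
    if fields is None:
        return BASE_TAG  # not a SonicWall line: keep the rule's Target Tag only
    pair = MESSAGE_ID_TO_TYPE_SUBTYPE.get(fields["m"])
    if pair is None:
        return BASE_TAG  # known source, unknown message ID: no type.subtype added
    event_type, subtype = pair
    return f"{BASE_TAG}.{event_type}.{subtype}"


def relay(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (tag, raw line) pairs for everything received on the relay port."""
    for line in lines:
        yield tag_for(line), line


if __name__ == "__main__":
    for tag, raw in relay(SAMPLE_LINES):
        print(f"{tag:40s} facility={syslog_facility(raw)}  {raw[:60]}")
```

Because the relay port receives plain UDP syslog from anything that can reach it, syslog_facility() is a cheap sanity check: if a line's facility differs from the one configured on the firewall, something other than the SonicWall is probably sending to the rule's Source Port.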
To configure Syslog forwarding on the SonicWall, follow these steps:
- Log in to the SonicWall device as admin.
- Go to Log → Automation and scroll down to Syslog Servers (or Manage → Log Settings → SYSLOG for SonicOS 6.5 and later).
- Click Add.
- Enter the IP address of the Syslog server (the In-house Relay) in the IP address field, set the port to the one used by the relay rule (13020 in the example above), and click OK.
- After a few seconds the Syslog server should start showing logs from the firewall. Since the logs travel over plain UDP syslog, with no encryption or authentication, keep the relay on a trusted management network and restrict the relay port to the firewall's source address.