The tags beginning with firewall.sonicwall identify log events generated by the SonicWall Firewall (SonicOS).
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.
The full tag must have at least three levels. The first two are fixed as firewall.sonicwall. The third level identifies the SonicOS version and must be one of general or genv58.
Therefore, the valid tags are:
- firewall.sonicwall.general
- firewall.sonicwall.genv58
For more information, read more about Devo tags.
Devo Relay rule
Define a new rule on the relay so that all events received on a specified port are tagged with the correct firewall.sonicwall tag.
- Source Port → 13020 (you can use any port that is free on your relay)
- Target Tag → firewall.sonicwall
To configure the sending of log events to a remote syslog server (in this case, the Devo Relay), see the vendor documentation.