Configuring Syslog Settings

To configure the Syslog settings on your firewall:
1
Go to the Log > Syslog page.
2
The Syslog Facility may be left as the factory default. Optionally, however, in the Syslog Settings section, from the Syslog Facility menu, select the Syslog Facility appropriate to your network:
Kernel
User-Level Messages
Mail System
System Daemons
Security/Authorization Messages
Messages Generated Internally by syslogd
Line Printer Subsystem
Network News Subsystem
UUCP Subsystem
Clock Daemon (BSP Linux)
AUTHPRV Security/Authorization Messages
FTP Daemon
NTP Subsystem
Log Audit
Log Alert
Clock Daemon (Solaris)
Local Use 0
Local Use 1
Local Use 2
Local Use 3
Local Use 4
Local Use 5
Local Use 6
Local Use 7
3
(Optional) To override appliance Syslog settings with Reporting Software settings if you are using Reporting Software, select the Override Syslog Settings with Reporting Software Settings option.
4
From the Syslog Format menu list, select the Syslog format that you want:
Default – Use the default SonicWall Syslog format.
* 
NOTE: Default Syslog Format is required for GMS or Reporting software.
WebTrends – Use the WebTrends Syslog format. You must have WebTrends software installed on your system.
Enhanced Syslog – Use the Enhanced SonicWall Syslog format.
ArcSight – Use the Arcsight Syslog format. The Syslog server must be configured with the ArcSight Logger application to decode the ArcSight messages. ArcSight Logger runs on a Linux 64-bit platform with CentOS 5.4.

If you select Enhanced Syslog or Arcsight, the configure icon becomes active. Clicking on the configure icon launches a configuration dialog where you can select the specific settings that you want to log.

5
If you selected:
Default or WebTrends, go to Step 13.
Enhanced Syslog, go to Step 6.
ArcSight, go to Step 10.
6
(Optional) If you selected Enhanced Syslog, click the configure icon. The Enhanced Syslog configuration dialog appears.

7
(Optional) Select the Enhanced Syslog options that you want to log. To select all options, click Select All. To deselect all options, click Clear All.
8
Click Save.
9
Go to Step 13.
10
(Optional) If you selected ArcSight, click the configure icon. The ArcSight configuration dialog appears.

11
(Optional) Select the ArcSight options that you want to log. To select all options, click Select All. To deselect all options, click Clear All.
12
Click Save.
13
In the Syslog ID field, enter the Syslog ID that you want.

A Syslog ID field is included in all generated Syslog messages, prefixed by “id= ". Thus, for the default value, firewall, all Syslog messages include "id=firewall." The ID can be set to a string consisting of 0 to 32 alphanumeric and underscore characters.

* 
NOTE: The Syslog ID field is fixed to firewall when the Override Syslog Settings with Reporting Software Settings option is enabled, and therefore, cannot be modified.
14
(Optional) Select Enable Event Rate Limiting if you want it. This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events. Specify the maximum number of events in the Maximum Events Per Second field; the minimum number is 0, the maximum is 1000, and the default is 1000 per second.
* 
NOTE: Event rate and data rate limiting are applied regardless of Log Priority of individual events.
15
(Optional) Select the Enable Data Rate Limiting if you want it. This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events. Specify the maximum number of bytes in the Maximum Bytes Per Second field; the minimum is number is 0, the maximum is 1000000000, and the default is 10000000 bytes per second.
16
(Optional) Select the Enable NDPP Enforcement for Syslog Server if you want it.
17
When you’ve finished setting the Syslog options, click Accept at the top of the page.