In addition to the standard event log, the SonicWALL security appliance can send a detailed log to an external Syslog server. The SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514.
Tip: See RFC 3164 - The BSD Syslog Protocol for more information.
Syslog Analyzers such as SonicWALL ViewPoint or WebTrends Firewall Suite can be used to sort, analyze, and graph the Syslog data. Messages from the SonicWALL security appliance are then sent to the server(s). Up to three Syslog server IP addresses can be added.
The following Syslog settings can be configured:
Syslog Facility - Allows you to select the facilities and severities of the messages based on the syslog protocol.
Override Syslog Settings with ViewPoint Settings - When using SonicWALL ViewPoint for your reporting solution, select this checkbox to override Syslog settings.
Note: For more information on SonicWALL ViewPoint, go to http://www.sonicwall.com.
Syslog Format - The following Syslog formats can be specified:
Note: To modify the Syslog format, both ViewPoint and Analyzer must be disabled (on the Log > ViewPoint and Log > Analyzer pages, respectively).
Default – Use the default SonicWALL Syslog format.
WebTrends – Use the WebTrends Syslog format. You must have WebTrends software installed on your system.
Enhanced Syslog – Use the Enhanced SonicWALL Syslog format. Click the configure icon to specify which categories of Syslog messages will be logged.
ArcSight – Use the ArcSight Syslog format. A Syslog server must be configured with the ArcSight Logger application to decode the ArcSight messages. ArcSight Logger runs on a Linux 64-bit platform with CentOS 5.4. Click the configure icon to specify which categories of Syslog messages will be logged.
Note: If the SonicWALL security appliance is managed by SonicWALL GMS, the Syslog Server fields cannot be configured by the administrator of the SonicWALL security appliance.
Syslog ID – The Syslog ID field is included in all generated syslog messages, prefixed by "id=". Thus, for the default value of "firewall", all syslog messages will include "id=firewall". The Syslog ID field is disabled when the Override Syslog Settings with Reporting Software Settings option is enabled.
Enable Event Rate Limiting – This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.
Enable Data Rate Limiting – This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events.
To add syslog servers to the SonicWALL security appliance:
Click Add. The Add Syslog Server window is displayed.
Type the Syslog server name or IP address in the Name or IP Address field. Messages from the SonicWALL security appliance are then sent to the servers.
If your Syslog server is not using the default port of 514, type the port number in the Port Number field.
Click OK.
Click Accept to save all Syslog Server settings.
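An added example of the receiving side (not from SonicWALL's documentation): it decodes the RFC 3164 PRI value into facility and severity, parses the key=value fields, and rejects datagrams whose id= field does not match the configured Syslog ID. The sample datagram and every field name other than id= are constructed assumptions, as are the function names.

```python
import re
import socket

# Severity names from RFC 3164, indexed by the low three bits of PRI.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; a value is double-quoted or a run of non-space characters.
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# Constructed sample datagram. Only the id= field is documented on this page;
# every other field name and value here is an assumption for illustration.
SAMPLE = (b'<134>id=firewall time="2024-01-01 00:00:00" msg="Connection Opened" '
          b'src=192.0.2.10 dst=198.51.100.5 proto=tcp/https sent=1240')


def parse_message(datagram, expected_id="firewall"):
    """Decode one datagram; raise ValueError if it is malformed or has the wrong id=."""
    text = datagram.decode("utf-8", errors="replace").strip()
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:  # 191 = facility 23, severity 7
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    fields = {}
    for key, value in PAIR_RE.findall(text[m.end():]):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the surrounding quotes
        fields.setdefault(key, value)  # keep the first occurrence of a repeated key
    if fields.get("id") != expected_id:
        raise ValueError("id= does not match the configured Syslog ID")
    return {"facility": pri >> 3, "severity": SEVERITIES[pri & 7], "fields": fields}


def listen(host="0.0.0.0", port=514, expected_id="firewall"):
    """Receive UDP datagrams and yield (sender, parsed message), skipping rejects."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, peer = sock.recvfrom(8192)
            try:
                yield peer[0], parse_message(data, expected_id)
            except ValueError as exc:
                print(f"rejected datagram from {peer[0]}: {exc}")


if __name__ == "__main__":
    print(parse_message(SAMPLE))
```

Binding to port 514 normally requires elevated privileges; pass a different port to listen() if the appliance's Port Number field is set to a non-default value.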