Log > Syslog

In addition to the standard event log, the Dell SonicWALL security appliance can send a detailed log to an external Syslog server. The Dell SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred. The Dell SonicWALL Syslog support requires an external server running a Syslog daemon on UDP Port 514.

Tip See RFC 3164 - The BSD Syslog Protocol for more information.

Syslog Analyzers such as the default Dell SonicWALL Syslog or the WebTrends Firewall Suite can be used to sort, analyze, and graph Syslog data. Messages from the Dell SonicWALL security appliance are then sent to the server(s). Up to three Syslog servers can be connected.

The following graphic shows the Log > Syslog page.

Syslog Settings

The Log > Syslog page enables you to configure the various settings you want when you send the log to a Syslog server. You can choose the Syslog Facility and the Syslog Format that you want.

Note If you are using Dell SonicWALL’s Global Management System (GMS) to manage your firewall, the Syslog Server fields cannot be configured by the firewall administrator.


To configure the Syslog settings on your firewall:

1. Go to the Log > Syslog page.

Under the Syslog Settings heading:

2. From the Syslog Facility menu list, select the Syslog Facility that you want.
The following Syslog facilities are listed:

• Kernel Messages

• User-Level Messages

• Mail System

• System Daemons

• Security/Authorization Messages

• Messages Generated Internally by Syslog

• Line Printer Subsystem

• Network News Subsystem

• UUCP Subsystem

• Clock Daemon

• Security/Authorization Messages

• FTP Daemon

• NTP Subsystem

• Log Audit

• Log Alert

• Clock Daemon

• Local Use 0 (Local0)

• Local Use 1 (Local1)

• Local Use 2 (Local2)

• Local Use 3 (Local3)

• Local Use 4 (Local4)

• Local Use 5 (Local5)

• Local Use 6 (Local6)

• Local Use 7 (Local7)

3. (Optional) If you want to override the Syslog settings and use the reporting software settings, select the Override Syslog Settings with Reporting Software Settings option.

4. From the Syslog Format menu list, select the Syslog format that you want.
The following Syslog formats are listed:

Default – Use the default Dell SonicWALL Syslog format.

WebTrends – Use the WebTrends Syslog format. You must have WebTrends software installed on your system.

Enhanced Syslog – Use the Enhanced Dell SonicWALL Syslog format.

ArcSight – Use the ArcSight Syslog format. The Syslog server must be configured with the ArcSight Logger application to decode the ArcSight messages. ArcSight Logger runs on a Linux 64-bit platform with CentOS 5.4.

When you select Enhanced Syslog or ArcSight, the configure icon becomes active. Clicking the configure icon launches a configuration dialog where you can select the specific settings that you want to log.

5. (Optional) If you selected Enhanced Syslog, click the configure icon.
The Enhanced Syslog configuration dialog appears.

6. (Optional) Select the Enhanced Syslog options that you want to log.

7. (Optional) If you selected ArcSight, click the configure icon.
The ArcSight configuration dialog appears.

8. (Optional) Select the ArcSight options that you want to log.

9. In the Syslog ID box, enter the Syslog ID that you want.

A Syslog ID field is included in all generated Syslog messages, prefixed by "id=". Thus, for the default value, firewall, all Syslog messages include "id=firewall". The Syslog ID field is disabled when the Override Syslog Settings with Reporting Software Settings option is enabled.

10. (Optional) Select Enable Event Rate Limiting if you want it.
This control enables rate limiting of events, so that the internal or external logging mechanism is not overwhelmed by a burst of log events.

11. (Optional) Select Enable Data Rate Limiting if you want it.
This control enables rate limiting of data, so that the internal or external logging mechanism is not overwhelmed by the volume of log data.
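To show what a collector on the receiving end has to decode, the following is an added Python example (not SonicWALL code and not from this guide) that reads the RFC 3164 PRI header into the facility names listed above and the severity, then splits the key=value body, including the id= field set by the Syslog ID box. The sample message layout and its field names are constructed for illustration, not a verified capture of the appliance's default format.

```python
import re
from typing import Any, Dict

# RFC 3164 facility codes 0-23, in the order the Log > Syslog page lists them.
# Two names appear twice because the RFC assigns two codes to each of them.
FACILITIES = [
    "Kernel Messages", "User-Level Messages", "Mail System", "System Daemons",
    "Security/Authorization Messages", "Messages Generated Internally by Syslog",
    "Line Printer Subsystem", "Network News Subsystem", "UUCP Subsystem",
    "Clock Daemon", "Security/Authorization Messages", "FTP Daemon",
    "NTP Subsystem", "Log Audit", "Log Alert", "Clock Daemon",
] + [f"Local Use {n} (Local{n})" for n in range(8)]

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: <134> is facility 16 (Local0), severity 6 (informational).
SAMPLE = ('<134>id=firewall sn=SERIAL_PLACEHOLDER time="2024-05-01 10:15:30 UTC" '
          'fw=203.0.113.1 msg="Connection Opened" src=10.0.0.5:51234:X0 '
          'dst=198.51.100.7:443:X1 proto=tcp/https sent=1234 rcvd=5678')


def parse_sonicwall_syslog(line: str) -> Dict[str, Any]:
    """Decode the <PRI> header and the key=value body of one syslog line."""
    m = re.match(r"<(\d{1,3})>(.*)$", line, re.DOTALL)
    if not m:
        raise ValueError("missing RFC 3164 PRI header")
    pri, body = int(m.group(1)), m.group(2)
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        raise ValueError(f"invalid PRI value {pri}")
    fields: Dict[str, str] = {}
    for kv in KV_RE.finditer(body):
        # group(2) is the quoted form, group(3) the bare form; only one matches
        fields[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    return {
        "facility_code": pri >> 3,
        "facility": FACILITIES[pri >> 3],
        "severity": pri & 7,
        "fields": fields,
    }


def is_from_expected_sender(parsed: Dict[str, Any], syslog_id: str = "firewall") -> bool:
    """True when the message carries the id= value configured in the Syslog ID box."""
    return parsed["fields"].get("id") == syslog_id
```

A collector can use the id= check to separate the appliance's stream from other hosts sharing the same Syslog server and facility.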

Syslog Servers

To add Syslog servers to the Dell SonicWALL security appliance:

1. Click Add. The Add Syslog Server window is displayed.

2. Type the Syslog server name or IP address in the Name or IP Address field. Messages from the Dell SonicWALL security appliance are then sent to the servers.

3. If your Syslog server is not using the default port of 514, type the port number in the Port Number field.

4. Click OK.

5. Click Accept to save all Syslog Server settings.