In addition to the standard event log, the firewall can send a detailed log to an external Syslog server. SonicWALL Syslog captures all log activity and includes every connection source and destination IP address, IP service, and number of bytes transferred.
Syslog analyzers such as SonicWALL Analyzer, WebTrends, or ArcSight can be used to sort, analyze, and graph the Syslog data. The firewall sends its messages to the configured Syslog server(s). Up to seven (7) Syslog servers can be connected to the firewall.
The Log > Syslog page enables you to configure the various settings you want when you send the log to a Syslog server. You can choose the Syslog facility and the Syslog format that you want.
Note: SonicWALL Syslog support requires an external server running a Syslog daemon on a UDP port. The default port is UDP port 514, but you can choose a different port.
Note: See RFC 3164 - The BSD Syslog Protocol for more information.
Configuring Syslog Settings
To configure Syslog settings on your firewall:
1. Go to the Log > Syslog page.
2. Under the Syslog Settings heading, from the Syslog Facility menu list, select the Syslog Facility you want.
3. (Optional) If you want to override the Syslog settings and use the reporting software settings, select the Override Syslog Settings with Reporting Software Settings option.
Note: When ViewPoint mode or Analyzer mode is enabled, the Override Syslog Settings with Reporting Software Settings option is automatically selected. When this option is checked, the Syslog format is always reset to the Default format.
4. From the Syslog Format menu list, select the Syslog format that you want.
The following Syslog formats are listed:
– Default – Use the default SonicWALL Syslog format.
– WebTrends – Use the WebTrends Syslog format. You must have WebTrends software installed on your system.
– Enhanced Syslog – Use the Enhanced Dell SonicWALL Syslog format.
– ArcSight – Use the ArcSight Syslog format. The Syslog server must be configured with the ArcSight Logger application to decode the ArcSight messages.
5. (Optional) Select the Enable Event Rate Limiting option if you want it.
This control allows you to enable rate limiting of events to prevent the internal or external logging mechanism from being overwhelmed by log events.
6. (Optional) Select the Enable Data Rate Limiting option if you want it.
This control allows you to enable rate limiting of data to prevent the internal or external logging mechanism from being overwhelmed by log events.
To add a Syslog server to the firewall:
1. Go to the Log > Syslog page.
2. Under the Syslog Servers heading, click Add. The Add Syslog Server dialog appears.
3. In the Name or IP Address box, type the server name or the IP address of the Syslog server. Messages from the firewall are then sent to the servers.
4. If your Syslog server does not use default port 514, in the Port Number box, enter the appropriate port number.
5. Click OK.
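To check that messages reach the server and carry the Syslog Facility selected above, a small UDP receiver can decode the RFC 3164 priority value of each datagram. This is an added example, not SonicWALL code: the port 5514, the function names, and the key=value field names in the constructed sample are assumptions, not the firewall's documented format.

```python
import re
import socket

# Conventional short names for the RFC 3164 facility codes 0-23 and severity codes 0-7.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
              "audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# key=value pairs; a value is either double-quoted or runs to the next space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_datagram(data: bytes) -> dict:
    """Decode the RFC 3164 PRI and split the rest into key=value fields."""
    body = data.decode("utf-8", "replace")
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        return {"facility": None, "severity": None, "fields": {}, "raw": body}
    pri = int(m.group(1))
    body = body[m.end():]  # the PRI part is ASCII, so byte and character offsets match
    fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "fields": fields, "raw": body}


def serve(host="0.0.0.0", port=5514, count=None):
    """Print decoded datagrams; port 5514 is an arbitrary unprivileged choice."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        seen = 0
        while count is None or seen < count:
            data, (peer, _) = sock.recvfrom(8192)
            rec = parse_datagram(data)
            print(peer, rec["facility"], rec["severity"], rec["fields"] or rec["raw"])
            seen += 1


# Constructed sample, not captured from a firewall; the field names are assumptions.
SAMPLE = b'<134>src=10.0.0.5 dst=198.51.100.7 proto=tcp/https sent=1420 msg="Connection Closed"'

if __name__ == "__main__":
    print(parse_datagram(SAMPLE))  # PRI 134 = 16 * 8 + 6
    serve()
```

Enter the port passed to `serve()` in the Port Number box of the Add Syslog Server dialog; a datagram without a valid priority value is printed with facility and severity `None`.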