¶ SonicWALL
Does this information look incorrect or out-of-date? Please contact us at support@socos.io.
The Dell SonicWALL security appliance can send event messages to an external, user-configured Syslog server for viewing. The Syslog message format can be selected in Syslog Settings and the destination Syslog Servers can be specified in the table of Syslog Servers. By default this is 514, but can be changed to one appropriate for SOC.OS Agent (eg 2514)
The Log > Syslog page enables you to configure the various settings you want, when you send the log to a Syslog server. You can choose the Syslog facility (classification type) and the Syslog format that you want.
If you are using Dell SonicWALL’s Global Management System (GMS) to manage your firewall, the Syslog Format is fixed to Default and the Syslog ID is fixed to firewall. Thus, these fields are greyed-out and can't be modified. All other fields, however, can still be customized as needed.
¶ Configuration
To configure Syslog settings on your firewall:
- Go to the Log > Syslog page.
- The Syslog Facility may be left as the factory default. Optionally, however, in the Syslog Settings section, from the Syslog Facility menu, select the Syslog Facility appropriate to your network:
- Kernel
- User-Level Messages
- Mail System
- System Daemons
- Security/Authorization Messages
- Messages Generated Internally by syslogd
- Line Printer Subsystem
- Network News Subsystem
- UUCP Subsystem
- Clock Daemon (BSP Linux)
- AUTHPRV Security/Authorization Messages
- FTP Daemon
- NTP Subsystem
- Log Audit
- Log Alert
- Clock Daemon (Solaris)
- Local Use 0
- Local Use 1
- Local Use 2
- Local Use 3
- Local Use 4
- Local Use 5
- Local Use 6
- Local Use 7
- From the Syslog Format menu list, select the Syslog format to use ArcSight – SOC.OS is configured to parse ArcSight CEF format alerts.
When you select Arcsight, the Configure icon becomes active. Clicking on the configure icon launches a configuration dialog where you can select the specific settings that you want to log. - Click the Configure icon. ArcSight CEF fields Settings configuration window appears.
- Select the ArcSight options that you want to log, in most cases for SOC.OS this will be all. To select all options, click Select All.
- Click Save.
- In the Syslog ID box, enter the Syslog ID that you want.
A Syslog ID field is included in all generated Syslog messages, prefixed by “id= ". Thus, for the default value, firewall, all Syslog messages include "id=firewall." The ID can be set to a string consisting of 0 to 32 alphanumeric and underscore characters.
The Syslog ID field is fixed to firewall when the Override Syslog Settings with Reporting Software Settings option is enabled, and therefore, cannot be modified.
- (Optional) Select Enable Event Rate Limiting if you want it. This control allows you to enable rate limiting of events to prevent the internal or external (SOC.OS agent) logging mechanism from being overwhelmed by log events. Specify the maximum number of events in the Maximum Events Per Second field; the minimum number is 0, the maximum is 1000, and the default is 1000 per second.
Event rate and data rate limiting are applied regardless of Log Priority of individual events.
-
(Optional) Select the Enable Data Rate Limiting if you want it. This control allows you to enable rate limiting of data to prevent the internal or external (SOC.OS agent) logging mechanism from being overwhelmed by log events. Specify the maximum number of bytes in the Maximum Bytes Per Second field; the minimum is number is 0, the maximum is 1000000000, and the default is 10000000 bytes per second.
-
When you’ve finished setting the Syslog options, click Accept at the top of the page.
-
To configure specific alert levels that will be forwarded to SOC.OS, visit the Log>Settings page
-
The Logging Level allows you to filter events by priority. Events with equal or greater priority are passed. Events with a lower priority are dropped. This enables you to filter out lower level priorities to prevent them being logged in the system and sent to SOC.OS
On the Log > Settings page, you can set the baseline logging level to be displayed on the Log Monitor page. The following logging levels are available for selection:- Emergency
- Alert
- Critical
- Error
- Warning
- Notice
- Inform
- Debug
-
To set the logging level:
- Go to the Log > Settings page.
- From the Logging Level menu, select the logging level you want, this should be Warning and above for SOC.OS
-
To enable the Syslog forwarding of alerts for, On the Log > Settings page, the columns show the main event attributes that can be configured on different levels: category, group, or each event.
-
Set the Event Attributes by category level by selecting a specific category and clicking the Configure button to launch the Edit Log Category window. You can then select the Syslog checkbox for specific categories . Any changes done here apply to all groups and all events within the selected category.
¶ References
http://help.sonicwall.com/help/sw/eng/7020/26/2/3/content/Log_Syslog.120.2.htm
http://help.sonicwall.com/help/sw/eng/9620/26/2/4/content/Log_Settings.137.3.html