Create a Remote Log Source - SonicWall

Topics Discussed

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

• Write Virtual Machine

• Delete Log Management

• Read Log Endpoints

• Read Log Relays

• Write Log Relays

• Delete Log Relays

You can use this document to add a remote log collector to a SonicWall remote device (log source).

Pre-Deployment Considerations

Before you begin, review the following requirements:

Log Relay

For remote log collection, you must have a Log Relay server on your account.

• To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection.

Assumptions

• The SonicWall device is running 6.5.X.X

• Your device is already configured and running the policies that are needed

• You already have a log relay box set up and configured correctly

• The security policies for any AWS security groups or firewalls allow traffic on port 10078 to reach the log relay

Configure the SonicWall Device

1. Log into the SonicWall console.

2. Review the top right corner of the screen, and confirm that Mode is set to Configuration.

   

   1. If Non-Config displays, then click the arrow, then click Change mode.

3. Click Manage.

4. Under Logs & Reporting, click Log Settings, then click SYSLOG.

   

5. Enter the Syslog Settings as follows:

   1. In Syslog ID, enter the desired identifier.

      • This ID will show up in all syslog logs.

   2. In Syslog Facility, select Local use 0.

   3. In Syslog Format, select Default.

   4. In Maximum Events Per Second, enter 1000.

   5. In Maximum Bytes Per Second, enter 10000000.

6. In the Syslog Servers section, click Add.

   1. In Event Profile, enter the desired name for the syslog forwarding profile.

      • This will be used again later.

   2. In Name or IP Address, select Create new address object.

      

      1. In Name, enter Log Relay.

      2. In Zone Assignment, select DMZ.

      3. In Type, select Host.

      4. In IP Address, enter the IP address of your log relay box.

         

      5. Click OK.

   3. In Port, enter 10078.

   4. In Syslog Format, select Default.

   5. In Syslog Facility, select Local Use 0.

   6. In Syslog ID, enter the same Syslog ID that was entered in step 5a.

   7. Leave the Enable Event Rate Limiting and Enable Data Rate Limiting boxes unchecked.

   8. Do not select a Local interface or Outbound Interface for the VPN Tunnel.

      

   9. Click OK.

7. Click Manage,

8. Under Logs & Reporting, click Log Settings, then click Base Setup.

   

9. Confirm that Logging Level is set to Inform.

10. Confirm that Alert Level is set to Alert.

    

11. In the Category column, select Network, then select Network Access.

    

    1. For the Connection Closed sub-category, set the Priority to Debug.

    2. For Connection Opened sub-category, set the Priority to Debug.

       

12. Locate the Syslog column, then click the green circle to the left of the column until it is fully shaded in dark green.

    

    • This will enable forwarding of all syslog logs.|

13. Click Accept.

Verify Connection in AMP

1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

2. Click Log & Data Management, and then select Search.

3. In the Source column, review the source name to locate the newly created SonicWall remote log source.

   1. In the search field, you can also enter "sonicwall" to locate SonicWall messages.