Configure a SonicWall firewall with SonicOS 7.x to send logs to Arctic Wolf

You can configure a SonicWall® firewall with SonicOS 7.x to send the necessary logs to Arctic Wolf® for security monitoring.

Requirements

• An activated Arctic Wolf Sensor
• Access to a SonicWall device with administrator permissions

Steps

1. Configure an Address Object for the Arctic Wolf Sensor.
2. Configure your SonicWall device for security monitoring.
3. Enable firewall rule change logging.
4. (Optional) Enable enhanced audit logging support.
5. Provide your SonicWall Firewall information to Arctic Wolf.

Step 1: Configure an Address Object for the Arctic Wolf sensor

1. Sign in to your SonicWall device with administrator permissions.

2. In the menu bar, click OBJECT.

3. In the navigation menu, click Match Objects > Addresses > Address objects.

4. In the Add Address Object dialog, configure these settings:

   • Name — Enter a name for the Arctic Wolf Sensor.
   • Zone Assignment — Select the correct zone.
   • Type — Select Host.
   • IP Address — Enter the IP address of your Arctic Wolf physical or virtual sensor.

5. Click Save.

Step 2: Configure your SonicWall device for security monitoring

1. Sign in to your SonicWall device as an administrator.

2. In the menu bar, click DEVICE.

3. In the navigation menu, click Log > Syslog.

4. Click the Syslog Servers tab.

5. Click + Add.

6. In the Add Syslog Server dialog, configure these settings:

   • Name or IP Address — Select the address object from Configure an Address Object for the Arctic Wolf Sensor.
   • Syslog Format — Select Enhanced.

7. Click Add.

Step 3: Enable firewall rule change logging

1. Sign in to your SonicWall device with administrator permissions.

2. In the menu bar, click DEVICE.

3. In the navigation menu, click Log > Settings.

4. In the Firewall section, click Security Policy.

5. Click the GUI, Alert, Syslog, and Email toggles to the on position for these rules:

   • Rule Deleted
   • Rule Modified
   • Rule Added

6. Click Accept.

Step 4: Enable enhanced audit logging support

This step is optional.

1. Sign in to your SonicWall device with administrator permissions.
2. In the menu bar, click DEVICE.
3. In the navigation menu, click Settings > Administration.
4. Click the Audit / SonicOS API tab.
5. Click the Enhanced Audit Logging toggle to the on position.

Step 5: Provide your SonicWall Firewall information to Arctic Wolf

1. Sign in to the Arctic Wolf® Unified Portal.

2. Click Help > Open a New Ticket.

3. On the Open a New Ticket page, configure these settings:

   • What is this ticket related to? — Select General request.
   • Subject — Enter Syslog changes.
   • Related ticket (optional) — Keep blank.
   • Message — Enter this information for your Concierge Security® Team (CST):
     • Confirmation that you completed the steps in this configuration guide.
     • The IP address or hostname you used during the configuration.
     • Any questions or comments that you have.

4. Click Send Message.

   Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.

See also

• Configure SonicWall to send logs to Arctic Wolf