SonicWall® Logs

SonicWall® Logs Direct link to this section

Arctic Wolf® supports syslog server monitoring to enhance your network security. You can configure syslog forwarding from SonicWall® Global Management System (GMS) or your SonicWall® firewall:

• Configure SonicWall® firewall to send logs to Arctic Wolf
• Configure SonicWall® GMS to send logs to Arctic Wolf

Configure SonicWall® firewall to send logs to Arctic Wolf Direct link to this section

1. Configure an Address Object for the Arctic Wolf Sensor.
2. Configure your SonicWall® device for security monitoring.
3. Enable firewall rule change logging.
4. (Optional) Enable enhanced audit logging support.
5. Provide configuration details to Arctic Wolf.

Step 1: Configure an Address Object for the Arctic Wolf sensor Direct link to this section

SonicWall® uses object classes to define entities such as the Arctic Wolf sensor.

Based on your SonicOS version, complete one of the following:

• SonicOS 7.x

  1. Sign in to your SonicWall® device as an administrator.

  2. In the menu bar, click OBJECT.

  3. In the navigation menu, click Match Objects > Addresses > Address objects.

  4. In the Add Address Object dialog box, do the following:

     • Name — Enter an identifiable name for the Arctic Wolf sensor.
     • Zone Assignment — Select the correct zone option.
     • Type — Select Host.
     • IP Address — Enter the IP address of your Arctic Wolf physical or virtual sensor.

  5. Click Save.

• SonicOS 6.5

  1. Sign in to your SonicWall® device as an administrator.

  2. In the menu bar, click MANAGE.

  3. In the navigation menu, in the Policies section, click Objects > Address Objects.

  4. Click the Address Objects tab.

  5. Click + Add.

  6. In the Add Address Object dialog box, do the following:

     • Name — Enter an identifiable name for the Arctic Wolf sensor.
     • Zone Assignment — Select the correct zone option.
     • Type — Select Host.
     • IP Address — Enter the IP address of your Arctic Wolf physical or virtual sensor.

  7. Click Add.

Step 2: Configure your SonicWall® device for security monitoring Direct link to this section

Based on your SonicOS version, complete one of the following:

• SonicOS 7.x

  1. Sign in to your SonicWall® device as an administrator.

  2. In the menu bar, click DEVICE.

  3. In the navigation menu, click Log > Syslog.

  4. Click the Syslog Servers tab.

  5. Click + Add.

  6. In the Add Syslog Server dialog box, do the following:

     • Name or IP Address — Select the address object you created in Step 1.
     • Syslog Format — Select Enhanced from the list.

  7. Click Add.

• SonicOS 6.5

  1. Sign in to your SonicWall® device as an administrator.

  2. In the menu bar, click MANAGE.

  3. In the navigation menu, click Log Settings > SYSLOG.

  4. Click ADD.

  5. In the dialog that appears, do the following:

     • Name or IP Address — Select the address object you created in Step 1.
     • Syslog Format — Select Enhanced from the list.

  6. Click OK.

Step 3: Enable firewall rule change logging Direct link to this section

Based on your SonicOS version, complete one of the following:

• SonicOS 7.x

  1. Sign in to your SonicWall® device as an administrator.

  2. In the menu bar, click DEVICE.

  3. In the navigation menu, click Log > Settings.

  4. In the Firewall section, click Security Policy.

  5. Turn on the GUI, Alert, Syslog, and Email toggle for these rules:

     • Rule Deleted
     • Rule Modified
     • Rule Added

  6. Click Accept.

• SonicOS 6.5

  1. Sign in to your SonicWall® device as an administrator.

  2. In the menu bar, click MANAGE.

  3. In the navigation menu, click Log > Settings.

  4. In the Firewall section, click Access Rules.

  5. Turn on the GUI, Alert, Syslog, and Email toggle for these rules:

     • Rule Deleted
     • Rule Modified
     • Rule Added

  6. Click Apply.

Step 4: Enable enhanced audit logging support Direct link to this section

Based on your SonicOS version, complete one of the following:

• SonicOS 7.x

  1. Sign in to your SonicWall® device as an administrator.
  2. In the menu bar, click DEVICE.
  3. In the navigation menu, click Settings > Administration.
  4. Click the Audit / SonicOS API tab.
  5. Turn on the Enhanced Audit Logging toggle.

• SonicOS 6.5

  1. Sign in to your SonicWall® device as an administrator.
  2. In the menu bar, click MANAGE.
  3. In the navigation menu, click Appliance > Base Settings.
  4. Select the Enhanced Audit Logging checkbox.

Step 5: Provide your configuration details to Arctic Wolf Direct link to this section

1. Go to the Arctic Wolf® Unified Portal.

2. Click Help > Open a New Ticket.

3. Include the following information in the message for your Concierge Security® Team (CST):

   • Confirmation that you have completed the steps in this configuration guide.
   • The IP address and/or hostname of the SonicWall® firewall.
   • Any other questions or comments that you have.

4. Click Send Message.

5. Your CST reviews the details and confirms that Arctic Wolf is successfully processing the logs from your SonicWall® firewall.

Configure SonicWall® GMS to send logs to Arctic Wolf Direct link to this section

You can use SonicWall® GMS, a web-based application, to configure and manage multiple SonicWall® firewall appliances from one location.

1. Sign in to the SonicWall® GMS console as an administrator.

2. In the browser, go to gms-ip/appliance/techSupport.html.

3. If a Warning dialog appears, click Accept.

4. In the Configuration File editor section, click Edit.

5. For the server that receives the forwarded logs, do the following:

   • syslog.forwardToHost — Enter the IP address of your Arctic Wolf physical or virtual sensor.
   • syslog.forwardToHostPort — Enter 514.

6. Click Update.

7. Restart the Arctic Wolf virtual or physical sensor.

8. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately.

See also Direct link to this section

• SonicWall® — Understanding Address Objects in SonicOS
• SonicWall® — How can I configure a syslog server on a SOnicWall firewall?
• SonicWall® — Keeping track of changes made to Firewall Rules
• SonicWall® — How can I enable Enhanced Audit Logging SUpport?
• SonicWall® Global Management System Getting Started Guide