SonicWall Logs

Arctic Wolf® supports syslog server monitoring to enhance your network security. You can configure syslog forwarding from SonicWall® Global Management System (GMS) or your SonicWall firewall:

• Configure SonicWall firewall to send logs to Arctic Wolf
• Configure SonicWall GMS to send logs to Arctic Wolf

Configure SonicWall firewall to send logs to Arctic Wolf

1. Configure an Address Object for the Arctic Wolf Sensor.
2. Configure your SonicWall device for security monitoring.
3. Enable firewall rule change logging.
4. (Optional) Enable enhanced audit logging support.
5. Provide configuration details to Arctic Wolf.

Requirements

• Activated Arctic Wolf Sensor

Step 1: Configure an Address Object for the Arctic Wolf sensor

SonicWall uses object classes to define entities such as the Arctic Wolf sensor.

Based on your SonicOS version, complete one of the following:

• SonicOS 7.x

  1. Sign in to your SonicWall device as an administrator.

  2. In the menu bar, click OBJECT.

  3. In the navigation menu, click Match Objects > Addresses > Address objects.

  4. In the Add Address Object dialog box, do the following:

     • Name — Enter an identifiable name for the Arctic Wolf sensor.
     • Zone Assignment — Select the correct zone option.
     • Type — Select Host.
     • IP Address — Enter the IP address of your Arctic Wolf physical or virtual sensor.

  5. Click Save.

• SonicOS 6.5

  1. Sign in to your SonicWall device as an administrator.

  2. In the menu bar, click MANAGE.

  3. In the navigation menu, in the Policies section, click Objects > Address Objects.

  4. Click the Address Objects tab.

  5. Click + Add.

  6. In the Add Address Object dialog box, do the following:

     • Name — Enter an identifiable name for the Arctic Wolf sensor.
     • Zone Assignment — Select the correct zone option.
     • Type — Select Host.
     • IP Address — Enter the IP address of your Arctic Wolf physical or virtual sensor.

  7. Click Add.

Step 2: Configure your SonicWall device for security monitoring

Based on your SonicOS version, complete one of the following:

• SonicOS 7.x

  1. Sign in to your SonicWall device as an administrator.

  2. In the menu bar, click DEVICE.

  3. In the navigation menu, click Log > Syslog.

  4. Click the Syslog Servers tab.

  5. Click + Add.

  6. In the Add Syslog Server dialog box, do the following:

     • Name or IP Address — Select the address object you created in Configure an Address Object for the Arctic Wolf Sensor.
     • Syslog Format — Select Enhanced from the list.

  7. Click Add.

• SonicOS 6.5

  1. Sign in to your SonicWall device as an administrator.

  2. In the menu bar, click MANAGE.

  3. In the navigation menu, click Log Settings > SYSLOG.

  4. Click ADD.

  5. In the dialog that appears, do the following:

     • Name or IP Address — Select the address object you created in Configure an Address Object for the Arctic Wolf Sensor.
     • Syslog Format — Select Enhanced from the list.

  6. Click OK.

Step 3: Enable firewall rule change logging

Based on your SonicOS version, complete one of the following:

• SonicOS 7.x

  1. Sign in to your SonicWall device as an administrator.

  2. In the menu bar, click DEVICE.

  3. In the navigation menu, click Log > Settings.

  4. In the Firewall section, click Security Policy.

  5. Turn on the GUI, Alert, Syslog, and Email toggle for these rules:

     • Rule Deleted
     • Rule Modified
     • Rule Added

  6. Click Accept.

• SonicOS 6.5

  1. Sign in to your SonicWall device as an administrator.

  2. In the menu bar, click MANAGE.

  3. In the navigation menu, click Log > Settings.

  4. In the Firewall section, click Access Rules.

  5. Turn on the GUI, Alert, Syslog, and Email toggle for these rules:

     • Rule Deleted
     • Rule Modified
     • Rule Added

  6. Click Apply.

Step 4: Enable enhanced audit logging support

Based on your SonicOS version, complete one of the following:

• SonicOS 7.x

  1. Sign in to your SonicWall device as an administrator.
  2. In the menu bar, click DEVICE.
  3. In the navigation menu, click Settings > Administration.
  4. Click the Audit / SonicOS API tab.
  5. Turn on the Enhanced Audit Logging toggle.

• SonicOS 6.5

  1. Sign in to your SonicWall device as an administrator.
  2. In the menu bar, click MANAGE.
  3. In the navigation menu, click Appliance > Base Settings.
  4. Select the Enhanced Audit Logging checkbox.

Step 5: Provide your configuration details to Arctic Wolf

1. Go to the Arctic Wolf® Unified Portal.

2. Click Help > Open a New Ticket.

3. Include the following information in the message for your Concierge Security® Team (CST):

   • Confirmation that you have completed the steps in this configuration guide.
   • The IP address and/or hostname of the SonicWall firewall.
   • Any other questions or comments that you have.

4. Click Send Message.

5. Your CST reviews the details and confirms that Arctic Wolf is successfully processing the logs from your SonicWall firewall.

Configure SonicWall GMS to send logs to Arctic Wolf

You can use SonicWall GMS, a web-based application, to configure and manage multiple SonicWall firewall appliances from one location.

Requirements

• Activated Arctic Wolf Sensor
• SonicWall GMS Administrator account

Steps

1. Sign in to the SonicWall GMS console as an administrator.

2. In the browser, go to gms-ip/appliance/techSupport.html.

3. If a Warning dialog appears, click Accept.

4. In the Configuration File editor section, click Edit.

5. For the server that receives the forwarded logs, do the following:

   • syslog.forwardToHost — Enter the IP address of your Arctic Wolf physical or virtual sensor.
   • syslog.forwardToHostPort — Enter 514.

6. Click Update.

7. Restart the Arctic Wolf virtual or physical sensor.

8. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately.

See also

• SonicWall — Understanding Address Objects in SonicOS
• SonicWall — How can I configure a syslog server on a SOnicWall firewall?
• SonicWall — Keeping track of changes made to Firewall Rules
• SonicWall — How can I enable Enhanced Audit Logging SUpport?
• SonicWall Global Management System Getting Started Guide