Syslog Configuration for SonicWall

Configuration Guide

Overview

This document describes how to configure your SonicWall firewall to send the necessary logs to Arctic Wolf for security monitoring.

Configuring an Address object for the Arctic Wolf sensor

SonicWall uses object classes to define entities such as the Arctic Wolf sensor. For more information, see Understanding Address Objects in SonicOS on the SonicWall website.

To configure an Address object:

  1. Sign in to your SonicWall device as an administrator.
  2. Select Manage > Policies > Objects > Address Objects.
  3. Click Add to open the Add Address Object prompt.
  4. Configure the following options:
    1. Name — Enter an identifiable name for the Arctic Wolf sensor.
    2. Zone Assignment — Select the correct zone option.
    3. Type — Select Host.
    4. IP Address — Enter the management IP address for the Arctic Wolf sensor.
  5. Click Add to save the configuration.
  6. Proceed to Configuring your SonicWall device for security monitoring.

Configuring your SonicWall device for security monitoring

For more information, see How can I configure a syslog server on a SonicWall firewall? on the SonicWall website.

To configure your SonicWall device for security monitoring:

  1. Sign in to your SonicWall device as an administrator.
  2. Select Device > Log > Syslog.
  3. Click Add to add a new IP address.
  4. Select the Address object you created in Configuring an Address object for the Arctic Wolf sensor.
  5. Click OK to save the configuration.
  6. Proceed to Enabling firewall rule change logging.

Enabling firewall rule change logging

For more information, see Keeping track of changes made to Firewall Rules on the SonicWall website.

To enable logging for when an access rule is added, deleted, or modified:

  1. Sign in to your SonicWall device as an administrator.
  2. Select Device > Log > Settings.
  3. Navigate to the Firewall section and click Security Policy.
  4. Turn on the GUI, Alert, Syslog, and Email toggles for these rules:
    • Rule Deleted
    • Rule Modified
    • Rule Added
  5. Select Accept to save the configuration.
  6. Proceed to Providing configuration details to Arctic Wolf.

Enabling enhanced audit logging support

For more information, see How can I enable Enhanced Audit Logging Support? on the SonicWall website.

To enable enhanced audit logging support for higher level events:

  1. Sign in to your SonicWall device as an administrator.
  2. Select Manage > Appliance > Base Settings.
  3. Select Enhanced Audit Logging.

Providing configuration details to Arctic Wolf

To provide the necessary configuration details to Arctic Wolf:

  1. Visit the Arctic Wolf Portal and select Contact your CST.
  2. Include the following information in the message for your Concierge Security® Team (CST):
    • Confirmation that you have completed the steps in this configuration guide.
    • The IP address assigned to the SonicWall firewall.
    • Any other questions or comments that you have.
  3. Select Send. Your CST will review the details and confirm that we are successfully processing the logs from your SonicWall device.