SonicWall® Logs
Arctic Wolf® supports syslog server monitoring to enhance your network security. You can configure syslog forwarding from SonicWall® Global Management System (GMS) or your SonicWall® firewall:
- Configure SonicWall® firewall to send logs to Arctic Wolf
- Configure SonicWall® GMS to send logs to Arctic Wolf
Configure SonicWall® firewall to send logs to Arctic Wolf
- Configure an Address Object for the Arctic Wolf Sensor.
- Configure your SonicWall® device for security monitoring.
- Enable firewall rule change logging.
- (Optional) Enable enhanced audit logging support.
- Provide configuration details to Arctic Wolf.
Step 1: Configure an Address Object for the Arctic Wolf sensor
SonicWall® uses object classes to define entities such as the Arctic Wolf sensor.
Based on your SonicOS version, complete one of the following:
- SonicOS 7.x
  - Sign in to your SonicWall® device as an administrator.
  - In the menu bar, click OBJECT.
  - In the navigation menu, click Match Objects > Addresses > Address objects.
  - In the Add Address Object dialog box, do the following:
    - Name — Enter an identifiable name for the Arctic Wolf sensor.
    - Zone Assignment — Select the correct zone option.
    - Type — Select Host.
    - IP Address — Enter the IP address of your Arctic Wolf physical or virtual sensor.
  - Click Save.
- SonicOS 6.5
  - Sign in to your SonicWall® device as an administrator.
  - In the menu bar, click MANAGE.
  - In the navigation menu, in the Policies section, click Objects > Address Objects.
  - Click the Address Objects tab.
  - Click + Add.
  - In the Add Address Object dialog box, do the following:
    - Name — Enter an identifiable name for the Arctic Wolf sensor.
    - Zone Assignment — Select the correct zone option.
    - Type — Select Host.
    - IP Address — Enter the IP address of your Arctic Wolf physical or virtual sensor.
  - Click Add.
Step 2: Configure your SonicWall® device for security monitoring
Based on your SonicOS version, complete one of the following:
- SonicOS 7.x
  - Sign in to your SonicWall® device as an administrator.
  - In the menu bar, click DEVICE.
  - In the navigation menu, click Log > Syslog.
  - Click the Syslog Servers tab.
  - Click + Add.
  - In the Add Syslog Server dialog box, do the following:
    - Name or IP Address — Select the address object you created in Step 1.
    - Syslog Format — Select Enhanced from the list.
  - Click Add.
- SonicOS 6.5
  - Sign in to your SonicWall® device as an administrator.
  - In the menu bar, click MANAGE.
  - In the navigation menu, click Log Settings > SYSLOG.
  - Click ADD.
  - In the dialog that appears, do the following:
    - Name or IP Address — Select the address object you created in Step 1.
    - Syslog Format — Select Enhanced from the list.
  - Click OK.
Step 3: Enable firewall rule change logging
Based on your SonicOS version, complete one of the following:
- SonicOS 7.x
  - Sign in to your SonicWall® device as an administrator.
  - In the menu bar, click DEVICE.
  - In the navigation menu, click Log > Settings.
  - In the Firewall section, click Security Policy.
  - Turn on the GUI, Alert, Syslog, and Email toggle for these rules:
    - Rule Deleted
    - Rule Modified
    - Rule Added
  - Click Accept.
- SonicOS 6.5
  - Sign in to your SonicWall® device as an administrator.
  - In the menu bar, click MANAGE.
  - In the navigation menu, click Log > Settings.
  - In the Firewall section, click Access Rules.
  - Turn on the GUI, Alert, Syslog, and Email toggle for these rules:
    - Rule Deleted
    - Rule Modified
    - Rule Added
  - Click Apply.
Step 4: Enable enhanced audit logging support
Based on your SonicOS version, complete one of the following:
- SonicOS 7.x
  - Sign in to your SonicWall® device as an administrator.
  - In the menu bar, click DEVICE.
  - In the navigation menu, click Settings > Administration.
  - Click the Audit / SonicOS API tab.
  - Turn on the Enhanced Audit Logging toggle.
- SonicOS 6.5
  - Sign in to your SonicWall® device as an administrator.
  - In the menu bar, click MANAGE.
  - In the navigation menu, click Appliance > Base Settings.
  - Select the Enhanced Audit Logging checkbox.
Step 5: Provide your configuration details to Arctic Wolf
- Go to the Arctic Wolf® Unified Portal.
- Click Help > Open a New Ticket.
- Include the following information in the message for your Concierge Security® Team (CST):
  - Confirmation that you have completed the steps in this configuration guide.
  - The IP address and/or hostname of the SonicWall® firewall.
  - Any other questions or comments that you have.
- Click Send Message.
Your CST reviews the details and confirms that Arctic Wolf is successfully processing the logs from your SonicWall® firewall.
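A local spot check for Steps 2 and 3, added here as an example and not taken from Arctic Wolf or SonicWall documentation: it parses key=value syslog lines and reports which of the Rule Added, Rule Modified and Rule Deleted events appear in a capture. The sample lines are constructed, and the field names (`sn`, `time`, `msg`) and message wording are assumptions to compare against lines captured from your own firewall.

```python
import re

# key=value pairs; a value is either a "quoted string" or a bare token.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')

# Event names come from Step 3; finding them inside msg= is an assumption.
RULE_EVENT = re.compile(r'\brule\s+(added|modified|deleted)\b', re.I)


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    # Drop an optional syslog priority header such as "<134>".
    body = re.sub(r'^<\d{1,3}>', '', line.strip())
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(body)}


def rule_changes(lines):
    """Return (time, serial, action) for every rule-change event found."""
    found = []
    for line in lines:
        fields = parse_line(line)
        match = RULE_EVENT.search(fields.get("msg", ""))
        if match:
            found.append((fields.get("time", "?"), fields.get("sn", "?"),
                          match.group(1).lower()))
    return found


def missing_actions(lines):
    """Return the Step 3 actions that never appear in the capture."""
    seen = {action for _, _, action in rule_changes(lines)}
    return sorted({"added", "modified", "deleted"} - seen)


# Constructed sample lines, not real device output. Field names and message
# wording are assumptions; replace SAMPLE with lines from your own capture.
SAMPLE = [
    '<134>id=firewall sn=PLACEHOLDERSN time="2024-01-01 10:00:00 UTC" fw=192.0.2.1 pri=6 msg="Access rule added" usr="admin"',
    '<134>id=firewall sn=PLACEHOLDERSN time="2024-01-01 10:05:00 UTC" fw=192.0.2.1 pri=6 msg="Connection Closed" src=198.51.100.7',
    '<134>id=firewall sn=PLACEHOLDERSN time="2024-01-01 10:09:00 UTC" fw=192.0.2.1 pri=6 msg="Access rule deleted" usr="admin"',
]

if __name__ == "__main__":
    for event in rule_changes(SAMPLE):
        print(event)
    print("not seen:", missing_actions(SAMPLE))
```

Adding, editing and then deleting a throwaway test rule should leave `missing_actions` empty; any action still listed points to a Syslog toggle from Step 3 that is not on.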
Configure SonicWall® GMS to send logs to Arctic Wolf
Note: Depending on log settings, this configuration may cause limitations for alerting. Please discuss this configuration with your CST or Deployment representative for alternatives.
You can use SonicWall® GMS, a web-based application, to configure and manage multiple SonicWall® firewall appliances from one location.
- Sign in to the SonicWall® GMS console as an administrator.
- In the browser, go to gms-ip/appliance/techSupport.html.
- If a Warning dialog appears, click Accept.
- In the Configuration File editor section, click Edit.
- For the server that receives the forwarded logs, do the following:
  - syslog.forwardToHost — Enter the IP address of your Arctic Wolf physical or virtual sensor.
  - syslog.forwardToHostPort — Enter 514.
- Click Update.
- Restart the Arctic Wolf virtual or physical sensor.
- Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately.
See also
- SonicWall® — Understanding Address Objects in SonicOS
- SonicWall® — How can I configure a syslog server on a SonicWall firewall?
- SonicWall® — Keeping track of changes made to Firewall Rules
- SonicWall® — How can I enable Enhanced Audit Logging Support?
- SonicWall® Global Management System Getting Started Guide