Use this document to configure a SonicWall device (the remote log source) to forward its syslog output to a Log Relay for remote log collection.


Pre-Deployment Considerations


Before you begin, review the following requirements:

Log Relay

For remote log collection, you must have a Log Relay server on your account.

Assumptions

  • The SonicWall device is running SonicOS 6.5.X.X

  • Your device is already configured and running the policies that are needed

  • You already have a log relay box set up and configured correctly

  • Any AWS security groups or intermediate firewalls allow syslog traffic from the SonicWall device to reach the log relay on port 10078


Configure the SonicWall Device

  1. Log into the SonicWall console.

  2. Review the top right corner of the screen, and confirm that Mode is set to Configuration.

    a. If Non-Config displays, click the arrow, then click Change mode.

  3. Click Manage.

  4. Under Logs & Reporting, click Log Settings, then click SYSLOG.

  5. Enter the Syslog Settings as follows:

    a. In Syslog ID, enter the desired identifier.

      • This ID is included in every syslog message the device sends.

    b. In Syslog Facility, select Local use 0.

    c. In Syslog Format, select Default.

    d. In Maximum Events Per Second, enter 1000.

    e. In Maximum Bytes Per Second, enter 10000000.

  6. In the Syslog Servers section, click Add.

    a. In Event Profile, enter the desired name for the syslog forwarding profile.

      • This name will be used again later.

    b. In Name or IP Address, select Create new address object.

      i. In Name, enter Log Relay.

      ii. In Zone Assignment, select DMZ.

      iii. In Type, select Host.

      iv. In IP Address, enter the IP address of your log relay box.

      v. Click OK.

    c. In Port, enter 10078.

    d. In Syslog Format, select Default.

    e. In Syslog Facility, select Local Use 0.

    f. In Syslog ID, enter the same Syslog ID that was entered in step 5a.

    g. Leave the Enable Event Rate Limiting and Enable Data Rate Limiting boxes unchecked.

    h. Do not select a Local Interface or Outbound Interface for the VPN Tunnel.

    i. Click OK.

  7. Click Manage.

  8. Under Logs & Reporting, click Log Settings, then click Base Setup.

  9. Confirm that Logging Level is set to Inform.

  10. Confirm that Alert Level is set to Alert.

  11. In the Category column, select Network, then select Network Access.

    a. For the Connection Closed sub-category, set the Priority to Debug.

    b. For the Connection Opened sub-category, set the Priority to Debug.

  12. Locate the Syslog column, then click the green circle to the left of the column until it is fully shaded in dark green.

    • This enables syslog forwarding for all event categories.

  13. Click Accept.


Verify Connection in AMP

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Log & Data Management, and then select Search.

  3. In the Source column, review the source name to locate the newly created SonicWall remote log source.

    • You can also enter "sonicwall" in the search field to locate SonicWall messages.
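Before, or instead of, waiting for messages to appear in AMP, you can confirm the SonicWall configuration directly from the raw lines the relay receives on port 10078 (for example, from a tcpdump capture on the relay). The script below is an added example and is not Armor's or SonicWall's code. It assumes the SonicWall Default syslog format: an RFC 3164 <PRI> header followed by space-separated key=value fields, with values containing spaces in double quotes and the configured Syslog ID carried in the id field. It checks three things the procedure above sets: that every line carries the Syslog ID from step 5a, that the facility decodes to Local use 0 (facility 16), and that Connection Opened and Connection Closed events are actually arriving. The sample lines and the Syslog ID armor-fw are constructed for this example, not captured from a device.

```python
"""Check raw SonicWall syslog lines received by the log relay.

Added example, not Armor's or SonicWall's code. Assumes the SonicWall
"Default" syslog format: an RFC 3164 <PRI> header, then space-separated
key=value fields with double-quoted values where a value contains spaces.
SAMPLE_LINES are constructed for this example, not captured from a device.
"""
import re
from collections import Counter

# "Local use 0" is syslog facility 16 (RFC 3164).
LOCAL0 = 16

# One key=value token: the value is either a double-quoted string (with
# backslash escapes) or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: two expected lines (Syslog ID "armor-fw", facility
# local0, Connection Opened/Closed at debug severity) and one stray line from
# a device still using the default Syslog ID "firewall" and a wrong facility.
SAMPLE_LINES = [
    '<135>Jan 10 12:00:01 fw01 id=armor-fw sn=0017C5000000 '
    'time="2024-01-10 12:00:01 UTC" fw=203.0.113.10 pri=7 c=1024 m=98 '
    'msg="Connection Opened" src=10.0.0.5:51234:X0 dst=198.51.100.20:443:X1 '
    'proto=tcp/https',
    '<135>Jan 10 12:00:05 fw01 id=armor-fw sn=0017C5000000 '
    'time="2024-01-10 12:00:05 UTC" fw=203.0.113.10 pri=7 c=1024 m=537 '
    'msg="Connection Closed" src=10.0.0.5:51234:X0 dst=198.51.100.20:443:X1 '
    'proto=tcp/https sent=1204 rcvd=8901',
    '<14>Jan 10 12:00:09 fw02 id=firewall sn=0017C5000001 '
    'time="2024-01-10 12:00:09 UTC" fw=203.0.113.11 pri=6 c=1024 '
    'msg="Relay check" src=10.0.0.9 dst=198.51.100.20',
]


def pri_parts(line):
    """Decode the leading <PRI> into (facility, severity); None if absent."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def parse_sonicwall(line):
    """Return the key=value fields of a Default-format line as a dict.

    Everything before the first ' id=' (PRI, timestamp, hostname) is skipped;
    quoted values have their surrounding quotes removed.
    """
    start = line.find(" id=")
    body = line[start + 1:] if start >= 0 else line
    fields = {}
    for key, value in _KV.findall(body):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def check_relay_lines(lines, expected_id):
    """Summarise a batch of received lines against the configuration above.

    Counts lines whose id field is not the configured Syslog ID, lines whose
    facility is not local0, and how many of each msg text arrived, so you can
    confirm that Connection Opened/Closed events are reaching the relay.
    """
    report = {"total": 0, "bad_id": 0, "bad_facility": 0, "messages": Counter()}
    for line in lines:
        report["total"] += 1
        parts = pri_parts(line)
        if parts is None or parts[0] != LOCAL0:
            report["bad_facility"] += 1
        fields = parse_sonicwall(line)
        if fields.get("id") != expected_id:
            report["bad_id"] += 1
        report["messages"][fields.get("msg", "<no msg>")] += 1
    return report


if __name__ == "__main__":
    summary = check_relay_lines(SAMPLE_LINES, "armor-fw")
    print(f"{summary['total']} lines, {summary['bad_id']} with an unexpected "
          f"Syslog ID, {summary['bad_facility']} not on facility local0")
    for msg, n in summary["messages"].most_common():
        print(f"  {n:4d}  {msg}")
```

Run it against a file of captured lines by replacing SAMPLE_LINES with the file's contents. A non-zero bad_id count usually means a device was missed in step 5a or 6f, a non-zero bad_facility count points at step 5b or 6e, and an empty tally for Connection Opened or Connection Closed means the Debug priority in step 11 or the Syslog column in step 12 did not take effect.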