How can I check if SonicWall sends out logs to syslog server and syslog server receives them?

11/25/2022 925 People found this article helpful 487,275 Views

Description

SonicWall Analyzer Reporting Module is a software application that creates dynamic, Web-based network reports. The Analyzer Reporting Module generates both real-time and historical reports to offer a complete view of all activity through SonicWall network security appliances. With Analyzer Reporting, you can monitor network access, enhance security, and anticipate future bandwidth needs.

This article illustrates the process of checking how SonicWall sends out Syslogs on UDP port 514 to the Syslog server existing on the network and also how the Syslog server receives the log files as Syslogs from the SonicWall.

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Performing packet capture on SonicWall

Login to the SonicWall web management.1.
Navigate to Monitor | Packet Monitor page in the GUI and click General.

3. In the Monitor Filter tab, specify the below information.

Ether Type(s): IP
IP Type(s): UDP
Destination Port(s): 514
Enable the check box "Enable Bidirectional Address and Port Matching

4. In the Display Filter tab, ensure all the checkboxes are enabled.

5. In the Advanced Monitor Filter tab, enable the checkboxes.

Monitor Firewall Generated Packets. (This will bypass the interface filter)
Monitor Intermediate Packets.

6. Click OK.
7. Click on Start Capture on the captured packets page to see the UDP 514 packets getting generated from SonicWall destined for Syslog server IP address.
Viewing Syslogs on Analyzer

Login to the SonicWall Analyzer sgms management page.
Navigate to the Firewall tab and click Global View.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Login to the SonicWall web management.1.
Navigate to Investigate| Packet monitor page in the GUI and click Configure.

3. In the Monitor Filter tab, specify the below information.

Ether Type(s): IP
IP Type(s): UDP
Destination Port(s): 514
Enable the check box "Enable Bidirectional Address and Port Matching".

4. In the Display Filter tab, ensure all the checkboxes are enabled.
5. In the Advanced Monitor Filter tab, enable the checkboxes.

Monitor Firewall Generated Packets. (This will bypass the interface filter)
Monitor Intermediate Packets.

6. Click OK.
7. Click on Start Capture on the Packet Monitor page to see the UDP 514 packets getting generated from SonicWall destined for the Syslog server IP address

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Performing packet capture on SonicWall

Login to the SonicWall web management.1.
Navigate to System | Packet Monitor page in the GUI and click Configure.
In the Monitor Filter tab, specify the below information.
- Ether Type(s): IP
- IP Type(s): UDP
- Destination Port(s): 514
- Enable the check box "Enable Bidirectional Address and Port Matching
In the Display Filter tab, ensure all the checkboxes are enabled.
In the Advanced Monitor Filter tab, enable the checkboxes.
- Monitor Firewall Generated Packets. (This will bypass the interface filter)
- Monitor Intermediate Packets.
Click OK.
Click on Start Capture on the Packet Monitor page to see the UDP 514 packets getting generated from SonicWall destined for the Syslog server IP address as shown below in the screenshot.

Viewing Syslogs on Analyzer

Login to the SonicWall Analyzer sgms management page.
Navigate to the Firewall tab and click Global View.
Navigate to Real-Time Viewer |Syslog. By default real-time viewer page has Syslog forwarding turned off.
Click Settings to enable Syslog Forwarding.
After enabling the check box Enable Syslog Forwarding, there is a Settings Manager - Message window. Click OK .
Set the Reader IP Address, Reader Port, and Reader Buffer Size to the default and click Update.
Click Start to start real-time syslog reading.
After a few seconds, the Syslogs should be displayed as shown below in the screenshot. This Syslogs confirms that the Syslog server is able to receive Syslogs from SonicWall.