Adding a Syslog Server

To add a Syslog server to the firewall.

1. Go to Device > Log > Syslog page.
2. Click Syslog Servers tab.
3. Click Add. The Add Syslog Server dialog appears.

   

4. Specify the Event Profile for this server in the Event Profile field. The minimum value is 0 (1 group), the maximum is 23 (24 groups), and the default is 0. Each group can have a maximum of 7 Syslog servers.

   For GMS, the Event Profile must be 0.

5. Select the Syslog server name or IP address from the Name or IP Address drop-down menu. Messages from the firewall are then sent to the servers.
6. If your Syslog server does not use default port 514, type the port number in the Port field.
7. Select the Server Type from the drop-down options. select Syslog Server or Analyzer.
8. From the Syslog Format drop-down menu, select the Syslog format:

   Syslog Formats

   Default	Default SonicWall Syslog format. For GMS, the Syslog format must be Default.
   WebTrends	WebTrends Syslog format. You must have WebTrends software installed on your system.
   Enhanced Syslog	Enhanced SonicWall Syslog format.
   ArcSight	ArcSight Syslog format. The Syslog server must be configured with the ArcSight Logger application to decode the ArcSight messages.

9. The Syslog Facility might be left as the factory default. Optionally, however, from the Syslog Facility drop-down menu, select the Syslog Facility appropriate to your network:

   For GMS, the Syslog format must be Local Use 0.

   Syslog Facility

   Kernel	UUCP Subsystem	Local Use 0
   User-Level Messages	Clock Daemon (BSP Linux)	Local Use 1
   Mail System	AUTHPRV Security/Authorization Messages	Local Use 2
   System Daemons	FTP Daemon	Local Use 3
   Security/Authorization Messages	NTP Subsystem	Local Use 4
   Messages Generated Internally by syslogd	Log Audit	Local Use 5
   Line Printer Subsystem	Log Alert	Local Use 6
   Network News Subsystem	Clock Daemon (Solaris)	Local Use 7

10. In the Syslog ID field, enter the Syslog ID. The default is firewall.

    A Syslog ID field is included in all generated Syslog messages, prefixed by id=. Therefore, for the default value, firewall, all Syslog messages include id=firewall. The ID can be set to a string consisting of 0 to 32 alphanumeric and underscore characters.

11. Optionally, to limit events logged and therefore, prevent the internal or external logging mechanism from being overwhelmed by log events, select Enable Event Rate Limiting.

    Event rate limiting is applied regardless of Log Priority of individual events.

    Specify the maximum number of events in the Maximum Events Per Second field; the minimum number is 0, the maximum is 1000, and the default is 1000 per second.

12. Optionally, to limit events logged and therefore, prevent the internal or external logging mechanism from being overwhelmed by log events, select Enable Data Rate Limiting.

    Data rate limiting is applied regardless of Log Priority of individual events.

    Specify the maximum number of bytes in the Maximum Bytes Per Second field; the minimum is number is 0, the maximum is 1000000000, and the default is 10000000 bytes per second. This control limits data logged to prevent the internal or external logging mechanism from being overwhelmed by log events.

13. To Bind To VPN Tunnel and Create Network Monitor Policy in NDPP mode:
    1. Optionally, choose an interface from the Local Interface drop-down menu.
    2. Optionally, choose an Interface from the Outbound Interface drop-down menu.
14. Click Add.