• SonicOS 7.1
• About SonicOS
  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
• About Device
  • Device Log Introduction
• Settings
  • Filtering the Base Setup View
  • Configuring the Logging and Alert Levels
    • Setting the Logging Level
    • Setting the Alert Level
  • About Other Top Row Buttons
    • Edit Attributes of All Categories
    • Reset All Event Counts
    • Save Template
    • Import Template
      • Default Template
      • Minimal Template
      • Analyzer/ViewPoint/GMS Template
      • Firewall Action Template
      • Custom Template
    • View Logs
  • About the Log Settings Base Setup Table
    • Category Column
    • Color Column
    • ID Column
    • Priority Column
    • GUI Column
    • Alert Column
    • Syslog Column
    • Internet Protocol Flow Information Export (IPFIX) Column
    • Email Column
    • Event Count Column
    • Edit and Reset Count Icons
  • Configuring Event Attributes Globally
  • Configuring Event Attributes Selectively
    • Configuring Event Attributes by Category
    • Configuring Event Attributes by Group
    • Configuring Event Attributes by Event
    • About Filename Logging
• Syslog
  • About Event Profiles
  • About Syslog Server Profiling
  • Using a GMS/Analytics Server for Syslog
  • Syslog Settings
  • Syslog Servers
    • Adding a Syslog Server
    • Editing a Syslog Server
    • Enabling Syslog Servers
    • Disabling Syslog Server
    • Deleting Syslog Servers
• Automation
  • Email Settings
  • Mail Server Settings
  • FTP Log Automation
• Name Resolution
• Reports
  • Data Collection
  • View Data
  • Backup Logs Information
• AWS
  • Enabling AWS Logs
• SonicWall Support
  • About This Document

Adding a Syslog Server

To add a Syslog server to the firewall.

1. Go to Device > Log > Syslog page.
2. Click Syslog Servers tab.
3. Click Add. The Add Syslog Server dialog appears.

   

4. Specify the Event Profile for this server in the Event Profile field. The minimum value is 0 (1 group), the maximum is 23 (24 groups), and the default is 0. Each group can have a maximum of 7 Syslog servers.

   For GMS, the Event Profile must be 0.

5. Select the Syslog server name or IP address from the Name or IP Address drop-down menu. Messages from the firewall are then sent to the servers.
6. If your Syslog server does not use default port 514, type the port number in the Port field.
7. Select the Server Type from the drop-down options. select Syslog Server or Analyzer.
8. From the Syslog Format drop-down menu, select the Syslog format:

   Syslog Formats

   Default	Default SonicWall Syslog format. For GMS, the Syslog format must be Default.
   WebTrends	WebTrends Syslog format. You must have WebTrends software installed on your system.
   Enhanced Syslog	Enhanced SonicWall Syslog format.
   ArcSight	ArcSight Syslog format. The Syslog server must be configured with the ArcSight Logger application to decode the ArcSight messages.

9. The Syslog Facility might be left as the factory default. Optionally, however, from the Syslog Facility drop-down menu, select the Syslog Facility appropriate to your network:

   For GMS, the Syslog format must be Local Use 0.

   Syslog Facility

   Kernel	UUCP Subsystem	Local Use 0
   User-Level Messages	Clock Daemon (BSP Linux)	Local Use 1
   Mail System	AUTHPRV Security/Authorization Messages	Local Use 2
   System Daemons	FTP Daemon	Local Use 3
   Security/Authorization Messages	NTP Subsystem	Local Use 4
   Messages Generated Internally by syslogd	Log Audit	Local Use 5
   Line Printer Subsystem	Log Alert	Local Use 6
   Network News Subsystem	Clock Daemon (Solaris)	Local Use 7

10. In the Syslog ID field, enter the Syslog ID. The default is firewall.

    A Syslog ID field is included in all generated Syslog messages, prefixed by id=. Therefore, for the default value, firewall, all Syslog messages include id=firewall. The ID can be set to a string consisting of 0 to 32 alphanumeric and underscore characters.

11. Optionally, to limit events logged and therefore, prevent the internal or external logging mechanism from being overwhelmed by log events, select Enable Event Rate Limiting.

    Event rate limiting is applied regardless of Log Priority of individual events.

    Specify the maximum number of events in the Maximum Events Per Second field; the minimum number is 0, the maximum is 1000, and the default is 1000 per second.

12. Optionally, to limit events logged and therefore, prevent the internal or external logging mechanism from being overwhelmed by log events, select Enable Data Rate Limiting.

    Data rate limiting is applied regardless of Log Priority of individual events.

    Specify the maximum number of bytes in the Maximum Bytes Per Second field; the minimum is number is 0, the maximum is 1000000000, and the default is 10000000 bytes per second. This control limits data logged to prevent the internal or external logging mechanism from being overwhelmed by log events.

13. To Bind To VPN Tunnel and Create Network Monitor Policy in NDPP mode:
    1. Optionally, choose an interface from the Local Interface drop-down menu.
    2. Optionally, choose an Interface from the Outbound Interface drop-down menu.
14. Click Add.