GMS 8.3 Admin Guide

Monitoring

Using Navigation and Monitoring Tools

The SonicWall™ Global Management System (GMS) Monitor tab is used for real time monitoring of SonicWall appliances, VPN Tunnels, network devices, and syslog information.

This section contains the following:

Net Monitor

The GMS Net Monitor periodically tests the status of SonicWall appliances and other network devices. When configured, it enables you to monitor the status of your network and immediately respond when SonicWall appliances and other network devices become unavailable.

The Net Monitor enables you to categorize different groups of SonicWall appliances or other network devices. You can categorize them by device type, geography, or any other organizational scheme. Additionally, you can assign devices within each category a high, medium, or low priority.

The following graphic shows the main Net Monitor page:

When you add a new device to your monitor, you are able to select a category, priority level, how often the device is tested, and the type of test that is used. The Net Monitor currently supports five types of tests: Ping, TCP Probe, HTTP, HTTPS, and SNMP.

You can toggle between the main view of the Net Monitor page and the Dashboard view by clicking . The following graphic shows the Dashboard view:

Configuring the Net Monitor

This section contains the following subsections:

Navigating the Net Monitor UI

The previous graphic shows the main page of the Net Monitor in which there are High, Medium and Low priority devices. To switch between categories, click a category tab. To reconfigure the settings for a device, right-click the device and select Properties.

The Status Display shows the status of all devices within the category. If all devices are reachable, all three displays will be green.

To change the priority for a device, drag and drop its icon to a new Priority Category. To move a device between categories, drag its icon to the tab of the new category and drop it in the appropriate Priority Category.

Finding Devices

GMS NetMonitor gives you the ability to search for devices using the Find feature:

1. In the menu bar, go to Edit > Find. The Find window displays.
2. Type a search string in the Look For field.
3. Optionally, select Match case or Whole word to narrow the search.
4. Click Find to search all views for your search term; the results are displayed in the figure that follows.
5. Double-click the device you wish to display; it is shown highlighted in the NetMonitor window.

NOTE: After making an initial search, you can use F3 (find next) and Shift+F3 (find previous) to move easily between found devices without having to keep the Find window open.

Viewing Device Status

GMS NetMonitor provides the ability to view device status for all monitored devices:

1. In the NetMonitor window, select the device(s) whose status you wish to view.
2. In the menu bar, go to Tools > Status.
3. The Device Status window displays device-specific attributes.

NOTE: Multiple Device Status windows can be opened simultaneously.

Configuring Preferences

To configure Net Monitor preferences, complete the following steps:
1. In the NetMonitor window, select Preferences from the Tools menu.
2. To view each category on its own page, select Each from the View Type list box. To view all categories on one page, select All.
3. To configure the Net Monitor to automatically refresh the status of monitored devices, select Enable auto refresh while loading and specify the refresh interval.
4. In the Monitor tab of the Preferences window, select a Minimum Severity to Show Alert in Dashboard from the pull-down menu.
5. Pick a domain to view by selecting it from the pull-down list. This field applies only to users with Super Admin access, and a domain must be selected from this dialog box in order to view devices in other domains. Users without Super Admin access can only view devices in their own domain.
6. In the Filters tab, select which devices to display in the Show devices by status area. To view all devices, click Select All.
7. In the Table tab, select Default to use the default table color. To pick a custom color, select Custom and choose a color from the color selector.
8. Specify the Column count and Row height to display for each priority.
9. When you are finished, click Apply. To cancel and start over, click Cancel.

Managing Categories and Devices on the Net Monitor

This section contains the following subsections:

 

Defining Categories

To create a new category, complete the following steps:
1. From the Net Monitor main page, select Add Category from the Category menu.
2. The Add Category screen displays. Enter the name of the new category in the Name field.
3. When you are finished, click Apply. To cancel and start over, click Cancel.
4. Repeat this procedure for each category to add. Each new category appears in the main toolbar of the Net Monitor page.

Editing Categories

To edit an existing category, complete the following steps:
1. From the Net Monitor main page, select Edit Category from the Category menu.
2. Select the category name you want to change from the list.
3. Enter a new name for the selected category in the Name field.
4. When you are finished, click Apply. To cancel and start over, click Cancel.

Deleting Categories

To delete an existing category, complete the following steps:
1. From the Net Monitor main page, select Delete Category from the Categories menu.
2. From the list provided, select the category name (Shift-click for multiple category names) you want to delete.
3. Select Forcibly delete all devices under category to delete all devices in this category.

NOTE: A warning message displays when you select Forcibly delete all devices under category. Click Yes to continue and delete this category.

4. To submit the delete request, click Apply. To cancel and start over, click Cancel.

Re-ordering Categories

To change the order of an existing category, complete the following steps:
1. From the Net Monitor main page, select Order Category from the Category menu.
2. From the list provided, select the category name you want to move.
3. Click Move Up or Move Down to change the order of this category.
4. Click Apply to finish. To cancel and start over, click Cancel.

Adding SonicWall Appliances

To add one or more SonicWall appliances, complete the following steps:
1. From the Net Monitor page, select Add GMS Device from the File menu.
2. Select a device or group to monitor and click Add in the center of the screen. Repeat this step for each device or group to monitor.
3. Click Next. The second page of the Add GMS Device Wizard appears.
4. Select the category to which the SonicWall appliance(s) are added from the Use an Existing Category list box. To add the SonicWall appliance(s) to a new category, enter the category name in the Add a New Category field.
5. Select the priority of the appliance(s) from the Category Priority list box.
6. Select how the SonicWall appliance(s) are monitored from the Monitoring Type list box and specify a Port if applicable.

If you choose SNMP as the monitoring type, you must enter a Monitor Port. Configure the following advanced settings by clicking Advanced.

Advanced settings

Community: The community name (default value is “public”).
Retry: Time to retry, in seconds (default value is “0”).
Timeout: Timeout length, in seconds (default value is “5”).
SNMP Version: Choose the version of SNMP to be used (default value is “V2C”).
MIB(s)*: Select the MIB(s) you wish to use for polling information (RFC1213-MIB is the default MIB and cannot be de-selected).
User Name: Enter a user name (SNMP v3 only).
Authentication Protocol: Select an authentication protocol from the list (SNMP v3 only).
Authentication Password: Enter an authentication password (SNMP v3 only).
Privacy Password: Enter a privacy password (SNMP v3 only).
Context ID: Enter a context ID (SNMP v3 only).
Context Name: Enter a context name (SNMP v3 only).

NOTE: Use extra caution when specifying the Retry and Timeout values, as SNMP follows the “Exponential Back Off” algorithm to calculate the retry and timeout values. With this algorithm, the specified Timeout value increases exponentially with the retry value.

7. Press OK to save the SNMP advanced settings.
8. Specify how often the SonicWall appliance(s) are tested in the Polling Interval field.
9. Enter the ideal response time (IRT) in the Ideal Response Time field (default: 500 milliseconds). SonicWall appliances that take between 1 and 1.5 times the IRT are marked as Slow. SonicWall appliances that take between 1.5 and 2 times the IRT are marked as Very Slow.
10. Select the Agent that completes the testing from the Assign to Monitor list box.
11. Optional. To disable monitoring of the SonicWall appliance(s), select Disable.
12. To change the icon image that represents the device(s), click the icon image button and select a new image.
13. Click Next to continue.

If you did not configure the Monitoring Type as SNMP, the Assign Privileges page displays. See Step 14.

If you configured the Monitoring Type as SNMP, the SNMP Realtime Monitor Template Information page displays. Select the Realtime Monitor Template to apply to this device. Then, click Next.

NOTE: Multiple templates can be selected by holding Ctrl while selecting the templates. The Filter search bar allows you to narrow the list of templates. Execute an exact match search by enclosing the term in double quotation marks, for example “template name”, or search without quotation marks to search on multiple keywords.

14. On the Assign Privileges page, select the users to have read-write privileges.

NOTE: Multiple users can be selected by holding Ctrl while selecting the users. Permissions can be assigned to both Users and Usertypes.

15. Click Finish to acquire the new device.

NOTE: The process of acquiring a new device might take several minutes. To force acquisition of the device, select the device and go to SNMP > SNMP Re-acquire in the NetMonitor menu bar.

* Custom MIBs might be required for some devices. Custom MIBs allow polling non-SonicWall or non-standard SNMP-enabled devices and polling information specific to a certain device based on Manufacturer ID. These MIBs have to be placed in the etc\mibs folder by the GMS Administrator on the Web Server and Monitoring Agent machine(s) in order to use them for probing.
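The IRT bands from step 9 and the Retry/Timeout caution above, as an added example (Python, not GMS code) run over constructed probe results. The labels for a reply inside the IRT and beyond 2x the IRT, the band boundaries, and a doubling back-off factor are assumptions, noted in the code.

```python
"""Added example (not GMS code): apply the Net Monitor status rules from the
procedure above to constructed probe results.

Assumptions, stated because the guide does not spell them out:
- A reply faster than the IRT is "Reachable"; slower than 2x IRT, or no reply,
  is "Unreachable". The guide only names "Slow" and "Very Slow".
- The Slow band is [1, 1.5) x IRT and the Very Slow band is [1.5, 2] x IRT.
- "Exponential Back Off" is modelled as doubling the Timeout on every retry;
  the guide says only that the timeout grows exponentially with Retry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IRT_DEFAULT_MS = 500        # Ideal Response Time default (step 9)
SNMP_TIMEOUT_DEFAULT_S = 5  # Timeout default (Advanced settings)
SNMP_RETRY_DEFAULT = 0      # Retry default (Advanced settings)
PRIORITIES = ("High", "Medium", "Low")


@dataclass
class ProbeResult:
    name: str
    priority: str                # High, Medium or Low priority category
    test_type: str               # Ping, TCP Probe, HTTP, HTTPS or SNMP
    elapsed_ms: Optional[float]  # None means the probe received no reply


def classify_response(elapsed_ms: Optional[float],
                      irt_ms: float = IRT_DEFAULT_MS) -> str:
    """Map a measured response time to the status label used by Net Monitor."""
    if elapsed_ms is None or elapsed_ms > 2 * irt_ms:
        return "Unreachable"   # assumed label for no reply / beyond 2x IRT
    if elapsed_ms < irt_ms:
        return "Reachable"     # assumed label for a reply within the IRT
    if elapsed_ms < 1.5 * irt_ms:
        return "Slow"          # between 1 and 1.5 times the IRT
    return "Very Slow"         # between 1.5 and 2 times the IRT


def snmp_worst_case_wait_s(timeout_s: float = SNMP_TIMEOUT_DEFAULT_S,
                           retries: int = SNMP_RETRY_DEFAULT) -> float:
    """Longest time one SNMP probe can block when every attempt times out,
    with the timeout doubling on each retry (assumed back-off factor)."""
    return sum(timeout_s * (2 ** attempt) for attempt in range(retries + 1))


def polling_interval_ok(polling_interval_s: float, timeout_s: float,
                        retries: int) -> bool:
    """True when a single SNMP probe cannot outlast the Polling Interval.
    A longer worst-case wait means probes of the same device overlap."""
    return snmp_worst_case_wait_s(timeout_s, retries) <= polling_interval_s


def summarise(results: List[ProbeResult], irt_ms: float = IRT_DEFAULT_MS
              ) -> Tuple[Dict[str, str], Dict[str, bool]]:
    """Return per-device statuses and, per priority category, whether every
    device is reachable (the Status Display is green only in that case)."""
    statuses = {r.name: classify_response(r.elapsed_ms, irt_ms) for r in results}
    all_reachable = {
        p: all(statuses[r.name] == "Reachable" for r in results if r.priority == p)
        for p in PRIORITIES
    }
    return statuses, all_reachable


# Constructed sample probe results (not real devices).
SAMPLE_RESULTS = [
    ProbeResult("branch-fw-01", "High", "Ping", 120.0),
    ProbeResult("branch-fw-02", "High", "TCP Probe", 600.0),
    ProbeResult("dc-core-sw", "Medium", "SNMP", 800.0),
    ProbeResult("web-proxy", "Medium", "HTTPS", None),
    ProbeResult("lab-host", "Low", "HTTP", 90.0),
]

if __name__ == "__main__":
    statuses, green = summarise(SAMPLE_RESULTS)
    for name, status in statuses.items():
        print(f"{name:14} {status}")
    for priority in PRIORITIES:
        print(f"{priority} display green: {green[priority]}")
    # Timeout 5 s with Retry 3 can block for 75 s, longer than a 60 s interval.
    print("worst-case SNMP wait:", snmp_worst_case_wait_s(5, 3), "s")
    print("fits a 60 s polling interval:", polling_interval_ok(60, 5, 3))
```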

Adding Other Devices

In addition to SonicWall appliances, GMS can monitor any publicly accessible servers or devices on the Internet.

To add one or more non-SonicWall devices, complete the following steps:
1. From the Net Monitor screen, select Add Non-GMS Device from the File menu.
2. Enter a name for the device in the Name field and its IP address or hostname in the Host field, and click Add. Repeat this step for each device to monitor.
3. Click Next. The second page of the Add Non-GMS Device Wizard displays.
4. Select the category to which the device(s) are added from the Use an Existing Category list box. To add the device(s) to a new category, enter the category name in the Add a New Category field.
5. Select the priority of the device(s) from the Category Priority list box.
6. Select how the device(s) are monitored from the Monitoring Type list box and specify a Port if applicable.

If you choose SNMP as the monitoring type, you must enter a Monitor Port. Configure the following advanced settings by clicking Advanced.

Advanced settings

Community: The community name (default value is “public”).
Retry: Time to retry, in seconds (default value is “0”).
Timeout: Timeout length, in seconds (default value is “5”).
SNMP Version: Choose the version of SNMP to be used (default value is “V2C”).
MIB(s)*: Select the MIB(s) you wish to use for polling information (RFC1213-MIB is the default MIB and cannot be de-selected).
User Name: Enter a user name (SNMP v3 only).
Authentication Protocol: Select an authentication protocol from the list (SNMP v3 only).
Authentication Password: Enter an authentication password (SNMP v3 only).
Privacy Password: Enter a privacy password (SNMP v3 only).
Context ID: Enter a context ID (SNMP v3 only).
Context Name: Enter a context name (SNMP v3 only).

NOTE: Use extra caution when specifying the Retry and Timeout values, as SNMP follows the “Exponential Back Off” algorithm to calculate the retry and timeout values. With this algorithm, the specified Timeout value increases exponentially with the retry value.

7. Press OK to save the SNMP advanced settings.
8. Specify how often the device(s) are tested in the Polling Interval field.
9. Enter the ideal response time (IRT) in the Ideal Response Time field (default: 500 milliseconds). Devices that take between 1 and 1.5 times the IRT are marked as Slow. Devices that take between 1.5 and 2 times the IRT are marked as Very Slow.
10. Select the Agent that executes the testing from the Assign to Monitor list box.
11. Optional. To disable monitoring of the device(s), select Disable.
12. To change the icon image that represents the device(s), click the icon image button and select a new image.
13. Click Next to continue.

If you did not configure the Monitoring Type as SNMP, the Assign Privileges page displays. See Step 14.

If you configured the Monitoring Type as SNMP, the SNMP Realtime Monitor Template Information page displays. Select the Realtime Monitor Template to apply to this device. Then, click Next.

NOTE: Multiple templates can be selected by holding Ctrl while selecting the templates. The Filter search bar allows you to narrow the list of templates. Execute an exact match search by enclosing the term in double quotation marks, for example “template name”, or search without quotation marks to search on multiple keywords.

14. On the Assign Privileges page, select the users to have read-write privileges.

NOTE: Multiple users can be selected by holding Ctrl while selecting the users. Permissions can be assigned to both Users and Usertypes.

15. Click Finish to acquire the new device.

NOTE: The process of acquiring a new device might take several minutes. To force acquisition of the device, select the device and go to SNMP > SNMP Re-acquire in the NetMonitor menu bar.

CAUTION: Custom MIBs might be required for some devices. Custom MIBs allow polling non-SonicWall or non-standard SNMP-enabled devices and polling information specific to a certain device based on Manufacturer ID. These MIBs have to be placed in the etc\mibs folder by the GMS Administrator on the Web Server and Monitoring Agent machine(s) in order to use them for probing.

Editing a Device

You can edit some of the properties of a specific device by right-clicking the device you want to edit, then clicking Properties. Multiple devices can be selected by holding Ctrl while selecting the devices.

When editing a single Non-GMS managed device, the Edit Device wizard displays, where you can edit the device Name and Host IP address in their respective fields.

Continue through the device wizard to edit Monitor Information and Realtime Monitor Template Information. Note that these are the same settings you originally configured when adding the device.

When editing a GMS Managed device or multiple devices, the Properties screen displays:

The Change check box appears next to each field whose value differs among the selected devices. If there are no differences, the field does not appear. After Change is selected, the value for the corresponding field is overwritten on all selected devices.

Note that selecting Disable applies changes to all selected devices.

Click Finish to complete editing the device settings.

NOTE: You can only rename non-GMS devices. GMS devices cannot be renamed, as the name is synced automatically with the assigned name from the Tree Control.

Deleting a Device

To delete a device, right-click the device you wish to delete and click Delete Device. A warning displays, confirming the device(s) you have selected to delete. Click Yes to continue.

NOTE: Multiple devices can be selected by holding Ctrl while selecting the devices. Make sure to select all devices before right-clicking to delete.

Assigning Permissions

Privileges to a device can now be assigned on a per-user or per-user-group basis. When adding a Net Monitor device, an Assign Permission dialog box displays in the Add Device Wizard, listing all users in the system. When adding the device(s), you can select the users and user groups to grant permissions to.

To add or update permissions for an existing device, navigate to Console > Management > Edit Users.

Managing Realtime Monitors

When a device is configured for monitoring, the data retrieved from it is displayed in the form of a realtime monitor. The following procedures describe how to create and manage realtime monitors:

Creating a Realtime Monitor

The Manage Realtime Monitor Dialog enables you to create custom realtime monitors.

1. From the Net Monitor page, select the device(s) for which you wish to create a realtime monitor.
2. In the menu bar, go to SNMP > SNMP Manage Realtime Monitors. The SNMP Manage Realtime Monitors page displays.
3. Click the icon on the left side of the screen (under Realtime Monitors) to add a new realtime monitor.
4. Add a friendly name for the new monitor in the Monitor Name field.
5. If you wish to save the new monitor as a template for future use, select Save as template. Then, add a friendly name for the template.
6. Choose your display type and chart style as follows:

Display/Chart types

Display Type
Table: Displays data in a tabular format.
Graph: Displays data in a graphical format.

Chart Style (used only when the display type is set to Graph)
Area: Generates a graph in area format.
Bar: Generates a graph in bar format.
Line: Generates a graph in line format.
Plot: Generates a graph in plot format.
Pie: Generates a graph in pie format.
Stacked Area: Generates a graph similar to area format, with multiple areas stacked upon each other.
Stacked Bar: Generates a graph similar to bar format, with multiple bars stacked upon each other.

7. Navigate to the MIB Tree list and select the OIDs you wish to add.
8. In the middle of the screen, select your preferences as follows:

Available preferences

Add selected OIDs*
Individually: Add OID(s) as individual elements.
As a group: Add multiple similar OIDs as one single element.

Add Type
Add To: Add OID(s) to an existing element.
Insert At: Add OID(s) as a new element at the specified location.
Append: Append OID(s) to the end of the element list.

NOTE: It is important that the elements present in a Realtime Monitor Template contain OIDs that are present in the devices the template is applied to. Applying a template that contains irrelevant OIDs can produce unexpected results.

9. Click the icon on the right side of the screen (under MIB Tree) to add the selected MIB(s) to the Elements list.

TIP: Alternate ways of adding a MIB to the Elements list include double-clicking the MIB and dragging and dropping the MIB from the MIB Tree into the Elements list.

10. Enter a friendly name for the element you just added by double-clicking the display name field corresponding to the new element.
11. Specify a threshold value for the alert monitor in the Threshold field corresponding to the new element.
12. Click Apply to save changes and create the realtime monitor.

Managing Templates for Realtime Monitors

A set of Realtime Monitor templates is available for every appliance type the GMS manages, including UMH and Windows. This section allows the user to manage the two types of templates in the system: User-defined and System-Defined. User-defined templates are created from other Realtime Monitors by selecting Save as Template. User-defined templates can be edited or deleted. For user friendliness, system-defined templates are created as Factory Default templates. Unfortunately, these templates are read-only and cannot be edited or deleted.

Users can manage factory templates by completing the procedures that follow:

1. Navigate to the SNMP > SNMP Manage Realtime Monitor Templates screen.
2. The list of available Realtime Monitor Templates appears on the left side of the screen. Select the template you want applied to the device.
3. Edit the existing name in the Monitor Name field.
4. Choose your display type and chart style as follows:

Display type/chart style selection

Display Type
Table: Displays data in a tabular format.
Graph: Displays data in a graphical format.

Chart Style (used only when the display type is set to Graph)
Area: Generates a graph in area format.
Bar: Generates a graph in bar format.
Line: Generates a graph in line format.
Plot: Generates a graph in plot format.
Pie: Generates a graph in pie format.
Stacked Area: Generates a graph similar to area format, with multiple areas stacked upon each other.
Stacked Bar: Generates a graph similar to bar format, with multiple bars stacked upon each other.

5. Navigate to the MIB Tree list and select the OIDs you wish to add.
6. In the middle of the screen, select your preferences as follows:

Available preferences

Add selected OIDs*
Individually: Add OID(s) as individual elements.
As a group: Add multiple similar OIDs as one single element.

Add Type
Add To: Add OID(s) to an existing element.
Insert At: Add OID(s) as a new element at the specified location.
Append: Append OID(s) to the end of the element list.

NOTE: It is important that the elements present in a Realtime Monitor Template contain OIDs that are present in the devices the template is applied to. Applying a template that contains irrelevant OIDs can produce unexpected results.

Creating a Realtime Monitor From a Template

To set up a realtime monitor using one or more templates, complete the following steps:
1. Select the device(s) you wish to create a realtime monitor for.
2. In the menu bar, go to SNMP > SNMP Apply Realtime Monitor Templates.
3. Select the templates (Ctrl-click for multiple selections) you wish to use for monitoring the selected device(s).

NOTE: Multiple templates can be selected by holding Ctrl while selecting the templates. The Filter search bar allows you to narrow the list of templates. Do an exact match search by enclosing the term in double quotation marks, for example “template name”, or search without quotation marks to search on multiple keywords.

4. Click Apply to create the Realtime Monitor.

Viewing Realtime SNMP Monitoring Information

GMS NetMonitor allows you to view realtime monitoring data for one or multiple devices simultaneously. Data represented in these charts shows the last hour of activity for the specified node. To view the realtime monitoring information for one or more devices, complete the procedures that follow:

1. Select the device(s) you wish to monitor from the GMS NetMonitor main status screen (Ctrl-click for multiple devices).
2. In the menu bar, select SNMP > SNMP Realtime Monitor Status.
3. In the Realtime Monitors window, select one or more nodes to monitor. The appropriate graphs and/or tables are loaded into the monitoring window on the right side of the screen.

NOTE: Data in the monitoring windows is refreshed automatically based on the auto-refresh interval specified in NetMonitor Preferences. You can refresh the graphs and charts manually, but it is not necessary.

4. To display historical charts (daily, weekly, monthly) for a node, double-click the desired realtime graph in the monitoring window on the right side of the screen.

NOTE: Only one history chart window can be opened at a time. It is possible, however, to display historical charts for multiple nodes by selecting the charts you wish to view with Ctrl-click, and then clicking the icon at the top right side of the screen.

Managing Severity and Thresholds

Configuring Severity and Thresholds allows you to be notified when the value of a monitored OID exceeds a set level. These levels are set in the Manage Severity dialog and are then used to define your alerts by assigning a level of severity to each threshold, set in the Manage Threshold dialog.

The Severities and Thresholds are now linked to the Granular Events Management (GEM) framework. This allows you to configure severities and thresholds from the Net Monitor tab, or navigate to the Console > Events screen to configure and verify changes there.

This section contains the following subsections:

Managing Severity

To configure your Severity settings:

1. In the menu bar, select Tools > Manage Severity.
2. Add a new severity by clicking the add icon and entering a name for the severity.
3. Move the new severity to a different priority level by selecting the severity in the list and using the move icons.
4. Change the color of the severity by selecting the severity in the list and clicking the color icon.
5. To delete a severity, select the severity in the list and click the delete icon.

NOTE: A severity cannot be deleted if it is being used by one or more threshold elements. Ensure that no threshold elements are associated with that severity before attempting to delete it. Severities are global settings and are available across the system.

Managing Thresholds

Every element in a threshold is assigned an operator, value, and severity. Thresholds are ways of defining conditions that monitor specified object identifier (OID) values. When the defined condition is met, the threshold is triggered, and severity helps to identify the priority of the triggered threshold. To configure your thresholds:

1. In the menu bar, select Tools > Manage Thresholds.
2. Click the add icon under Threshold and enter a friendly name to add a new threshold.
3. Click the add icon under Elements to add a new element to the threshold.
4. Configure the Operator, Value, and Severity fields in the new element as follows:

Configuring the Operator, Value, and Severity fields

Operator: Double-click and choose an operator as a modifier for your value. For numeric values, the operator options are ==, !=, >, >=, <, =<. For alphanumeric values, the operator options are equals, equals ignore case, not equals, contains, not contains.
Value: Double-click and enter an alphanumeric or numeric value. Numeric values are entered in bytes.
Severity: Double-click and choose a severity from the list to correspond with the operator and value.

You can also disable a specific threshold by selecting Disabled. The following threshold triggers a Low-level Warning at a value of less than 100000 bytes.

5. Click Apply to save your changes.

NOTE: Thresholds are global settings and are available across the system.

To delete a threshold, select the threshold and click the delete icon.
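The operator, value and severity rules above, as an added example (Python, not GMS code) that evaluates constructed threshold elements against a constructed poll of one device and then filters the alerts by the Dashboard's minimum severity. The severity ordering, the treatment of “=<” as less-than-or-equal, the element names, the OIDs and the polled values are assumptions made for the example.

```python
"""Added example (not GMS code): evaluate threshold elements against polled
OID values, then filter the alerts as the Dashboard's "Minimum Severity to
Show Alert" preference does.
Assumptions: severities are ordered low to high as listed in SEVERITIES; the
guide's "=<" is treated as less-than-or-equal; element names, OIDs and polled
values are constructed (standard RFC1213-MIB interface OIDs are used)."""
import operator
from dataclasses import dataclass, field
from typing import Any, Dict, List

SEVERITIES = ["Info", "Low", "Warning", "High", "Critical"]  # least to most severe

# Numeric operators named in the guide ("<=" added as an alias of "=<").
NUMERIC_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
               ">=": operator.ge, "<": operator.lt, "=<": operator.le, "<=": operator.le}

# Alphanumeric operators named in the guide.
STRING_OPS = {"equals": lambda a, e: a == e,
              "equals ignore case": lambda a, e: a.lower() == e.lower(),
              "not equals": lambda a, e: a != e,
              "contains": lambda a, e: e in a,
              "not contains": lambda a, e: e not in a}


@dataclass
class ThresholdElement:
    name: str      # friendly display name shown in the Elements list
    oid: str       # OID polled by the realtime monitor
    op: str        # key of NUMERIC_OPS or STRING_OPS
    value: Any     # numeric values are in bytes, per the guide
    severity: str  # one of SEVERITIES


@dataclass
class Threshold:
    name: str
    elements: List[ThresholdElement] = field(default_factory=list)
    disabled: bool = False  # the Disabled check box


def element_triggered(element: ThresholdElement, polled: Dict[str, Any]) -> bool:
    """True when the polled value for the element's OID meets its condition."""
    if element.oid not in polled:
        return False  # OID absent on this device (see the NOTE on irrelevant OIDs)
    actual = polled[element.oid]
    if element.op in NUMERIC_OPS:
        try:
            return NUMERIC_OPS[element.op](float(actual), float(element.value))
        except (TypeError, ValueError):
            return False  # non-numeric data under a numeric operator
    if element.op in STRING_OPS:
        return STRING_OPS[element.op](str(actual), str(element.value))
    raise ValueError(f"unknown operator {element.op!r}")


def evaluate(device: str, monitor: str, thresholds: List[Threshold],
             polled: Dict[str, Any]) -> List[Dict[str, str]]:
    """One alert record per triggered element, with the device, realtime
    monitor and element that the Dashboard View displays."""
    alerts = []
    for threshold in thresholds:
        if threshold.disabled:
            continue
        for element in threshold.elements:
            if element_triggered(element, polled):
                alerts.append({"device": device, "monitor": monitor,
                               "threshold": threshold.name,
                               "element": element.name,
                               "severity": element.severity})
    return alerts


def dashboard_view(alerts: List[Dict[str, str]], minimum_severity: str) -> List[Dict[str, str]]:
    """Keep only alerts at or above the configured minimum severity."""
    floor = SEVERITIES.index(minimum_severity)
    return [a for a in alerts if SEVERITIES.index(a["severity"]) >= floor]


IF_IN_OCTETS_1 = "1.3.6.1.2.1.2.2.1.10.1"   # ifInOctets, interface 1
IF_DESCR_1 = "1.3.6.1.2.1.2.2.1.2.1"        # ifDescr, interface 1
IF_OPER_STATUS_1 = "1.3.6.1.2.1.2.2.1.8.1"  # ifOperStatus, interface 1 (1 = up)

# Constructed thresholds; the first reproduces the guide's example of a
# Low-level alert when the value is less than 100000 bytes.
THRESHOLDS = [
    Threshold("Low inbound traffic", [
        ThresholdElement("inbound bytes", IF_IN_OCTETS_1, "<", 100000, "Low")]),
    Threshold("Interface health", [
        ThresholdElement("ifDescr", IF_DESCR_1, "not contains", "(WAN)", "Warning"),
        ThresholdElement("ifOperStatus", IF_OPER_STATUS_1, "!=", 1, "Critical")]),
    Threshold("Retired check", [
        ThresholdElement("inbound bytes", IF_IN_OCTETS_1, ">", 0, "Info")], disabled=True),
]

# Constructed poll result for one device.
SAMPLE_POLL = {IF_IN_OCTETS_1: 42000, IF_DESCR_1: "X0 (LAN)", IF_OPER_STATUS_1: 2}

if __name__ == "__main__":
    alerts = evaluate("branch-fw-01", "Interface monitor", THRESHOLDS, SAMPLE_POLL)
    for alert in dashboard_view(alerts, "Warning"):  # drops the Low alert
        print(alert)
```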

Viewing Threshold Alerts in the Dashboard

The Dashboard View is a screen where an alert about an SNMP Realtime Monitor satisfying user-defined threshold conditions is displayed. When a threshold alert is triggered, information about the device, realtime monitor, and the element that triggered the alert is shown on this screen.

Managing SNMP Scheduled Reports

You can schedule reports from realtime monitors to be sent by email or archived to a location on disk. To create a scheduled report, navigate to the Dashboard > Universal Scheduled Reports screen:

For more information regarding managing SNMP Schedule Reports, refer to Using the Universal Scheduled Reports Application.

Setting E-mail Threshold Alerts

GMS NetMonitor now allows users to configure, at a granular per-device level, multiple destinations based on schedules. Alerts for that unit are then sent to the specified destinations based on the specified schedules. Alert settings now support adding a maximum of five destinations for specified devices.

To set email threshold alerts:

1. Select the device(s) you wish to configure alerts for from the GMS NetMonitor main status screen (Ctrl-click for multiple devices).
2. In the menu bar, select Tools > Alert Settings.
3. Click Add Destination to add a new destination. You can add a maximum of five destinations/schedules.
4. Select the destination from the pull-down menu.
5. Next, choose the Schedule you want applied to this destination.
6. Select whether you want these settings applied to just the Selected Device or to All Accessible Devices. Note that selecting the latter option overwrites any existing settings for the affected devices.
7. Click Apply to complete adding alerts. A warning might display, notifying you that the Alert Settings are reset to the newly specified settings. Click Yes to continue.

Accessing the Legend

To see all icon definitions used in the NetMonitor section, navigate to the Help > Legend screen:

Monitoring Devices Behind a SonicWall Appliance

To monitor devices behind a SonicWall appliance, do one of the following:

Create a VPN tunnel to the remote firewall that makes all LAN subnets accessible to the Net Monitor.
Create NAT Policies that allow specific types of traffic through.

For example, if TCP Probe is chosen as the monitor type, TCP connections must be allowed to the specified port. If Ping is chosen as the monitor type, ICMP must be allowed.

Adding Custom Icons to the Net Monitor

The Net Monitor supports custom icons that it displays in the Net Monitor window. The icons must be 16 x 16 pixels and created in the .GIF format. To add new icons to the Net Monitor, copy them to the following directory:

<gms_directory>\Tomcat\webapps\sgms\images\monitor

Real-Time Syslog

The real-time syslog utility enables you to diagnose the system by viewing the syslog messages in real time. This feature should only be used when needed for diagnostic purposes. For an overview of the Real-Time Syslog management interface and configuration procedures, refer to the following:

Using the Real-Time Syslog page

This section details how to use the controls and display settings in the Real-Time Syslog page:

 
NOTE: The Real-Time Syslog Viewer uses java.util.regex to support the search feature. For more information on this enhanced search capability, visit <http://java.sun.com/developer/technialArticles/releases/1.4regex/>.

Control Buttons

Click Start in the Control bar to begin real-time syslog reading. It takes 15-30 seconds for entries to display in the list.

The control bar displays Start and Clear to control the flow of alerts on the screen:

Start— Starts syslog forwarding, allowing alerts to display in the list.
Clear— Clears all alerts in the Real-Time Syslog list.

After real-time syslog reading begins, Start is replaced by Pause and Stop.

Pause— This button is helpful if you need to focus on one alert while keeping the buffer from continuing to fill up with alerts.
Stop— Stops syslog forwarding. Syslog entries stop populating in the list.

If Real-Time Syslog is paused, the control bar displays a Resume button in place of Pause.

Resume— Click when you are ready to resume real-time syslog reading.

Display Settings

The Real-Time Syslog control bar displays Undock, Dock, Full Screen and Pin icons to change the Display options.

Full Screen— Displays the Real-Time Syslog in full-screen mode. Press Escape to return to the Real-Time Syslog management interface.
Pin— Pins or un-pins the Control bar from the Real-Time Syslog page. If the Control bar is un-pinned, hover the mouse over the top of the page and the Control bar drops down; click the Pin icon to keep it displayed.
Undock— Undocks the Real-Time Syslog from the Monitor > Real-Time Syslog management interface page, giving you the option to view the Real-Time Syslog in a new window.
Dock— Docks the Real-Time Syslog to the Monitor > Real-Time Syslog management interface page.

Scroll Navigation

The right side of the Live Monitoring management interface contains a scroll bar. As alerts are displayed, the most recent appear at the bottom of the buffer in “auto-scroll” mode. Clicking other scroll bar controls disables auto-scroll, giving control to the user. A button next to the top of the scroll bar enables or disables Auto Scrolling. The scroll bar’s up and down “arrow” buttons provide smooth and fast scroll movement in the display.

Enabling Syslog Forwarding

To enable Syslog Forwarding, complete the following steps:

1. Click the Monitor tab.
2. Expand the Tools tree and click Real-Time Syslog. The Real-Time Syslog page appears.
3. If the Syslog Reader is not already running, click Settings. The Settings Manager pop-up window displays.
4. Click Enable Syslog Forwarding. A message displays describing the effects of enabling syslog forwarding.
5. Read the message, then click OK.
6. Enter the desired syslog forwarding settings in the Settings Manager, then click Update.
7. In the Real-Time Syslog main page, click Start. The Syslog Viewer begins showing the latest syslog entries.

GMS Reports and Corresponding Syslog Categories

Report categories

Report Category     Report Title                 Syslog Category
Data Usage          Summary                      Network Traffic
                    Timeline                     Network Traffic
                    Top Initiators               Network Traffic
                    Top Responders               Network Traffic
                    Top Services                 Network Traffic
                    Data Usage Details           Network Traffic
Applications        Summary                      Network Traffic
                    Data Usage                   Network Traffic
                    Top Applications Detected    Network Traffic
                    Top Applications Blocked     Network Traffic
                    Top Categories               Network Traffic
                    Top Initiators               Network Traffic
                    Timeline                     Network Traffic
User Activity       User Activity Details        Network Traffic
Web Activity        Summary                      Network Traffic
                    Top Categories               Network Traffic
                    Top Sites                    Network Traffic
                    Top Initiators               Network Traffic
                    Timeline                     Network Traffic
                    Web Activity Details         Network Traffic
Web Filter          Summary                      Blocked Websites
                    Top Categories               Blocked Websites
                    Top Sites                    Blocked Websites
                    Top Initiators               Blocked Websites
                    Timeline                     Blocked Websites over time
                    Web Filter Details           Blocked Websites
VPN Usage           Summary                      Network Traffic
                    Top VPN Policies             Network Traffic
                    Top VPN Initiators           Network Traffic
                    Top VPN Services             Network Traffic
                    Timeline                     Network Traffic
Intrusions          Detected                     Intrusion Prevention
                    Targets                      Intrusion Prevention
                    Timeline                     Intrusion Prevention
Gateway Viruses     Top Viruses Blocked          Attacks
                    Top Targets                  Attacks
                    Top Initiators               Attacks
                    Timeline                     Attacks
Spyware             Top Spyware Blocked          Intrusion Prevention
                    Top Targets                  Intrusion Prevention
                    Top Initiators               Intrusion Prevention
                    Timeline                     Intrusion Prevention
Threats             Summary                      Attacks, Intrusion Prevention
Attacks             Targets                      Attacks, Intrusion Prevention
                    Top Initiators               Attacks, Intrusion Prevention
                    Timeline                     Attacks, Intrusion Prevention
Authentication      User Login                   Authenticated Access
                    Admin Login                  Authenticated Access
                    Failed Login                 Authenticated Access
Analyzers           Log Analyzer                 Syslog
Up-Down             Timeline                     GMS

Forwarding Syslog Data to Another Syslog Server

To forward GMS syslog data to another syslog server, complete the following steps:

1. Log in to the appliance interface of the GMS software.
2. Access the techSupport.html screen by entering the URL <http://gms-ip/appliance/techSupport.html> in the browser address bar. The following screen displays. Click Accept.
3. Navigate to the Configuration File Editor section, and click Edit.
4. Enter valid values for syslog.forwardToHost and syslog.forwardToHostPort. Then, click Update.
5. Restart the server/appliance.
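As an added example, not GMS code or anything from this guide, the following Python sketch shows the far end of that forwarding: a minimal collector that listens on the host and port you would enter as syslog.forwardToHost and syslog.forwardToHostPort, receives one forwarded line, and splits it into the syslog PRI (facility and severity) and the SonicWall-style key=value tags that the GMS reports above are built from. UDP transport is an assumption (the guide does not state the transport), and the sample line, serial number, addresses and tag names are constructed.

```python
"""Minimal downstream collector for syslog forwarded by GMS (added example, not GMS code).

Assumptions: forwarding uses plain UDP syslog, and each line carries
SonicWall-style key=value tags after the PRI and header. The sample below
is constructed; real field names and values may differ.
"""
import re
import socket

# Constructed sample of one forwarded line (serial number and addresses are invented).
SAMPLE_LINE = (
    '<134>Jan 12 10:15:02 gms-host id=firewall sn=ASSUMED0001 '
    'time="2024-01-12 10:15:02" fw=203.0.113.10 pri=6 c=1024 m=537 '
    'msg="Connection Closed" src=192.0.2.5:51234:X0 dst=198.51.100.7:443:X1 proto=tcp/https'
)

PRI_RE = re.compile(r"^<(\d{1,3})>")                 # RFC 3164 priority prefix
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value, quoted values may contain spaces


def parse_syslog(line):
    """Return facility, severity and the key=value tags from one forwarded line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no syslog PRI prefix")
    pri = int(m.group(1))
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
    # PRI = facility * 8 + severity (134 -> local0 / informational)
    return {"facility": pri // 8, "severity": pri % 8, **fields}


def collector(bind_host="127.0.0.1", bind_port=0):
    """Bind a UDP socket for the forwarding target; port 0 picks a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_host, bind_port))
    return sock, sock.getsockname()[1]


def loopback_demo():
    """Simulate GMS forwarding one line to this collector over loopback and parse it."""
    srv, port = collector()
    srv.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(SAMPLE_LINE.encode(), ("127.0.0.1", port))
        data, _ = srv.recvfrom(65535)
    finally:
        sender.close()
        srv.close()
    return parse_syslog(data.decode(errors="replace"))


if __name__ == "__main__":
    for key, value in loopback_demo().items():
        print(f"{key}={value}")
```

On a real collector you would bind to the address entered as syslog.forwardToHost (not loopback) and the port entered as syslog.forwardToHostPort, and confirm after the restart in step 5 that lines arrive; the fw and sn tags identify which appliance each forwarded line came from.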

Live Monitoring

Live Monitoring lets users monitor a network through the correlation of syslogs received from appliances throughout a deployment. The syslogs are received by the Event Manager Receiver Service that then feeds them into an Event Correlation Engine. The engine sends the messages through user-defined rules, and if a rule condition is met, the engine forwards the object to be turned into an alert for Live Monitoring.

These alerts are sent to email, traps, other user-defined destinations, and to the new Live Monitoring user interface, if a user is currently monitoring. Viewing alerts in the Live Monitoring interface provides greater flexibility to monitor a network, and to analyze traffic based on protocols, web usage and productivity, or even to detect viruses and attacks in the network.

Live Monitoring is a powerful tool when rules are created properly, allowing the user to monitor various amounts of information on the unit(s) efficiently. Be aware that while the alerts keep you updated with what is being sent and received, this might bombard your inbox or trap listener with a heavy amount of notifications. This happens only when the rule is lenient; if the rule is strict, there is not a large number of notifications.

This section includes the following subsections:

Using the Rule Manager

This section details the Rule Manager interface and the configuration procedures for adding rules, selecting the alert destination and schedule, and modifying rule status.

Selecting Rule Settings

To add a new rule in the Rule Manager, complete the following steps:

1. In the GMS management interface, go to Monitor > Tools > Live Monitor.
2. Click Manage Rules in the Control bar. The Rule Manager > Rule List pop-up window displays.
3. To add a new rule, click the Add New Rule icon. The Rule Manager > Rule Settings page displays.
4. Fill in the Name text-field with a descriptive name for this new rule.
5. If you wish to build a rule without immediately enabling it, click Disable. Leaving this check box blank sets the rule as enabled in the Rule List after it is built.

The Severity drop-down menu allows you to set a different severity level tag for each syslog that meets the conditions of this rule.

6. Click the Severity drop-down menu, and then select the desired severity level:
   Information
   Warning
   Critical
7. Create a rule using the available templates. Under the Group heading, you will find the available templates.

Under the Generic rules group, a listing of rule templates displays. Clicking one of these types displays the full rule below in the Rule Editor box.
The Computational rules group provides average-based statistical alerts on syslogs received, further broken down by the number received for appliances, or the number of syslogs received grouped by appliance.
The Attack rules group offers rules for understanding the number of appliances under attack from security threats, and for identifying specific appliances under attack.
The Advanced rules group is a flexible template that allows syslogs to be filtered based on one or two conditions.

For each Rule Type selected, the Rule Editor allows you to define conditions for that rule, if available. Keep in mind that the specificity with which these conditions are set controls how many alerts are received in the Live Monitoring user interface.

8. To edit the rule conditions, click the Rule Editor (pencil) icon.

A series of open fields and drop-down menus are now available; adjust them to specify the desired conditions, including various parameters, if desired. Rule types that allow you to set one condition also let you specify the name of the syslog tag you want to see, along with the operator to use in filtering those tags. Rule types that allow filtering based on two conditions give you further granularity of control.

For a list of the current SonicOS Log Events, click the Event Log Reference Guide link.

NOTE: Multiple rules with the same Rule Type are allowed, as long as the values are different in the rule condition(s). Creating different severity tags for the same rule type, with the same conditions, is not possible.

9. If you are done with the Rule Settings configuration, click Finish. If you wish to configure the alert destination and schedule, click Next and refer to Setting Alert Destination and Schedule.

Setting Alert Destination and Schedule

After rule editing is complete, configure the alert destination and schedule:

1. To set the destination and schedule for alerts based on a created rule, click the Add Destination link. The Destination and Schedule drop-down menus display.

To open additional destination fields, up to the maximum of five, click Add Destination again.

2. Click the Destination drop-down menu and select a destination:
   Email - Admin
   Email - Adhoc
   Email - User
   Trap listener - Adhoc
   Trap listener - Registered

The Live Monitoring user interface does not appear as a destination, because it is determined automatically based on whether the interface is currently running. If at least one user is live monitoring the interface, the engine detects this and continues forwarding alerts to it. If no one is currently monitoring, no alerts are sent to the Live Monitor interface, but they continue to be sent to the defined destinations, such as email and traps.

CAUTION: If you have Email as a destination, and the condition defined is very lenient, your email could easily be flooded with alerts.

3. Click the Schedule drop-down menu, and then select how often this destination receives alerts based on this rule:

Scheduled Groups
   24x7
   Weekdays 24 Hours
   8x5
   Weekend

Schedule
   Schedule: Admin
   Database: Backup
   Monday 24 Hours
   Monday Business Hours
   Tuesday 24 Hours
   Tuesday Business Hours
   Wednesday 24 Hours
   Wednesday Business Hours
   Thursday 24 Hours
   Thursday Business Hours
   Friday 24 Hours
   Friday Business Hours
   Saturday 24 Hours
   Saturday Business Hours
   Schedule: (user)

4. After the destination(s) and schedule(s) are set for alerts based on this rule, click Finish.
5. Click OK to close the dialog box and return to the Rule Manager > Rule List screen. The newly created rule displays in the list.

Modifying Rule Status

From this screen, you can enable (green circle with check), disable (red circle with ‘X’), or delete (blue wastebasket) the selected rules. These icons are in the section header.

To change a rule’s status, select it by clicking on the check box to the left of the rule name, then click the desired status icon from the section header.

For example, if you chose to disable a rule, here is how it would appear with the ‘X’ icon now showing the rule’s current status as disabled.

After you have built and enabled the rules you want the event correlation engine to apply against the syslogs, click Close to return to the Live Monitoring user interface.

Enabling Live Monitoring

This section details how to enable the Live Monitor feature.

1. To enable and configure the desired settings for the Live Monitoring user interface, click Settings in the Live Monitor interface tool bar. The Settings Manager page displays.
2. Before you can receive alerts in the Live Monitoring user interface, you must click Enable Syslogs Forwarding for Live Monitoring.

A Settings Manager - Message pop-up window displays. This is a reminder to anticipate an increase in syslog traffic, because each message is cloned for event handling.

3. Click OK to proceed.
4. The remaining text-fields allow you to configure various Live Monitoring settings, such as:
   Monitor IP Address
   Monitor Port (default port is 21011)
   Monitor Buffer Size— Defines how many alerts are stored in the buffer.
   Limit on Emails— An email throttling setting that limits the number of emails sent every hour for each rule, to prevent the flooding of inboxes.

NOTE: Live Monitor settings cannot be changed if Live Monitor instances are running on other client machines.
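As an added example, and not GMS code, the following Python models the rule concepts from Selecting Rule Settings (one- or two-condition rules on syslog tags, a severity tag per rule, a rule built with Disable checked, and an Attack-style rule that counts attack syslogs per appliance) together with the Limit on Emails setting above: once a rule has used its hourly email quota, further matches are delivered only to the Live Monitor destination. The tag names, operators, sample lines, serial numbers and addresses are constructed, and the real event correlation engine's rule semantics and syslog fields may differ.

```python
"""Toy event-correlation engine modelled on the Live Monitor rule concepts (added example, not GMS code).

Assumptions: syslogs carry key=value tags, a rule has one or two (tag, operator, value)
conditions plus a severity tag, and the email limit applies per rule per clock hour.
"""
import operator
import re
from collections import Counter, defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
OPS = {"==": operator.eq, "!=": operator.ne, "<=": operator.le, ">=": operator.ge,
       "contains": lambda have, want: want in have}


def parse_tags(line):
    """Split a key=value syslog line into a dict; quoted values are kept whole."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _cmp(op, have, want):
    # Compare as integers when both sides are numeric, otherwise as strings.
    if op != "contains" and have.lstrip("-").isdigit() and want.lstrip("-").isdigit():
        return OPS[op](int(have), int(want))
    return OPS[op](have, want)


class Rule:
    """Generic/Advanced-style rule: one or two conditions and a severity tag."""
    def __init__(self, name, severity, conditions, enabled=True):
        assert 1 <= len(conditions) <= 2, "template supports one or two conditions"
        self.name, self.severity, self.conditions, self.enabled = name, severity, conditions, enabled

    def matches(self, tags):
        if not self.enabled:                     # rule built with Disable checked
            return False
        return all(tag in tags and _cmp(op, tags[tag], want) for tag, op, want in self.conditions)


class EmailThrottle:
    """Limit on Emails: at most `limit` emails per rule per clock hour."""
    def __init__(self, limit):
        self.limit, self.sent = limit, defaultdict(int)

    def allow(self, rule_name, hour):
        if self.sent[(rule_name, hour)] >= self.limit:
            return False
        self.sent[(rule_name, hour)] += 1
        return True


class Engine:
    def __init__(self, rules, email_limit_per_hour, attack_rule, appliance_threshold):
        self.rules = rules
        self.throttle = EmailThrottle(email_limit_per_hour)
        self.attack_rule = attack_rule                 # rule whose matches count as attacks
        self.appliance_threshold = appliance_threshold
        self.attacks_per_appliance = Counter()         # keyed by serial-number tag 'sn'

    def feed(self, line, hour):
        """Correlate one syslog line; return alerts as (rule, severity, destination)."""
        tags = parse_tags(line)
        alerts = []
        for rule in self.rules:
            if not rule.matches(tags):
                continue
            dest = "email+live" if self.throttle.allow(rule.name, hour) else "live-only"
            alerts.append((rule.name, rule.severity, dest))
            if rule.name == self.attack_rule:
                # Attack-style rule: count attack syslogs per appliance and escalate once.
                sn = tags.get("sn", "?")
                self.attacks_per_appliance[sn] += 1
                if self.attacks_per_appliance[sn] == self.appliance_threshold:
                    alerts.append(("appliance-under-attack", "Critical", "email+live"))
        return alerts


# Constructed sample syslogs as (hour, line); tag names imitate SonicWall key=value style.
SAMPLE = [
    (10, 'sn=ASSUMED01 fw=203.0.113.10 pri=1 msg="Probable TCP NULL scan" src=198.51.100.9 dst=203.0.113.10'),
    (10, 'sn=ASSUMED01 fw=203.0.113.10 pri=1 msg="Probable TCP FIN scan" src=198.51.100.9 dst=203.0.113.10'),
    (10, 'sn=ASSUMED01 fw=203.0.113.10 pri=1 msg="Probable TCP XMAS scan" src=198.51.100.9 dst=203.0.113.10'),
    (10, 'sn=ASSUMED02 fw=203.0.113.20 pri=6 msg="Connection Opened" src=192.0.2.4 dst=198.51.100.7'),
    (10, 'sn=ASSUMED02 fw=203.0.113.20 pri=4 msg="User login failed" usr=alice src=192.0.2.4'),
    (11, 'sn=ASSUMED02 fw=203.0.113.20 pri=4 msg="User login failed" usr=alice src=192.0.2.4'),
]


def build_engine():
    rules = [
        Rule("port-scan", "Warning", [("msg", "contains", "scan"), ("pri", "<=", "2")]),  # two conditions
        Rule("failed-login", "Information", [("msg", "contains", "login failed")]),     # one condition
        Rule("disabled-rule", "Critical", [("pri", "==", "6")], enabled=False),        # Disable checked
    ]
    return Engine(rules, email_limit_per_hour=2, attack_rule="port-scan", appliance_threshold=3)


def run_demo(sample=SAMPLE):
    engine = build_engine()
    return [(hour, engine.feed(line, hour)) for hour, line in sample]


if __name__ == "__main__":
    for hour, alerts in run_demo():
        print(hour, alerts)
```

Running the demo shows the lenient-versus-strict behaviour the guide warns about: the third port-scan syslog in hour 10 exceeds the two-email quota and is shown in Live Monitor only, while the escalation and the next hour's failed-login alert still reach email.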

Using the Live Monitor Management Interface

This section details the action items in the Live Monitor management interface including the control bar, scrolling navigation, and alert event detail.

Control Buttons

Click Start in the Control bar to begin Live Monitoring. It takes 15-30 seconds for entries to display in the list.

After alerts are received, they will begin to appear in the user interface.

The control bar displays Start and Clear buttons to control the flow of alerts on the screen:

Start— Starts the Live Monitor feature, allowing alerts to display in the list.
Clear— Clears all alerts in the Live Monitor list.

NOTE: Although Super Admins are able to view alerts from across all domains of a network, regular users will only see their domain-specific alerts in the Live Monitoring user interface.

After Live Monitoring begins, Start is replaced by Pause and Stop.

Pause— This button is helpful if you need to focus on one alert, while keeping the buffer from continuing to fill up with alerts.
Stop— Stops Live Monitoring from receiving alerts to display. Keep in mind there is a 15-30 second lag before the event engine sees the Live Monitoring user interface is no longer listening.

If alerts are paused, the control bar displays a Resume button in place of Pause.

Resume— Click when you are ready to resume Live Monitoring.

Display Settings

The Live Monitor Control bar displays Undock, Dock, Full Screen and Pin icons to change the Display options.

Full Screen— Displays the Live Monitor in a full screen mode. Press Escape to return to the Live Monitor management interface.
Pin— Pins or Un-pins the Control bar from the Live Monitor page. If the Control bar is un-pinned, hover the mouse over the top of the page and the Control bar drops down, click the Pin icon to keep it displayed.
Undock— Undocks the Live Monitor from the Monitor > Live Monitor management interface page, giving you the option to view the Live Monitor in a new window.
Dock— Docks the Live Monitor to the Monitor > Live Monitor management interface page.

Scroll Navigation

The right side of the Live Monitoring management interface contains a scroll bar. As alerts are displayed, the most recent appear at the bottom of the buffer in “auto-scroll” mode. Clicking any other scroll bar control disables auto-scroll and gives control to the user. A button at the top of the scroll bar enables or disables Auto Scrolling. The scroll bar’s up and down “arrow” buttons provide smooth, fast scrolling of the display.

Alert Event Detail

Within the Live Monitoring management interface display, you can see greater detail about a particular alert by double-clicking on the alert. This expands the field to show additional information, including the RAW Packet information. To collapse the alert details, double-click on the alert again.

The Live Monitoring user interface can be viewed by multiple users at the same time. However, if no users are actively monitoring, alerts are no longer sent to the interface. Alerts continue to be sent to previously set destinations, such as email and traps.

SonicWall suggests referencing the following documents as essential tools to effectively use the Live Monitoring feature:

SonicWall Knowledge Base article: Setting Up GMS Live Monitor for Alerting