SonicOS 6.2 Admin Guide

Log

Tracking Potential Security Threats

Log > Log Monitor

NOTE: For increased convenience and accessibility, the Log Monitor page can be accessed either from Dashboard > Log Monitor or Log > Log Monitor. The two pages provide identical functionality. For information on using Log Monitor, see Dashboard > Log Monitor.

 

Configuring Log Settings

Log > Settings

This section provides configuration tasks to enable you to categorize and customize the logging functions on your SonicWall security appliance for troubleshooting and diagnostics.

 

The Log > Settings page displays logging data in a series of columns and allows you to configure the logging entries and to reset event counts. You can filter the entries to limit the data display to only those events of interest. You can import and save logging templates.

Table Columns

Category Column

The Category column of the Log Monitor table has three levels:

Category, first and highest level of the tree structure
Group, the second level
Event, the third level

Clicking the small black triangle to the left of the category or group name expands or collapses the category or group contents.

Color Column

The Color column shows the color with which the event is highlighted in Dashboard > Log Monitor. To change the color of the event, click the Edit icon for the event.

ID Column

The ID column shows the ID number of the event. The ID for a particular message is listed in the SonicOS Combined Log Events Reference Guide.

NOTE: The ID number is only displayed on the event level, which can be either the second or third level.

Priority Column

CAUTION: Changing the Event Priority may have serious consequences as the Event Priority for all categories will be changed. Modifying the Event Priority affects the Syslog output for the tag “pri=” as well as how the event is treated when performing filtering by priority level. Setting the Event Priority to a level that is lower than the Logging Level causes those events to be filtered out. Also, as GMS ignores received Syslogs that have a level of Debug, heartbeat messages and reporting messages must have a minimum Event Priority of Inform.

The Priority column shows the severity or priority of a category, group, or event. For events, a drop-down menu lists the selectable priorities. For categories and groups, the priorities are listed in the dialog when you click the Configure button at the end of the row.

The available priorities are:

Emergency
Alert
Critical
Error
Warning
Notice
Inform
Debug

Gui Column

The Gui column indicates whether this item is displayed in Dashboard > Log Monitor. For categories and groups, the display state is shown with an indicator. To change the display for:

An event, select or deselect the checkbox in the column.
Categories and groups, click the Edit icon in the column to display the Edit Log Group dialog.

Alert Column

The Alert column shows checkboxes that indicate whether an Alert message is sent for this event, group, or category. For categories and groups, this is shown with an indicator. To change whether the Alert message is sent for:

An event, select or deselect the checkbox in the column.
Categories and groups, click the Edit icon in the column to display the Edit Log Group dialog.

Syslog Column

The Syslog column indicates whether the event, group, or category is sent to a Syslog server. For categories and groups, this is shown with an indicator. To change this setting for:

An event, select or deselect the checkbox in the column.
Categories or groups, click the Edit icon in the column to display the Edit Log Category or Edit Log Group dialog.

Ipfix Column

The Ipfix column indicates whether IPFIX is enabled for log events. Starting with SonicOS 6.2.7, system logs can be sent to an external server via IPFIX packets and then saved into the database on the disk. The logs only include the ones reported without connection cache.

For categories and groups, whether IPFIX is enabled is shown with an indicator. To enable or disable IPFIX for:

An event, select or deselect the checkbox in the column.
Categories or groups, click the Edit icon in the column to display the Edit Log Category or Edit Log Group dialog.

Email Column

The Email column indicates whether the log is emailed to the configured address. For events, these checkboxes are configurable in the column. For categories or groups, Email is configured in the Edit Log Group or Edit Log Category dialogs that appear when you click the Edit button at the end of the row.

Event Count Column

The Event Count column shows the count of events by:

Event level — The number of times that this event has occurred.
Group level — The total events that occurred within the group.
Category level — The total events that occurred within the category.

By hovering your mouse over an event count, a pop-up message displays the count of events dropped for these reasons:

Overflow
GUI Filter
Alert Filter
Syslog Filter
E-mail Filter
Priority
Syslog Event Rate
Syslog Data Rate

Edit and Reset Event Count Icons

The Edit and Reset Event Count icons appear at the end of each row.

Edit Icon

The Edit icon launches the Edit Log Event, Edit Log Group, or Edit Log Category dialog. You can configure all of the attributes for an event, group, or category.

Reset Event Count Icon

The Reset Event Count icon resets the event counter for an event, a group, or a category, and the event counters of higher levels are recalculated. To reset all counters, use the Reset Event Count button above the Log Settings table, as described in Reset Event Count Button.

Log Severity/Priority

This section provides information on configuring the level of priority of log messages that are captured, and the corresponding alert messages that are sent through email for notification.

NOTE: Alert emails are sent when the Send Log to E-mail Address option and the Send Alerts to E-mail Address option are configured on the Log > Automation page.

Setting the Logging Level

The Logging Level allows you to filter events by priority. Events with equal or greater priority are passed. Events with a lower priority are dropped. This enables you to filter out lower-level priorities to prevent them being logged in the system.

On the Log > Settings page, you can set the baseline logging level to be displayed on the Log Monitor page. The following logging levels are available for selection, from highest to lowest:

Emergency
Alert
Critical
Error
Warning
Notice
Inform
Debug
To set the logging level:
1. Go to the Log > Settings page.
2. From the Logging Level drop-down menu, select the logging level you want.

All events with a priority equal to or higher than the selected entry are also logged. For example, if you select Error as the logging level, all messages tagged as Error, as well as all messages with a higher priority such as Critical, Alert, and Emergency, are also displayed. The default value is Debug.

NOTE: To display all events, select Debug as the logging level.

Setting the Alert Level

The Alert Level allows you to filter email alerts by alert level. Events with an equal or greater alert level are sent to the specified email address. Events with a lower alert level are ignored. This enables you to filter out lower-level email alerts to reduce the actual emails transmitted.

On the Log > Settings page, you can set the baseline alert level to be displayed on the Dashboard > Log Monitor page:

Emergency
Alert
Critical
Error
Warning
To set the alert level:
1. Go to the Log > Settings page.
2. From the Alert Level drop-down menu, select the alert level you want.

All events with an alert level equal to or higher than the selected entry are also sent. For example, if you select Error as the alert level, all messages tagged as Error, as well as all messages with a higher alert level, such as Critical, Alert, and Emergency, are also sent. The default value is Alert.

TIP: To display all alert events, select Warning as the alert level.

Configuring Event Attributes Globally

NOTE: For how to configure event attributes selectively, see Configuring Event Attributes Selectively.

Clicking the Configure icon launches the Edit Attributes of All Categories dialog. This dialog enables you to set the attributes for all events in all categories and groups at once.

These global attributes can be modified:

Event Priority
Inclusion of events in Log Monitor, Email, and Syslog
Redundancy filter settings
Email settings
Font color when displayed in Log Monitor
To edit the Category attributes globally:
1. Go to the Log > Settings page.

2. Click the Configure icon. The Edit Attributes of All Categories pop-up dialog appears.

NOTE: The Enable buttons are solid green when all categories, groups, and/or events are enabled, white when all are disabled, and semi-solid when they are mixed (some enabled, some disabled).

As this configuration is for all categories, you have to explicitly set the option to “all enabled” by clicking the icon until it is solid green, or to set the option to “all disabled” by clicking the icon until it is white. To configure a single event to be different from the rest of its group or category, you must go into the individual event setting configuration. If you do this, the icon is semi-solid.

When the fields say Multiple Values, different values have been specified for one or more category, group, or event. To view the individual settings, refer to Configuring Event Attributes Selectively. To change the setting from Multiple Values into one value for all categories, groups, or events while in the Edit Attributes of All Categories dialog, verify that the option was enabled so the field can be accessed for entering the new value. If the option is disabled, the field is dimmed and inaccessible.

3. From the Event Priority drop-down menu, select the priority that you want.

CAUTION: Changing the Event Priority may have serious consequences as the Event Priority for all categories will be changed. Modifying the Event Priority will affect the Syslog output for the tag “pri=” as well as how the event will be treated when performing filtering by priority level. Setting the Event Priority to a level that is lower than the Logging Level will cause those events to be filtered out. Also, as GMS ignores received Syslogs that have a level of Debug, heartbeat messages and reporting messages must have a minimum Event Priority of Inform.

TIP: The following Redundancy Filter Interval fields enable you to enter time intervals (in seconds) to avoid duplication of a log message within an interval. The range for these intervals is 0 to 86400 seconds. For Syslog messages, the default interval is set to 90 seconds. For alert messages, the default interval is set to 900 seconds.

TIP: The different options are independent of each other, and you can enable any combination of them and set different frequencies of generation for them. For example, you may want an event message emailed to you, but not shown in the Dashboard > Log Monitor page.

When GMS is enabled, however, care must be taken when modifying event attributes so events used to generate reports are not incorrectly filtered out. User-initiated modifications (implicit changes) of category- and group-level events that may affect factory-defined events, such as those required by GMS, are ignored. Modifications to specific events (explicit changes), however, may override this built-in protection of GMS-required events.

4. If you want to display the log events in the Log Monitor, select the Enable icon for the Display Events in Log Monitor option.
   a. In the Display Events in Log Monitor Redundancy Filter Interval field, enter the number of seconds that should elapse before allowing the same event to be logged and displayed by the Log Monitor again when that event occurs one after the other. The range is 0 to 86400.

For example, if you set this value to 60 seconds, then when the event Connection Closed first happens at 1:15 p.m., the next Connection Closed event is not logged until 60 seconds after the first one. Any Connection Closed event occurring within the 60-second interval is dropped.

5. If you want to send events as email alerts, select the Enable icon for the Send Events as E-mail Alerts option.
   a. In the Send Events as Email Alerts Redundancy Filter Interval field, enter the number of seconds that should elapse before allowing the same email event to be sent when that email alert occurs one after the other. The range is 0 to 86400.

For example, if you set this value to 60 seconds, then when an email alert first happens at 1:15 p.m., the next email alert is not sent until 60 seconds after the first one. Any email alert occurring within the 60-second interval is dropped.

6. If you want to report events via Syslog, select the Enable icon for the Report Events via Syslog option.
   a. In the Report Events via Syslog Redundancy Filter Interval field, enter the number of seconds that should elapse before allowing the same Syslog messages to be sent when that event occurs one after the other. The range is 0 to 86400.

For example, if you set this value to 60 seconds, then when a Syslog message first happens at 1:15 p.m., the next Syslog message is not sent until 60 seconds after the first one. Any Syslog message occurring within the 60-second interval is dropped.

7. To send the Syslogs to a particular Syslog server group, enter the group’s ID in the Use this Syslog Server Profile field. The default is 0. For information about Syslog Server (Event) profiles, see About Event Profiles and Syslog Servers.
8. If you want to report events via IPFIX, select the Enable icon for the Report Events via IPFIX option.
   a. In the Report Events via IPFIX Redundancy Filter Interval field, enter the number of seconds that should elapse before allowing the same messages to be sent via IPFIX when events occur one after the other. The range is 0 to 86400.

For example, if you set this value to 60 seconds, then when a message sent via IPFIX first happens at 1:15 p.m., the next message is not sent until 60 seconds after the first one. Any message occurring within the 60-second interval is dropped.

9. If you want to send the global event log via email, select the Enable icon for the Include Events in Log Digest option.
NOTE: If this option is enabled, it is important to verify that the email address configured in the Send Log Digest to Email Address field is correct.
10. If you enabled Include Events in Log Digest, do one of the following for Send Log Digest to Email Address:
   If you want to use the same email address that is entered in the Log > Automation page even when you change other values in this dialog, select the Leave Unchanged checkbox. This option is enabled by default.
   To change the email address, uncheck the Leave Unchanged option and enter a new address in the now-active field.
TIP: An email alert is one email sent for each event occurrence as soon as that event has occurred. A Log Digest, on the other hand, is a chronological collation of events sent as a single email in digest format. Because it is a summation of events, the event information time period is a mix of older and newer events.
11. If you want to receive alerts via email based on the global settings in this dialog, do one of the following for Send Alerts to E-mail Address:
   If you want to use the same email address that is entered in the Log > Automation page even when you change other values in this dialog, select the Leave Unchanged checkbox. This option is enabled by default.
   To change the email address, uncheck the Leave Unchanged option and enter a new address in the now-active field.
12. If you want to use a specific color for the global events log, uncheck the Leave Unchanged option, which is the default setting. The color selection matrix appears.

13. Select the color you want. The Show Events using Color square becomes the chosen color.

14. Click Apply.
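The Logging Level rule (Setting the Logging Level), the Alert Level rule (Setting the Alert Level) and the per-destination Redundancy Filter Interval from steps 4 to 6 above can be simulated to see which occurrences reach which destination and which drop reason the Event Count pop-up would record. The script below is an added Python example, not SonicOS code; the channel names, the 0-second GUI interval default and the assumption that the Alert Level gates only the e-mail alert channel are the example's own.

```python
from dataclasses import dataclass, field

# Priorities from highest to lowest, as listed on the Log > Settings page.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Inform", "Debug"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}  # 0 = highest priority


def passes_level(priority: str, level: str) -> bool:
    """Equal or higher priority passes the level; lower priority is dropped."""
    return RANK[priority] <= RANK[level]


@dataclass
class Channel:
    """One destination (GUI, Alert e-mail, Syslog) with its own redundancy filter."""
    enabled: bool = True
    interval: int = 0          # Redundancy Filter Interval in seconds, 0..86400
    last_delivered: dict = field(default_factory=dict)  # event id -> last delivery time

    def __post_init__(self):
        if not 0 <= self.interval <= 86400:
            raise ValueError("redundancy filter interval must be 0..86400 seconds")

    def admit(self, event_id: int, now: int) -> bool:
        """Deliver unless the same event was delivered less than `interval` seconds ago."""
        last = self.last_delivered.get(event_id)
        if last is not None and now - last < self.interval:
            return False
        self.last_delivered[event_id] = now
        return True


class LogSettings:
    """Global log settings: logging level, alert level and three delivery channels."""

    def __init__(self, logging_level="Debug", alert_level="Alert",
                 gui_interval=0, alert_interval=900, syslog_interval=90):
        # Defaults follow the page: Logging Level Debug, Alert Level Alert,
        # 900 s for alert messages, 90 s for Syslog. 0 s for the GUI is an assumption.
        self.logging_level = logging_level
        self.alert_level = alert_level
        self.channels = {
            "GUI": Channel(interval=gui_interval),
            "Alert": Channel(interval=alert_interval),
            "Syslog": Channel(interval=syslog_interval),
        }
        # Drop reasons as shown when hovering over an Event Count.
        self.drops = {"Priority": 0, "GUI Filter": 0, "Alert Filter": 0, "Syslog Filter": 0}
        self.event_count = {}  # event id -> number of occurrences seen

    def process(self, event_id: int, priority: str, now: int) -> set:
        """Return the names of the channels that deliver this occurrence."""
        self.event_count[event_id] = self.event_count.get(event_id, 0) + 1
        if not passes_level(priority, self.logging_level):
            self.drops["Priority"] += 1  # below the Logging Level: not logged at all
            return set()
        delivered = set()
        for name, channel in self.channels.items():
            blocked = (not channel.enabled
                       or (name == "Alert" and not passes_level(priority, self.alert_level))
                       or not channel.admit(event_id, now))
            if blocked:
                self.drops[name + " Filter"] += 1
            else:
                delivered.add(name)
        return delivered


if __name__ == "__main__":
    # Constructed scenario from the page: a 60 s interval and a "Connection Closed"
    # event (hypothetical id 1) that first occurs at 1:15 p.m.
    settings = LogSettings(logging_level="Error", alert_level="Alert",
                           gui_interval=60, alert_interval=60, syslog_interval=60)
    t0 = 13 * 3600 + 15 * 60
    for offset in (0, 30, 60):
        print(offset, settings.process(1, "Critical", t0 + offset))
    print(settings.drops)
```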

Configuring Event Attributes Selectively

NOTE: For how to configure event attributes globally, see Configuring Event Attributes Globally.

On the Log > Settings page, the columns show the main event attributes that can be configured on different levels: category, group, or each event.

NOTE: The Edit Log pop-up dialogs may look similar, but the effect of each varies in scope:
Edit Log Category dialog modifies settings for all groups that belong to the same category and, consequently, all events in that category.
Edit Log Group dialog modifies settings for all events that belong to that group.
Edit Log Event dialog modifies settings for one specific event.

NOTE: The Enable buttons for the columns are green when all are enabled, white when all are disabled, and semi-solid when they are mixed (some enabled, some disabled).

As this configuration is for all categories, you have to explicitly set the option to “all enabled” by clicking the icon until it is solid green, or to set the option to “all disabled” by clicking the icon until it is white. To configure a single category, group, or event to be different, you must go into the individual dialog or event setting. If you do this, the icon is semi-solid.

You can enable or disable a column. In the rows for categories and groups, the enable indicators are grey and show one of three states (enabled, disabled, or mixed); they cannot be changed except through the Edit Log Category or Edit Log Group dialogs.

The rows for events contain checkboxes for enabling or disabling the event instead of indicators.

Configuring Event Attributes by Category

Any changes done at the category level apply to all groups and all events within the selected category.

To set the Event Attributes by category level:
1. In Log > Settings, select a specific category.
2. Click the Configure icon to launch the Edit Log Category dialog.

3.
Configuring Event Attributes by Group

Setting the Event Attributes by group level allows the modification of settings on a smaller scale within a selected category. Any changes done to the group apply to all events that belong only to the selected group.

To set the Event Attributes by group level:
1. In Log > Settings, select a specific category.
2. Select a specific group within the category.
3. Click the group’s Configure icon to launch the Edit Log Group dialog.

4.
Configuring Event Attributes by Event

The most granular level, the event level, allows the Event Attributes columns to be directly modified by expanding the selected category into groups, then expanding the selected group into individual events within that group. Any changes done to the event apply to just that event within the selected group.

To set the Event Attributes by event level:
1. In Log > Settings, select a specific category.
2. Select a specific group within the category.
3. Select a specific event within the group.
4. Click the event’s Configure icon to launch the Edit Log Event dialog.

5.

Top Row Buttons


Save Logging Template Button

The Save Logging Template button displays the Save to Custom Template pop-up dialog so you can export the current configured Log Settings to the Custom template. The dialog also lets you enter a description for the Custom template.

Only the Custom template can be modified and saved, and there is only one custom template. Each time the custom template is saved, the old custom template is overwritten.

Import Logging Template

The Import Logging Template button displays the Import from Log Category Template dialog, which allows you to select and import one of these templates:

NOTE: The Default, Minimal, and Analyzer/Viewpoint/GMS templates are defined at the factory.

Default Template

The Default template restores all log event settings to the SonicWall default values for each of these log fields:

Event Priority
Display Events in Log Monitor
Send Events as E-mail Alerts
Report Events via Syslog
Include Events in Log Digest
Redundancy Filter Interval
Send Log Digest to E-mail Address
Send Alerts to E-mail Address
Show Events using Color

Minimal Template

The Minimal template keeps the generated logs at a minimum level, while still providing sufficient information about the most important events on the firewall. The minimal template modifies the capture filters to allow only high-priority events to be logged. Most non-critical events are filtered out. The capture filters are modified for these fields: GUI, Alert, Syslog, and Email.

NOTE: Only the capture filters are modified; the redundancy filter intervals are left as is.

Analyzer/Viewpoint/GMS Template

The Analyzer/Viewpoint/GMS template is factory configured to ensure that the firewall works well with Reporting Software server settings (Analyzer, Viewpoint, and/or GMS server). All related events are configured to meet the server requirements.

All configurations are limited to the Report Events via Syslog option and its associated Redundancy Filter Interval. Events critical to the reporting function of Analyzer, Viewpoint, and GMS will have these fields set to the recommended factory-default values:

Report Events via Syslog
Redundancy Filter Interval for Syslog

Reset Event Count Button

The Reset Event Count button sets all the event counters to zero (0).

Cancel Button

The Cancel button cancels whatever changes you made and leaves the settings unchanged.

Apply Button

The Apply button applies any changes done in Log > Settings page.

Viewing the Log

After you have configured logging for your appliance, you can display the Dashboard > Log Monitor quickly by clicking the Link icon in the top row.

Filtering Logs

You can apply, create, and delete custom filters to customize the information you wish to log and view on the Dashboard > Log Monitor or Log > Log Monitor page. You can create simple or complex filters, depending on the criteria you specify. By doing so, you can focus on points of interest without distraction from other applications, users, or other traffic data.

You can create filters in these ways:

Clicking on the Link button on the Log > Settings page to display the Dashboard > Log Monitor page and following the procedures described in Filtering the Log Monitor Table.
Using the Filter View button on the Log > Settings page to create a filter at the category, group, or event level.

Using the Filter View Button

Adding a Filter

NOTE: The filter is valid only while the Log > Settings page is displayed. Displaying another page or logging out deletes the filter.

To create a filter using Filter View:
1. At the top of the Log > Settings page, click the Filter Add button next to the Filter View button. The Category Filter Statement pop-up dialog displays.

2. Enter the filter. For example, priority=warning;id=1221,1222,1149. You can enter multiple keys separated by a semicolon (;) and, for each key, multiple values separated by a comma (,). A key can be name (from the Category column), priority (from the Priority column), or id (from the ID column). Keys are case insensitive.
NOTE: Only one filter is valid at a time. If you add another filter, it replaces the existing one.
3. Click Apply. The display changes to reflect the filtered data, and a new button, [Category Filter], appears next to the Filter View button.

Viewing a Filter

For a quick look at the filter, click on the [Category Filter] button. A small, pop-up window displays the filter under the button.

NOTE: To close the pop-up, click the triangle or [Category Filter] on the [Category Filter] button. Do not click the X in the upper right corner of the pop-up, as doing so deletes the filter.

Deleting a Filter

To delete a filter, click on the X in the Delete Box button in the Filter View button, the [Category Filter] button, or the pop-up dialog. Displaying another page or logging out also deletes the filter.
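The Category Filter Statement syntax described under Adding a Filter (keys separated by semicolons, values by commas, case-insensitive keys, one active filter at a time) is small enough to parse and apply in a few lines. The following is an added Python example, not SonicOS code: the row names are constructed, the event IDs are the ones from the page's own example, and two points the page does not state are assumptions here, namely that different keys are combined with AND (values of one key with OR) and that name and value comparison is case insensitive.

```python
from dataclasses import dataclass
from typing import Optional

# Keys accepted in a Category Filter Statement, as the page lists them.
FILTER_KEYS = {"name", "priority", "id"}
PRIORITIES = {"emergency", "alert", "critical", "error", "warning",
              "notice", "inform", "debug"}


def parse_filter(statement: str) -> dict:
    """Parse 'priority=warning;id=1221,1222,1149' into {key: set of lower-cased values}."""
    parsed = {}
    for clause in statement.split(";"):
        clause = clause.strip()
        if not clause:
            continue  # tolerate a trailing ';'
        key, sep, raw_values = clause.partition("=")
        key = key.strip().lower()  # keys are case insensitive
        if not sep or key not in FILTER_KEYS:
            raise ValueError(f"invalid filter clause: {clause!r}")
        values = {v.strip().lower() for v in raw_values.split(",") if v.strip()}
        if not values:
            raise ValueError(f"key {key!r} has no values")
        if key == "priority" and not values <= PRIORITIES:
            raise ValueError(f"unknown priority in {sorted(values)}")
        if key == "id" and not all(v.isdigit() for v in values):
            raise ValueError(f"event IDs must be numeric: {sorted(values)}")
        parsed.setdefault(key, set()).update(values)
    return parsed


@dataclass
class LogRow:
    """One row of the Log > Settings table; only event rows carry an ID."""
    name: str
    priority: str
    id: Optional[int] = None


def matches(row: LogRow, flt: dict) -> bool:
    """Every key in the filter must match; the values of one key are alternatives (assumption)."""
    for key, values in flt.items():
        if key == "name":
            actual = row.name.lower()
        elif key == "priority":
            actual = row.priority.lower()
        else:
            if row.id is None:
                return False  # category and group rows have no ID to match
            actual = str(row.id)
        if actual not in values:
            return False
    return True


def apply_filter(rows, statement: str) -> list:
    """Return the rows the statement keeps; a new statement replaces any earlier one."""
    flt = parse_filter(statement)
    return [row for row in rows if matches(row, flt)]


# Constructed sample rows: the names are invented, the IDs come from the page's example.
SAMPLE_ROWS = [
    LogRow("Sample event A", "Warning", 1221),
    LogRow("Sample event B", "Error", 1222),
    LogRow("Sample event C", "Warning", 1149),
    LogRow("Sample event D", "Warning", 42),
    LogRow("Sample group", "Warning"),  # group row: no ID
]

if __name__ == "__main__":
    for row in apply_filter(SAMPLE_ROWS, "priority=warning;id=1221,1222,1149"):
        print(row)
```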

Configuring Syslog Settings

Log > Syslog

In addition to displaying event messages in the GUI, the SonicWall security appliance can send the same messages to an external, user-configured Syslog Server for viewing. The Syslog message format can be selected in Syslog Settings and the destination Syslog Servers can be specified in the Syslog Servers table.

SonicWall Syslog captures all log activity and includes every connection source and destination name and/or IP address, IP service, and number of bytes transferred. SonicWall Syslog support requires an external server running a Syslog daemon; the UDP Port is configurable.

SonicWall has fully compatible Syslog viewers, such as GMS and Analyzer, which can generate useful reports based on received Syslog messages. When GMS or Analyzer has been enabled, the destination hosts are automatically added as one of the Syslog Servers. Other Syslog Servers may be added as needed, however. For more information about adding Syslog Servers, see About Event Profiles.

NOTE: See RFC 3164, The BSD Syslog Protocol, for more information.

NOTE: Syslog output may be affected by changes to Event Priority for event, group, or global categories made on the Log > Settings page. For more information, see Configuring Event Attributes Globally.

NOTE: SonicWall Syslog support requires an external server running a Syslog daemon on a UDP Port. The default port is UDP Port 514, but you can choose a different port.

To display the Dashboard > Log Monitor page, click the Show Log Monitor icon in the upper right corner of the page.

Packet data can be sent to Syslog Servers. For how to configure this option, contact SonicWall Support.


About Event Profiles

NOTE: Event Profiling is supported by all firewalls running SonicOS 6.2.7 and above except the SM 9800.

By configuring events globally for all Syslog Servers, the events generated from all the modules in the system are reported to all the configured Syslog Servers. This generates huge amounts of Syslog traffic, which may cause issues, such as reduced performance and packet loss. Syslog Server profiling, known as Event Profiling, allows more granular control by configuring events by Syslog server instead of globally. Also, there can be multiple groups of Syslog servers, with different events reported to different groups of servers. You can specify up to 24 Event Profiles, with up to 7 Syslog Servers configured for each Event Profile, for a maximum of 168 Syslog Servers per firewall.

IMPORTANT: A GMS server used for Syslog must belong to the Profile 0 group. Only the Profile 0 group, therefore, can have up to 8 servers total (7 Syslog Servers and 1 GMS server).

The Event Profile is used, along with the Server Name and Port, to uniquely identify a Syslog Server in the Syslog Server table. This allows multiple rows to have the same Name and Port combination with different Profiles. Thus, a Syslog Server can be a member of more than one Event Profile group.

About Syslog Server Profiling

This feature provides the ability to configure the settings for each Syslog server independently instead of using the global settings for all the servers. In previous releases, the events generated from all the modules in the system were reported to all the configured Syslog servers. Depending on the deployment, this generates a huge amount of Syslog traffic and can cause performance issues or even packet loss.

With Syslog Server Profiling, the following new functionality is available:

Syslog messages can be sent using different settings for different Syslog servers
There can be multiple groups of Syslog servers
Different events can be configured to be reported to different groups of Syslog servers

All the settings in the Log > Syslog page except the Enable NDPP Enforcement for Syslog Server checkbox can be configured independently for each row in the Syslog Servers table. This allows Syslog messages to be rendered with different settings for different servers, and each server can have its own Rate Limiting options.

Use the Enable checkbox to enable or disable sending of Syslog messages to a specific Syslog server. The settings for Enhanced Syslog and ArcSight format can also be configured individually.

All these settings can be configured from the SonicOS web interface and from the command line interface (CLI). For convenience, the global settings can be used to configure all servers.

NOTE: The Override Syslog Settings with Reporting Software Settings option has been removed. As the Syslog servers have their own independent settings, this option is no longer needed.

Using a GMS Server for Syslog

GMS can be enabled or disabled only on the System > Administration page (for enabling and configuring GMS, see Advanced Management).

When using a GMS server for Syslog, the following restrictions apply:

The Event Profile must be 0.
The Syslog Facility must be Local Use 0.
The Syslog Format must be Default.
The Syslog ID must be firewall.

When the firewall is managed using GMS, only the global settings can be configured from GMS, so if a global setting is changed, it affects all the servers. The settings for an individual server cannot be configured, as GMS 8.1 does not support those tags. When adding a new Syslog Server, therefore, only the hostname and port can be configured; all other fields contain default values.

When GMS is enabled, the GMS server is added to the Event Profile 0 group in the Syslog Servers table. It cannot be added to any other Profile groups. Therefore, only the Profile 0 group can have 8 servers in total (7 Syslog servers and 1 GMS server). All other groups can have only 7 servers. The events in the GMS group in the Log > Settings page have Profile 0 and cannot be changed. Other events can have a different Profile.
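The identification and capacity rules from About Event Profiles and Using a GMS Server for Syslog (Name, Port and Profile identify a row; up to 24 profiles with 7 Syslog Servers each; only Profile 0 may hold an eighth, GMS, server, which must use Local Use 0, the Default format and the firewall ID) are the kind of constraints an audit or configuration-as-code script has to enforce before pushing a Syslog Servers table. The following is an added Python model, not SonicOS or GMS code; the class and field names are the example's own, and the default port 514 is taken from the Syslog section of this page.

```python
from dataclasses import dataclass

MAX_PROFILES = 24             # Event Profiles are numbered 0..23
MAX_SERVERS_PER_PROFILE = 7   # Syslog Servers per Event Profile
GMS_PROFILE = 0               # the only group that may hold the single GMS server


@dataclass(frozen=True)
class SyslogServer:
    name: str
    port: int = 514               # default UDP port
    profile: int = 0
    facility: str = "Local Use 0"
    syslog_format: str = "Default"
    syslog_id: str = "firewall"
    is_gms: bool = False

    def key(self) -> tuple:
        """Name, Port and Profile together identify a row, so one host may sit in several profiles."""
        return (self.name, self.port, self.profile)


class SyslogServerTable:
    """Holds Syslog Server rows and rejects additions that break the stated limits."""

    def __init__(self):
        self.rows = {}

    def members(self, profile: int) -> list:
        """All rows (Syslog Servers and, for Profile 0, the GMS server) in one profile group."""
        return [r for r in self.rows.values() if r.profile == profile]

    def add(self, server: SyslogServer) -> None:
        if not 0 <= server.profile < MAX_PROFILES:
            raise ValueError(f"Event Profile must be 0..{MAX_PROFILES - 1}")
        if server.key() in self.rows:
            raise ValueError(f"duplicate Name/Port/Profile {server.key()}")
        if server.is_gms:
            self._check_gms(server)
        elif sum(not r.is_gms for r in self.members(server.profile)) >= MAX_SERVERS_PER_PROFILE:
            raise ValueError(f"Event Profile {server.profile} already has "
                             f"{MAX_SERVERS_PER_PROFILE} Syslog Servers")
        self.rows[server.key()] = server

    def _check_gms(self, server: SyslogServer) -> None:
        """Restrictions from 'Using a GMS Server for Syslog'."""
        rules = (
            (server.profile == GMS_PROFILE, "GMS server must be in Event Profile 0"),
            (server.facility == "Local Use 0", "GMS server must use facility Local Use 0"),
            (server.syslog_format == "Default", "GMS server must use the Default format"),
            (server.syslog_id == "firewall", "GMS server must use Syslog ID 'firewall'"),
            (not any(r.is_gms for r in self.rows.values()), "only one GMS server is allowed"),
        )
        for ok, message in rules:
            if not ok:
                raise ValueError(message)


if __name__ == "__main__":
    # Constructed host names; the same collector is placed in two profile groups.
    table = SyslogServerTable()
    table.add(SyslogServer("collector.example", 514, 0))
    table.add(SyslogServer("collector.example", 514, 1))
    table.add(SyslogServer("gms.example", 514, 0, is_gms=True))
    print(len(table.members(0)), "rows in Profile 0")
```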

Syslog Settings

The Log > Syslog page enables you to configure the various settings you want when you send the log to a Syslog server. You can choose the Syslog facility and the Syslog format.

NOTE: If you are using SonicWall’s Global Management System (GMS) to manage your firewall, the Syslog Format is fixed to Default and the Syslog ID is fixed to firewall. Thus, these fields are greyed-out and can't be modified. All other fields, however, can still be customized as needed.

Configuring Syslog Settings

To configure Syslog settings on your firewall:
1. Go to the Log > Syslog page.

2. In the Syslog ID field, enter the Syslog ID. The default is firewall.

A Syslog ID field is included in all generated Syslog messages, prefixed by id=. Thus, for the default value, firewall, all Syslog messages include id=firewall. The ID can be set to a string consisting of 0 to 32 alphanumeric and underscore characters.

3. The Syslog Facility may be left as the factory default. Optionally, however, from the Syslog Facility drop-down menu, select the Syslog Facility appropriate to your network. The available facilities are:

Kernel
User-Level Messages
Mail System
System Daemons
Security/Authorization Messages
Messages Generated Internally by syslogd
Line Printer Subsystem
Network News Subsystem
UUCP Subsystem
Clock Daemon (BSD Linux)
AUTHPRV Security/Authorization Messages
FTP Daemon
NTP Subsystem
Log Audit
Log Alert
Clock Daemon (Solaris)
Local Use 0 (default)
Local Use 1
Local Use 2
Local Use 3
Local Use 4
Local Use 5
Local Use 6
Local Use 7

4. From the Syslog Format drop-down menu, select the Syslog format:

Default: Default SonicWall Syslog format. NOTE: This format is required for GMS or Reporting software.
WebTrends: WebTrends Syslog format. You must have WebTrends software installed on your system.
Enhanced Syslog: Enhanced SonicWall Syslog format.
ArcSight: ArcSight Syslog format. The Syslog server must be configured with the ArcSight Logger application to decode the ArcSight messages.

5
If you selected:
Default or WebTrends, go to Step 13.
Enhanced Syslog, go to Step 6.
ArcSight, go to Step 10.
6
(Optional) If you selected Enhanced Syslog, click the Enhanced Syslog Fields Settings Configure icon. The Enhanced Syslog Settings pop-up dialog displays.

7
(Optional) Select the Enhanced Syslog options to log. By default, all options are selected; the Host (sn) and Event ID (m) options are dimmed as they cannot be changed. To:
Select all options, click Select All.
Deselect all options, click Clear All.
Select only some options, either:
Click Clear All, then select only those options to log.
Deselect only those options to not log.
8
Click Save.
9
Go to Step 13.
10
Optionally, if you selected ArcSight, click the ArcSight CEF Fields Settings Configure icon. The ArcSight CEF Fields Settings pop-up dialog displays.

11
Optionally, select the ArcSight options to log. By default, all options are selected; the Host and Event ID options are dimmed as they cannot be changed. To:
Select all options, click Select All.
Deselect all options, click Clear All.
Select only some options, either:
Click Clear All, then select only those options to log.
Deselect only those options to not log.
12
Click Save.
13
Optionally, specify the maximum number of events in the Maximum Events Per Second field; the minimum number is 0 per second, the maximum is 1000 per second, and the default is 1000. This option limits events logged to prevent the internal or external logging mechanism from being overwhelmed by log events.
* 
NOTE: Event rate limiting is applied regardless of Log Priority of individual events.
14
Optionally, specify the maximum number of bytes in the Maximum Bytes Per Second field; the minimum is 0 bytes per second, the maximum is 1000000000 bytes per second, and the default is 10000000. This control limits data logged to prevent the internal or external logging mechanism from being overwhelmed by log events.
* 
NOTE: Data rate limiting is applied regardless of Log Priority of individual events.
15
Optionally, select the Enable NDPP Enforcement for Syslog Server option.
16
Click Accept.
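As an added example (not SonicWall's code), the following Python checks a received Default-format message against the settings above: it validates a candidate Syslog ID against the 0 to 32 alphanumeric/underscore rule, decodes the facility and severity from the standard syslog PRI value, and reports whether the id= field and facility match what was configured. The sample lines are constructed, and the facility-number-to-name mapping assumes the drop-down lists facilities in RFC 3164 order (Local Use 0 = 16), which the guide does not state.

```python
import re
from typing import Dict, List

# RFC 3164 facility numbers 0-23 mapped to the labels in the SonicOS Syslog
# Facility drop-down (assumption: the drop-down follows RFC order, so
# Local Use 0 = 16 ... Local Use 7 = 23).
FACILITY_NAMES = {
    0: "Kernel", 1: "User-Level Messages", 2: "Mail System",
    3: "System Daemons", 4: "Security/Authorization Messages",
    5: "Messages Generated Internally by syslogd", 6: "Line Printer Subsystem",
    7: "Network News Subsystem", 8: "UUCP Subsystem", 9: "Clock Daemon (BSP Linux)",
    10: "AUTHPRV Security/Authorization Messages", 11: "FTP Daemon",
    12: "NTP Subsystem", 13: "Log Audit", 14: "Log Alert",
    15: "Clock Daemon (Solaris)", **{16 + i: f"Local Use {i}" for i in range(8)},
}

# Syslog ID rule from the guide: 0 to 32 alphanumeric and underscore characters.
SYSLOG_ID_RE = re.compile(r"^[A-Za-z0-9_]{0,32}$")
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# key=value pairs; values may be double-quoted and then contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def valid_syslog_id(candidate: str) -> bool:
    """True if the candidate satisfies the Syslog ID field rule."""
    return SYSLOG_ID_RE.match(candidate) is not None


def parse_message(raw: str) -> Dict[str, object]:
    """Split a message into PRI-derived values and its key=value fields."""
    m = PRI_RE.match(raw)
    if m is None:
        raise ValueError("message lacks a <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities (0-23) * 8 severities - 1
        raise ValueError(f"PRI {pri} out of range")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {"facility": pri // 8, "severity": pri % 8,
            "facility_name": FACILITY_NAMES[pri // 8], "fields": fields}


def check_message(raw: str, expected_id: str = "firewall",
                  expected_facility: int = 16) -> List[str]:
    """Return the mismatches between a received message and the configured settings."""
    parsed = parse_message(raw)
    problems = []
    got_id = parsed["fields"].get("id")
    if got_id != expected_id:
        problems.append(f"id={got_id!r}, configured Syslog ID is {expected_id!r}")
    if parsed["facility"] != expected_facility:
        problems.append(f"facility {parsed['facility_name']}, expected "
                        f"{FACILITY_NAMES[expected_facility]}")
    return problems


# Constructed sample lines (not captured from an appliance): 134 = 16*8 + 6,
# i.e. Local Use 0 / Informational; 38 = 4*8 + 6 with a non-default Syslog ID.
SAMPLE_OK = ('<134>id=firewall sn=000000000000 time="2024-01-01 12:00:00" '
             'pri=6 m=98 msg="Connection Opened" src=192.0.2.10:51515 dst=198.51.100.5:443')
SAMPLE_BAD = '<38>id=fw_lab sn=000000000000 pri=6 m=98 msg="Connection Opened"'
```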

Syslog Servers

The Syslog Servers table has these columns:

Event Profile - Profile configured for the Syslog Server.
Server Name - IP address and name of the Syslog Server.
Server Port - Port of the Syslog Server.
Server Facility - Server Facility of the Syslog Server; for a list of Server Facilities, see Syslog Facility.
Server Format - Format expected by the Syslog Server:
Default (default)
WebTrends
Enhanced Syslog
ArcSight
Server ID - ID configured for the Syslog Server; default is firewall.
Enable - Indicates whether the Syslog Server is enabled and allows you to enable or disable the sending of Syslog messages to a specific Syslog Server.
Configure - Contains the Edit and Delete icons for a Syslog Server. As a GMS server cannot be deleted or configured through the Log > Syslog page, these two icons are dimmed.

Global settings affect all servers. For example, a change in a global format changes the format of all the servers to the selected value.

Adding a Syslog Server

To add a Syslog server to the firewall:
1
Go to the Log > Syslog page.
2
Go to the Syslog Servers section.

3
Click Add. The Add Syslog Server dialog appears.

4
Specify the Event Profile for this server in the Event Profile field. The minimum value is 0 (1 group), the maximum is 23 (24 groups), and the default is 0. Each group can have a maximum of 7 Syslog servers.
* 
NOTE: For GMS, the Event Profile must be 0.
5
Select the Syslog server name or IP address from the Name or IP Address drop-down menu. Messages from the firewall are then sent to the servers.
6
If your Syslog server does not use default port 514, type the port number in the Port Number field.
7
Select the Syslog format from the Syslog Format drop-down menu. The default is Default; for all the options, see Syslog formats.
* 
NOTE: For GMS, the Syslog format must be Default.
8
Select the Syslog Facility from the Syslog Facility drop-down menu. The default is Local Use 0; for all the Syslog Facilities, see Syslog Facility.
* 
NOTE: For GMS, the Syslog Facility must be Local Use 0.
9
Optionally, to limit events logged and thus prevent the internal or external logging mechanism from being overwhelmed by log events, select the Enable Event Rate Limiting checkbox.
* 
NOTE: Event rate limiting is applied regardless of Log Priority of individual events.
a
Specify the maximum number of events in the Maximum Events Per Second field; the minimum is 0, the maximum is 1000, and the default is 1000 events per second.
10
Optionally, to limit events logged and thus prevent the internal or external logging mechanism from being overwhelmed by log events, select the Enable Data Rate Limiting checkbox.
* 
NOTE: Data rate limiting is applied regardless of Log Priority of individual events.
a
Specify the maximum number of bytes in the Maximum Bytes Per Second field; the minimum is 0, the maximum is 1000000000, and the default is 10000000 bytes per second. This control limits data logged to prevent the internal or external logging mechanism from being overwhelmed by log events.
11
To bind to a VPN tunnel and create a network monitor policy in NDPP mode:
a
Optionally, choose an interface from the Local Interface drop-down menu.
b
Optionally, choose an interface from the Outbound Interface drop-down menu.
12
Click OK.
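As an added example (not SonicWall's code) of what the per-server Event Rate Limiting and Data Rate Limiting settings in Steps 9 and 10 do, the following Python replays a constructed burst of events through a limiter that counts events and bytes per one-second window and drops anything over either limit, without looking at event priority. The fixed one-second window, the drop behaviour and the priority numbering are assumptions for this model; the guide gives only the limits and their defaults.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SyslogEvent:
    ts: float   # arrival time in seconds (constructed sample values below)
    pri: int    # event priority, assumed 0 = Emergency ... 7 = Debug; not consulted
    msg: str


@dataclass
class RateLimiter:
    """Per-second event and byte limiter modelled on the two per-server settings.

    Assumption (not stated in the guide): limits apply to fixed one-second
    windows, and a message that would exceed either limit is dropped.
    """
    max_events_per_sec: int = 1000        # guide default
    max_bytes_per_sec: int = 10_000_000   # guide default
    _window: int = field(default=-1, init=False)
    _events: int = field(default=0, init=False)
    _bytes: int = field(default=0, init=False)

    def admit(self, ev: SyslogEvent) -> bool:
        window = int(ev.ts)
        if window != self._window:            # new second: reset both counters
            self._window, self._events, self._bytes = window, 0, 0
        size = len(ev.msg.encode("utf-8"))
        # Priority is deliberately ignored: the guide notes that both limits
        # apply regardless of the Log Priority of individual events.
        if self._events + 1 > self.max_events_per_sec:
            return False
        if self._bytes + size > self.max_bytes_per_sec:
            return False
        self._events += 1
        self._bytes += size
        return True


def apply_limits(events: List[SyslogEvent], max_events_per_sec: int = 1000,
                 max_bytes_per_sec: int = 10_000_000
                 ) -> Tuple[List[SyslogEvent], List[SyslogEvent]]:
    """Replay events in arrival order; return (sent, dropped)."""
    limiter = RateLimiter(max_events_per_sec, max_bytes_per_sec)
    sent, dropped = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        (sent if limiter.admit(ev) else dropped).append(ev)
    return sent, dropped


# Constructed burst: four events inside second 100, one in second 101.
SAMPLE_EVENTS = [
    SyslogEvent(100.0, 6, "Connection Opened"),
    SyslogEvent(100.2, 6, "Connection Opened"),
    SyslogEvent(100.4, 6, "Connection Closed"),
    SyslogEvent(100.6, 1, "Administrator login failed"),  # Alert, but last in burst
    SyslogEvent(101.1, 6, "Connection Opened"),
]

if __name__ == "__main__":
    sent, dropped = apply_limits(SAMPLE_EVENTS, max_events_per_sec=3)
    print(f"sent={len(sent)} dropped={len(dropped)} "
          f"dropped priorities={[e.pri for e in dropped]}")
```

With the event limit set to 3, the Alert-priority event at 100.6 is the one dropped, which is the practical consequence of rate limiting ignoring priority: size the limits for peak volume rather than relying on important events surviving a burst.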

Editing a Syslog Server

To edit a Syslog Server:
1
Click the Edit icon in the Configure column. The Edit Syslog Server dialog displays.

2
Follow Step 4 through Step 12 in Adding a Syslog Server as appropriate.

Enabling Syslog Servers

* 
IMPORTANT: You can enable a GMS Syslog Server only on the System > Administration page; see Advanced Management.
To enable a single Syslog Server:
1
Select the checkbox in the Enable column.
To enable all Syslog Servers:
1
Click the Enable All button.

Disabling Syslog Servers

* 
IMPORTANT: You can disable a GMS Syslog Server only on the System > Administration page; see Advanced Management.
To disable a single Syslog Server:
1
Deselect the checkbox in the Enable column.
To disable all Syslog Servers:
1
Click the Disable All button.

Deleting Syslog Servers

* 
IMPORTANT: You can delete a GMS Syslog Server only on the System > Administration page; see Advanced Management.
To delete a single Syslog Server:
1
Select the Delete icon in the Configure column.
To delete all Syslog Servers:
1
Click the Disable All button.


Configuring Log Automation

Log > Automation

The Log > Automation page includes settings for configuring the SonicWall to send log files using Email and configuring mail server settings.


Email Log Automation

Send Log to Email address - To receive the event log via email, enter your email address (username@mydomain.com). Once sent, the log is cleared from the SonicWall memory. If this field is left blank, the log is not emailed.
Send Alerts to Email address - To be emailed immediately when attacks or system errors occur, enter your email address (username@mydomain.com) as a standard email address or an email paging service. If this field is left blank, email alert messages are not sent.
Send User Creation and Enablement Notification to E-mail Address - To be emailed immediately when a user has been created and enabled, enter your email address (username@mydomain.com). If this field is left blank, email notifications are not sent.
Send Log - Determines the frequency of sending log files. The options in the drop-down menu are:
When Full (default)
Weekly - Select the day of the week the log is sent in the every drop-down menu and enter the time of day in 24-hour format in the At field.
Daily - Enter the time of day the log is to be sent in 24-hour format in the At field.
Email Format - Select whether log emails will be sent in Plain Text or HTML format from the drop-down menu.
Include All Log Information - Select to have all information included in the log report.

Health Check E-mail Notification

The Health Check E-mail Notification section enables you to create a predefined email notification with a set subject and body at the times specified by the selected schedule.

To set up a Health Check E-mail Notification:
1
From the E-mail Schedule drop-down menu, select a pre-defined schedule, Create a new schedule, or Disabled.
2
In the Send to E-mail Address field, enter the email address of the recipient(s) to notify.
3
In the E-mail Subject field, enter the subject of the email.
4
In the E-mail Body field, enter the body of email.

Mail Server Settings

The mail server settings allow you to specify the name or IP address of your mail server, the From Email address, and the authentication method.

Mail Server (name or IP address) - Enter the IP address or FQDN of the email server used to send your log emails in this field.
* 
NOTE: If the Mail Server (name or IP address) is left blank, log and alert messages are not emailed.
Advanced - The Advanced button displays the Log Mail Address Setting dialog.

SMTP Port - Enter the SMTP port used for email. The default port number is 25.
Connection Security Method - Select a security method for the email from the drop-down menu:
None (default)
SSL/TLS
STARTTLS
Enable SMTP Authentication - Select to enable SMTP authentication for the emails, then enter the following. This option is disabled by default.
Username
Password
From Email Address - Enter the Email address you want to display in the From field of the message.
Authentication Method - You can use the default None or select POP Before SMTP.

Solera Capture Stack

Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time-sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.

To configure your firewall with Solera:
1
Select the Enable Solera Capture Stack Integration option. The options in this section become available.
2
Select the host for the Solera server from the Server drop-down menu. You can dynamically create the host by selecting Create New Host….
3
From the Protocol drop-down menu, select either HTTP or HTTPS. The default is HTTPS.
4
In the Port field, enter the port number for connecting to the Solera server. The default port is 443.
5
In the DeepSee Base URL field, define the format for the base URL for the DeepSee path. The format can include special tokens; in the actual URL, the special tokens are replaced with the actual values. A default format is given.

The following tokens can be used in the DeepSee Base URL and PCAP Base URL fields:

$host - server name or IP address that has the data
$port - HTTP/HTTPS port number where the server is listening
$usr - user name for authentication
$pwd - password for authentication
$start - start date and time
$stop - stop date and time
$ipproto - IP protocol
$scrip - source IP address
$dstip - destination IP address
$srcport - source port
$dstport - destination port
6
In the PCAP Base URL field, define the format for the base URL for the PCAP path. The format can include special tokens; in the actual URL, the special tokens are replaced with the actual values. For these tokens and their definitions, see Step 5. A default format is given.
7
In the Base64-encoded Link Icon field, define the Base64-encoded GIF image to be used as a desktop shortcut to the Solera server. Ensure the icon is valid and the size is as small as possible. A default icon is given.
8
From the Address to link from E-mail Alerts drop-down menu, select either Default LAN (default) or Default WAN.


Configuring Name Resolution

Log > Name Resolution

* 
TIP: The Log > Name Resolution page includes settings for configuring the name servers used to resolve IP addresses and server names in the log reports.

The SonicWall network security appliance uses a DNS server or NetBIOS to resolve all IP addresses in log reports into server names. It stores the name/address pairs in a cache to assist with future lookups. You can clear the cache by clicking Reset Name Cache at the top of the Log > Name Resolution page.


Selecting Name Resolution Settings

The firewall appliance can use DNS, NetBIOS, or both to resolve IP addresses and server names.

In the Name Resolution Method list, select:

None: The security appliance will not attempt to resolve IP addresses and Names in the log reports.
DNS: The security appliance will use the DNS server you specify to resolve addresses and names.
NetBIOS: The security appliance will use NetBIOS to resolve addresses and names. If you select NetBIOS, no further configuration is necessary.
DNS then NetBIOS: The security appliance will first use the DNS server you specify to resolve addresses and names. If it cannot resolve the name, it will try again with NetBIOS.

Specifying the DNS Server

You can choose to specify DNS servers, or to use the same servers as the WAN zone.

1
Select Specify DNS Servers Manually or Inherit DNS Settings Dynamically from WAN Zone. The second choice is selected by default.
2
If you selected to specify a DNS server, enter the IP address for at least one DNS server on your network. You can enter up to three servers.
3
Click Accept in the top left corner of the Log > Name Resolution page to make your changes take effect.

Generating Log Reports

* 
NOTE: The Log > Reports page does not apply to the SuperMassive 9800.

Log > Reports

The firewall can perform a rolling analysis of the event log to show the top 25 most frequently accessed Web sites, the top 25 users of bandwidth by IP address, and the top 25 services consuming the most bandwidth. You can generate these reports from the Log > Reports page.

* 
NOTE: SonicWall Analyzer provides a comprehensive Web-based reporting solution for firewalls. For more information on SonicWall Analyzer, go to http://www.sonicwall.com.

Data Collection

The Log > Reports page includes these functions and commands:

Data Collection section

Click Start Data Collection to begin log analysis. When log analysis is enabled, the button label changes to Stop Data Collection.

View Data Section

Click Reset Data to clear the report statistics and begin a new sample period. The sample period is also reset when data collection is stopped or started, and when the firewall is restarted.

View Data

Select the desired report from the Report View menu. The options are Web Site Hits, Bandwidth Usage by IP Address, and Bandwidth Usage by Service. These reports are explained below. Click Refresh Data to update the report. The length of time analyzed by the report is displayed in the Current Sample Period.


Web Site Hits

Selecting Web Site Hits from the Report View menu displays a table showing the URLs for the 25 most frequently accessed Web sites and the number of hits to a site during the current sample period.

The Web Site Hits report helps you verify that the majority of Web access is to appropriate Web sites. If leisure, sports, or other inappropriate sites appear in the Web Site Hits report, you can choose to block the sites. For information on blocking inappropriate Web sites, see Security Services > Content Filter.

Click on the name of a Web site to open that site in a new window.

Bandwidth Usage by IP Address

Selecting Bandwidth Usage by IP Address from the Report View menu displays a table showing the IP address of the 25 top users of Internet bandwidth and the number of megabytes transmitted during the current sample period.

Bandwidth Usage by Service

Selecting Bandwidth Usage by Service from the Report View menu displays a table showing the name of the 25 top Internet services, such as HTTP, FTP, RealAudio, etc., and the number of megabytes received from the service during the current sample period.

The Bandwidth Usage by Service report shows whether the services being used are appropriate for your organization. If services such as video or push broadcasts are consuming a large portion of the available bandwidth, you can choose to block these services.

Configuring the Log Analyzer

Log > Log Analyzer

The Log > Log Analyzer page enables you to add the IP address and port number of your Analyzer server.

To add an analyzer server connection to your firewall:
1
Go to the Log > Log Analyzer page.
2
Click the Add button. The Add Syslog Server dialog appears.

3
From the Name or IP Address drop-down menu, select the item that you want, or select Create New Address Object.
4
In the Port field, enter the port number for the analyzer.
5
(Optional) To connect to your analyzer through a VPN tunnel, under Bind to VPN Tunnel and Create Network Monitor Policy in NDPP Mode:
1)
From the Local Interface drop-down menu, choose an interface.
2)
From the Outbound Interface drop-down menu, choose a tunnel interface.
6
Click OK.
* 
NOTE: For information about configuring and managing your Analyzer, refer to the Analyzer User's Guide.