SonicOS 8: Encrypted Syslog FAQ

Description

Why would I need encrypted syslog if my SIEM is on the internal network?

Even when the SIEM (Security Information and Event Management system) sits on the internal network, plaintext syslog traffic poses a risk. Firewall logs contain security-relevant information, including policy hits, user authentication events, and threat detections. An attacker who gains a foothold on the internal network can intercept and analyze plaintext syslog traffic to understand the security policy, identify gaps, or time attacks to avoid detection windows. Encrypted syslog over Transport Layer Security (TLS) removes this exposure. Encrypted syslog is also increasingly required by compliance frameworks such as PCI-DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and ISO 27001, regardless of network segment.

What TLS version does SonicOS 8 use for syslog encryption?

SonicOS 8 supports both TLS 1.2 and TLS 1.3 for encrypted syslog transport, conforming to RFC 5425 (TLS Transport Mapping for Syslog). TLS 1.3 is preferred for new deployments as it provides stronger security and lower handshake overhead. TLS 1.2 is supported for compatibility with SIEM platforms and log collectors that have not yet been updated to support TLS 1.3.

What does the ‘Ignore TLS Certificate Error’ option do in the syslog server configuration?

When TLS is selected as the syslog protocol, the firewall validates the syslog server’s certificate during the TLS handshake. If the server uses a self-signed certificate or one issued by a Certificate Authority (CA) not in the firewall’s trust store, the connection fails certificate validation. Enabling ‘Ignore TLS Certificate Error’ allows the firewall to establish the TLS connection even when the server’s certificate cannot be fully validated. This is useful in lab or internal environments where a full Public Key Infrastructure (PKI) is not deployed. For production deployments, this option should remain disabled and the syslog server should present a certificate from a trusted CA, so that the firewall is encrypting logs to an authenticated destination rather than to whatever endpoint answers on the syslog port.

What happens if the syslog server becomes unreachable? Does the firewall keep logging?

SonicOS 8 operates in fail-secure mode for encrypted syslog. Fail-open mode is not supported. If the TLS connection to the syslog server cannot be established or the server becomes unreachable, the firewall stops log transmission rather than falling back to plaintext delivery. While the connection is unavailable, SonicOS 8 buffers up to 256 log entries per data plane (DP). Once connectivity is restored, the buffered logs are delivered. This design prioritizes log confidentiality over transmission continuity: the firewall holds logs rather than sending them unencrypted.
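The following is an added illustration of the fail-secure policy described above, written for this page rather than taken from SonicOS. It models a forwarder that only ever hands entries to an encrypted transport, holds up to 256 entries while that transport is down, and replays them in order when it returns. The transport is a constructed stand-in so the example runs offline; the choice to discard the newest entry when the buffer is full is an assumption, since the FAQ does not state which entries are dropped.

```python
"""Fail-secure buffered syslog forwarder (added example, not SonicOS code)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List

BUFFER_LIMIT = 256  # per-data-plane buffer size stated in the FAQ


class TransportUnavailable(Exception):
    """Raised by the encrypted transport when the TLS session cannot be used."""


@dataclass
class FailSecureForwarder:
    # send(entry) must deliver over TLS or raise TransportUnavailable.
    # There is deliberately no plaintext fallback path anywhere in this class.
    send: Callable[[bytes], None]
    buffer: Deque[bytes] = field(default_factory=lambda: deque(maxlen=BUFFER_LIMIT))
    dropped: int = 0

    def submit(self, entry: bytes) -> str:
        """Send an entry, or buffer it if the transport is down.

        Returns 'sent', 'buffered' or 'dropped'.
        """
        if self.buffer:
            # Preserve ordering: new entries queue behind ones already waiting.
            return self._enqueue(entry)
        try:
            self.send(entry)
            return "sent"
        except TransportUnavailable:
            return self._enqueue(entry)

    def _enqueue(self, entry: bytes) -> str:
        if len(self.buffer) == self.buffer.maxlen:
            self.dropped += 1  # assumption: newest entry is discarded when the buffer is full
            return "dropped"
        self.buffer.append(entry)
        return "buffered"

    def flush(self) -> int:
        """Replay buffered entries in order; stop at the first transport failure."""
        sent = 0
        while self.buffer:
            try:
                self.send(self.buffer[0])
            except TransportUnavailable:
                break
            self.buffer.popleft()
            sent += 1
        return sent


class FlakyTlsTransport:
    """Constructed stand-in for the TLS session: refuses traffic until .up is True."""

    def __init__(self) -> None:
        self.up = False
        self.delivered: List[bytes] = []

    def send(self, entry: bytes) -> None:
        if not self.up:
            raise TransportUnavailable("syslog server unreachable")
        self.delivered.append(entry)


def demo(total_events: int = 300) -> Dict[str, int]:
    """Generate events while the link is down, then restore it and flush."""
    link = FlakyTlsTransport()
    fwd = FailSecureForwarder(send=link.send)
    results = [fwd.submit(f"<134>1 - fw1 - - - event {i}".encode()) for i in range(total_events)]
    link.up = True
    flushed = fwd.flush()
    return {
        "buffered": results.count("buffered"),
        "dropped": results.count("dropped"),
        "flushed": flushed,
        "delivered": len(link.delivered),
        "still_queued": len(fwd.buffer),
    }


if __name__ == "__main__":
    print(demo())
```

With 300 events generated during the outage, 256 are held and 44 are dropped; once the link returns, all 256 are replayed and nothing was ever sent in the clear. The same structure applies to any forwarder you build in front of a collector: the only path out is the authenticated, encrypted one.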

Does encrypted syslog work with our existing SIEM (Splunk, QRadar, Microsoft Sentinel)?

Yes, with an important clarification: SonicOS 8 encrypted syslog supports the standard syslog protocol only (RFC 5425, TLS over TCP). There is no proprietary SIEM connector or vendor-specific integration. Major SIEM platforms are compatible because they all support receiving standard syslog over TLS. Splunk, IBM QRadar, and Microsoft Sentinel can each ingest RFC 5425 syslog through their standard syslog input mechanisms. SonicOS 8 provides four syslog format options to aid SIEM parsing: Default (SonicWall native format), WebTrends, Enhanced Syslog, and ArcSight (Common Event Format). The format selected should match the parser configured on the receiving SIEM.
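Because every platform named above ingests the same RFC 5425 stream, the one thing a collector must get right is the framing. RFC 5425 prefixes each message with its octet count ("MSG-LEN SP SYSLOG-MSG"), and TLS does not preserve message boundaries, so a receiver has to split the byte stream on those counts. The parser below is an added example written for this page (not SonicOS or SIEM vendor code); the 64 KiB cap on frame size is an assumption added so a misbehaving peer cannot force unbounded buffering.

```python
"""RFC 5425 octet-counting framing for syslog over TLS (added example)."""
from typing import List


def frame(msg: bytes) -> bytes:
    """Build a TLS-SYSLOG-MSG frame: decimal octet count, one space, the message."""
    if not msg:
        raise ValueError("empty SYSLOG-MSG is not allowed")
    return f"{len(msg)} ".encode("ascii") + msg


class FrameParser:
    """Incremental receiver-side parser.

    feed() accepts whatever the TLS socket returned, emits every complete
    message, and keeps any trailing partial frame for the next call.
    """

    MAX_LEN = 64 * 1024   # assumption: reject frames larger than this
    MAX_DIGITS = 6        # enough digits to express MAX_LEN

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, data: bytes) -> List[bytes]:
        self._buf += data
        out: List[bytes] = []
        while True:
            sp = self._buf.find(b" ")
            if sp == -1:
                # No complete MSG-LEN yet; if it is already too long, it is garbage.
                if len(self._buf) > self.MAX_DIGITS:
                    raise ValueError("malformed MSG-LEN")
                break
            length_str = self._buf[:sp]
            # MSG-LEN = NONZERO-DIGIT *DIGIT
            if not length_str.isdigit() or length_str[:1] == b"0":
                raise ValueError("malformed MSG-LEN")
            length = int(length_str)
            if length > self.MAX_LEN:
                raise ValueError("frame too large")
            end = sp + 1 + length
            if len(self._buf) < end:
                break  # wait for the rest of this frame
            out.append(self._buf[sp + 1:end])
            self._buf = self._buf[end:]
        return out


def parse_stream(chunks: List[bytes]) -> List[bytes]:
    """Convenience wrapper: parse a sequence of socket reads into messages."""
    parser = FrameParser()
    messages: List[bytes] = []
    for chunk in chunks:
        messages.extend(parser.feed(chunk))
    return messages


if __name__ == "__main__":
    # Constructed sample: two RFC 5424-style messages, framed then split mid-frame.
    sample = [b"<134>1 2024-01-01T00:00:00Z fw1 - - - policy hit", b"<13>1 - - - - - x"]
    stream = b"".join(frame(m) for m in sample)
    print(parse_stream([stream[:10], stream[10:]]))
```

A SIEM's syslog-over-TLS input does exactly this before it ever sees the Default, Enhanced Syslog, WebTrends or CEF payload, which is why the format selection only affects the parser applied to the message body, not the transport.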

Does the syslog server need a certificate installed for TLS to work, and when do I need to import anything into SonicWall?

The TLS certificate must be installed and configured on the syslog server and not on the SonicWall firewall. However, the firewall does validate the server certificate as part of the TLS handshake, so the following applies: If the syslog server uses a certificate signed by a well-known public CA, and that CA is included in SonicWall's built-in trusted CA list, the TLS connection is established automatically with no additional configuration required on the firewall. If the syslog server uses a self-signed certificate, the firewall will not trust it by default. In this case, the self-signed certificate must be imported into the SonicWall certificate store so the firewall can trust it.

For detailed import steps, refer to: https://www.sonicwall.com/support/technical-documentation/docs/sonicos-7-0-0-0-device_settings/Content/Topics/Certificates/certificates-local-importing.htm (applicable to SonicOS 8.2 as well).

Alternatively, if importing is not practical, the "Ignore TLS Certificate Error" option in the syslog server configuration can be enabled to bypass certificate validation. Note that this removes the certificate trust check and should only be used in controlled environments.
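To make the two postures concrete, here is an added example (written for this page, not SonicOS or vendor code) showing how a syslog-over-TLS client is configured in each case using Python's standard `ssl` module. The verified context is the production posture: it authenticates the server against the system trust store or against a supplied CA or self-signed certificate, which is the client-side equivalent of importing that certificate into the firewall's store. The second context reproduces what 'Ignore TLS Certificate Error' does: the session is still encrypted, but the peer is not authenticated. Port 6514 is the RFC 5425 default; the hostname and `send_one` call are illustrative only.

```python
"""Verified versus 'ignore certificate errors' TLS client contexts (added example)."""
import socket
import ssl
from typing import Dict, Optional

SYSLOG_TLS_PORT = 6514  # default port assigned by RFC 5425


def verified_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Production posture: full chain and hostname validation.

    ca_file may point at a private CA or at the server's self-signed certificate;
    either makes that certificate trusted, the same effect as importing it into
    the firewall's certificate store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.2/1.3 only, as in the FAQ
    # create_default_context already sets verify_mode=CERT_REQUIRED, check_hostname=True
    return ctx


def ignore_cert_errors_context() -> ssl.SSLContext:
    """Lab posture equivalent to 'Ignore TLS Certificate Error'.

    Encryption is still negotiated, but any certificate is accepted, so the
    client cannot tell the real collector from something else on port 6514.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarize what a context actually guarantees, for review or auditing."""
    return {
        "encrypts": True,
        "authenticates_server": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
    }


def send_one(host: str, msg: bytes, ctx: ssl.SSLContext) -> str:
    """Deliver a single RFC 5425 frame and return the negotiated TLS version.

    Illustrative only; requires a reachable collector and is not exercised here.
    """
    with socket.create_connection((host, SYSLOG_TLS_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"{len(msg)} ".encode("ascii") + msg)
            return tls.version() or "unknown"


if __name__ == "__main__":
    for name, ctx in (("verified", verified_context()),
                      ("ignore-cert-errors", ignore_cert_errors_context())):
        print(name, describe(ctx))
```

Running the summary side by side makes the trade-off explicit: both contexts report `encrypts: True`, but only the verified one reports `authenticates_server: True`. If a self-signed collector certificate is unavoidable, passing it as `ca_file` keeps authentication while still avoiding a public CA.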


Where is the Encrypted Syslog feature configured in the administration interface?

https://www.sonicwall.com/support/technical-documentation/docs/sonicos8-device_log/Content/Logs_Syslog/logs-syslog-adding-syslogserver.htm

