Configuring Syslog Server with custom event profile on SonicWall

This article explains how to configure a syslog server on a SonicWall firewall using a custom event profile to send specific event logs to a different syslog server. Note: This setup is distinct from configuring an AppFlow server.

Pre-requisite:

•  Must have GMS server or On-Prem Analytics server installed and configured.
• Have an Address Object created on the Firewall for the SonicWall Analytics system.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

1. Navigate to Device|Log|Syslog
2. Select Syslog Servers and Click on Add
   
   
3. Select the Name or IP address of the Syslog server from the dropdown.
   
   
   
4.  Select Event Profile as 1
5. Select Syslog Format as 'Enhanced'.
6. Syslog Facility as Local Use 1
7. Click ‘OK’.

Now, apply the customer event profile to the event logs

1.  Navigate to Device|Log|Settings
   
   
   
   
2. Edit the log Category you want to use for syslog for a different event profile.
   
   
3. For example, I edited the category Firewall.
4. Set Use This Syslog Server Profile as 1
5. Click on Save

For testing, set up packet capture based on syslog port UDP 514 and generate traffic based on the event type.

1. Navigate to Monitor|Tools &  Monitor|Packet Monitor
2. Navigate to Advanced monitor filter tab and enable all the check boxes
3. Click on Save and start the packet capture
   
   

Test Results snap:

• Here, Source 192.168.x.x is the firewall generating the syslog traffic and forwarding it to the syslog server 192.168.x.x on UDP port 514.