SMA1000: Management Audit Logs Not Visible on Remote Syslog Server

Description

The SonicWall SMA 1000 series supports forwarding log data to a remote syslog server for centralized monitoring. However, not all log categories are forwarded via syslog. Management audit logs — which record administrative actions taken within the AMC — are not included in the syslog feed. This is by design. This article explains which log types are forwarded, which are not, and how to access the full audit trail.

 

Resolution

Syslog Log Forwarding Summary

| Log Category | Forwarded to Syslog | Notes |
|---|---|---|
| User login / logout events | Yes | Includes username, realm, source IP, timestamp, and session duration. |
| VPN tunnel connection events | Yes | Includes tunnel type (Connect Tunnel, Mobile Connect), assigned IP. |
| Access policy evaluation | Yes | Includes allow/deny decisions and matched policy rules. |
| Management audit logs | No | Administrative actions (configuration changes, user management) are logged only in the AMC and on-appliance log files. |
| System events | Yes | Includes HA failover, firmware updates, certificate expiration warnings. |
| EPC evaluation results | Yes | Includes pass/fail per EPC policy rule per user session. |

View Management Audit Logs

To view the full management audit log, use one of the following methods:

Method 1: AMC Dashboard

  1. Log in to the SMA1000 AMC.
  2. Navigate to Dashboard > Logs (or System Configuration > Maintenance > Logs, depending on firmware version).
  3. Filter by log type to view management audit entries. These logs include all configuration changes, user account modifications, and administrative login/logout events.

Method 2: SSH / CLI

  1. Connect to the SMA1000 appliance via SSH.
  2. Review the audit log file at /var/log/aventail/policy_audit.log (path may vary by firmware version).
  3. Use standard Linux tools (grep, tail, less) to search and filter log entries.

Important: The management audit log path on the filesystem may differ between firmware versions. If the path above does not exist, check /var/log/audit/ or consult the SMA1000 administration guide for your firmware version. The AMC dashboard method is the most reliable way to access these logs regardless of firmware version.
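
The Method 2 steps and the path fallback described above, written as a small shell helper. This is an added example, not SonicWall code: the function names, the ROOT argument and the sample log lines are assumptions, and the real log line format is not shown in this article.

```shell
#!/bin/sh
# Added example, not SonicWall code. The ROOT argument is hypothetical:
# leave it empty on the appliance, or point it at a copied log tree for
# offline review.

# Print the first readable audit log: the article's path first, then any
# regular file in the fallback directory /var/log/audit/.
find_audit_log() {
    root="${1:-}"
    primary="$root/var/log/aventail/policy_audit.log"
    if [ -f "$primary" ] && [ -r "$primary" ]; then
        printf '%s\n' "$primary"
        return 0
    fi
    for f in "$root"/var/log/audit/*; do
        if [ -f "$f" ] && [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    echo "no management audit log under ${root:-/}; use the AMC log viewer" >&2
    return 1
}

# Print the most recent entries matching a case-insensitive extended regex.
# Usage: audit_search PATTERN [ROOT] [MAX_LINES]
audit_search() {
    log=$(find_audit_log "${2:-}") || return 1
    grep -i -E -- "$1" "$log" | tail -n "${3:-50}"
}

# Build a constructed sample tree that only has the fallback directory.
# The line layout is invented for the demo; the real format is not shown
# in the article and may differ.
make_constructed_sample() {
    mkdir -p "$1/var/log/audit"
    cat > "$1/var/log/audit/audit.log" <<'EOF'
2024-01-15 10:02:11 admin=alice action=login result=success
2024-01-15 10:05:42 admin=alice action=modify object=access_rule
2024-01-15 10:09:03 admin=bob action=create object=user
2024-01-15 10:12:30 admin=alice action=logout
EOF
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_constructed_sample "$tmp"
    audit_search 'action=(modify|create)' "$tmp"
    rm -rf "$tmp"
fi
```

Run the script with the argument demo to see the filter applied to the constructed sample; on the appliance, source it and call audit_search with a pattern only.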
