SonicWall Network (syslog)

Set up the SonicWall connector for syslog forwarding.

Overview

In this guide, you will set up the SonicWall connector within Radiant Security. This guide also provides steps for configuring syslog on the firewall itself, which is required in order to forward SonicWall logs to Radiant Security.

To complete this configuration, you’ll need to complete the following steps:

ℹ️ Note: SonicWall does not have the capability of sending logs using TCP and Secure Syslog without the use of an intermediary syslog relay server.

Prerequisites

  • SonicWall: Full Admin User in Config Mode

Add the data connector in Radiant Security

1.   Log in to Radiant Security.

 
2.   From the navigation menu, click Settings > Data Connectors and click + Add Connector.
3.   Search for and select the SonicWall Firewall option and then click Data Feeds.
4.   Select the Sonicwall Firewall Syslog data feed and then click Credentials.
5.   Under Credential Name, give the credential an identifiable name (e.g. Sonicwall Credentials). If you already have a credential in place, select it from the drop-down menu.   
6.   In the Connector tag field, enter a random value. This value will act as the salt to randomize the unique Token you’ll download in the next step.
7.   Click Add Connector.  
8.   Copy and save the Token value using the clipboard option or download the Token file. Download the SSL certificate, as you will need it when configuring the syslog source (Sonicwall Firewall) in the next section.

 

9.   Click Done to save your changes.  

Configure a local Radiant Security Syslog Collector

Refer to the Deploy a Radiant Security Syslog Collector guide to set up a local Radiant Syslog Collector.

Configure the SonicWall Firewall

  1. Log in to your SonicWall Firewall.
  2. On the top navigation bar, click Device.
  3. On the left navigation list, click Log > Settings.
  4. Set the Logging Level as Informative, and the Alert Level as Alert. Click Accept to save the changes.
  5. On the Category column, expand the Network category and then expand TCP.
  6. Enable the Syslog toggle for the following entries, while leaving the rest as default:
    1. TCP LAN DENY
    2. TCP Connection Reject
    3. TCP Connection Abort
  7. On the TCP Connection Reject and TCP Connection Abort entries, click the debug text under the Priority column, and change it to inform.

  8. Still under Network, expand the UDP category to make sure the three entries have the Syslog toggle enabled. If not, enable all three of them.

  9. Click Accept to save the changes.

  10. On the left navigation list, click Log > Syslog.


  11. Click Enhanced Syslog Fields Settings and verify that each field is toggled on. Click Save.

  12. Click Syslog Servers, and then click Add. Fill in the page with the following details:

    1. Event Profile: 0
    2. Name or IP Address: Enter the name or IP address of your syslog server.

  13. Click Create an Address Object and add the following settings:

    1. Name: Radiant Security Syslog Connector
    2. Zone Assignment: LAN
    3. Type: Host
    4. IP Address: Enter the IP address of the Radiant Security Syslog connector deployed previously.


  14. Click Save and then click Go Back.

  15. Continue adding the remaining settings:

    1. Port: 514
    2. Server Type: Syslog Server
    3. Syslog Format: Enhanced Syslog
    4. Syslog Facility: Local use 0
    5. Syslog ID: Token provided by Radiant Security in step 5 of the Add the data connector in Radiant Security section
    6. Enable Event Rate Limiting: Disabled
    7. Enable Data Rate Limiting: Disabled

  16. Click Add to save your changes.
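
To confirm the settings above took effect, the following added example (not Radiant Security or SonicWall code) checks lines captured on the syslog collector against the values configured in this guide: facility Local use 0, no debug-priority events, and the connector Token as Syslog ID. It assumes the firewall sends an RFC 3164 style `<PRI>` prefix and places the Syslog ID in an `id=` field; the token and log lines are constructed samples.

```python
import re
import shlex

EXPECTED_FACILITY = 16  # "Local use 0" is syslog facility 16 (local0)
MAX_SEVERITY = 6        # Informative/inform is severity 6; 7 is debug
PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_line(line):
    """Return (facility, severity, fields) for one syslog datagram."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)
    fields = {}
    # shlex keeps quoted values such as msg="..." in one piece and raises
    # ValueError on an unterminated quote (for example a truncated datagram).
    for token in shlex.split(line[m.end():]):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return facility, severity, fields

def check_line(line, expected_token):
    """List the ways a line disagrees with the guide's syslog server settings."""
    try:
        facility, severity, fields = parse_line(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if facility != EXPECTED_FACILITY:
        problems.append(f"facility {facility}, expected {EXPECTED_FACILITY}")
    if severity > MAX_SEVERITY:  # assumes PRI severity mirrors the event priority
        problems.append(f"severity {severity} is more verbose than inform")
    if fields.get("id") != expected_token:  # assumes Syslog ID is sent as id=
        problems.append("id= does not match the connector Token")
    return problems

# Constructed sample data: placeholder token and made-up log lines.
SAMPLE_TOKEN = "EXAMPLE-TOKEN-0000"
SAMPLES = [
    '<134>id=EXAMPLE-TOKEN-0000 sn=000000000000 fw=192.0.2.1 pri=6 m=36 '
    'msg="TCP connection dropped" src=10.0.0.5:51544:X0 dst=198.51.100.7:443:X1',
    '<134>id=firewall sn=000000000000 fw=192.0.2.1 pri=6 m=36 msg="wrong id"',
    '<14>id=EXAMPLE-TOKEN-0000 sn=000000000000 pri=6 msg="wrong facility"',
    '<134>id=EXAMPLE-TOKEN-0000 msg="cut off mid-val',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_line(sample, SAMPLE_TOKEN) or "OK")
```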


 


 

Last updated: 2024-08-23