You need to perform some configuration on your SonicWall so that its logs can be viewed in the Logsign Unified SecOps Platform.
First, enter the IP address of your SonicWall device in your web browser and log in with your user credentials. The menu bar on the left side of the page lists the main configuration areas. Click Log, then click the Syslog tab.
In the Syslog Servers section, add the syslog server to which the logs will be directed by clicking the Add button under Server Name.
Name or IP Address: Write the IP address of your Logsign Unified SecOps Platform.
Port: The port number to which logs will be sent. Enter 514.
Note: If the IP address you want to add is not listed, click Create new address object, define the IP address of the Logsign Unified SecOps Platform as an address object, and then select it from the list.
After performing the above settings, save the Logsign Unified SecOps Platform as a syslog server on the SonicWall with the Add button.
The next step is to choose the types of logs you want to send to the Logsign Unified SecOps Platform. To do this, click Log -> Settings in the menu bar on the left side of your SonicWall interface.
Here you select the priority level of the event logs to be sent, in other words which log is sent with which flag. Set the Event Priority to Mixed by clicking the icon at the end of each line. The critical part for our purpose is the Syslog area, which appears when you expand the Log tab. Likewise, after setting the Priority of the Syslog line to Mixed, check the boxes below the Syslog header and set the log flags associated with Syslog to Inform and Critical.
Then confirm your changes by clicking the Accept button.
After these steps, add the source in the Logsign Unified SecOps Platform so that logs from the SonicWall device can be viewed.
Open the Logsign Unified SecOps Platform web interface, go to Settings -> Data Collection in the menu bar at the top of the page, and click the "+ Device" button under the Sources tab. On the Source Type Selection page, choose Syslog as the method. Then select SonicWall as the Vendor and Firewall in the Product Selection section. The page asks for the following information about the source you want to add:
Host: The IP address of the SonicWall product from which you want to retrieve logs.
Encoding: utf_8, the generally accepted standard in information technology, is set as the default. Accept it as is.
Offset: In short, this is a "time difference." If the system time of the device you are collecting logs from is ahead of or behind real time, you can correct for it here. The "+" symbol moves the time forward and "-" moves it backward. The value is specified in minutes.
Data Policy: This lets you filter incoming data in or out. In the Data Policy section, you can specify the kinds of logs (by keyword, event type, etc.) that you do or do not want to receive from the source. The default setting is the Default Policy, whose default rule is "collect all logs."
Max Line Length to Process: Each log is generated as a single line, which the Logsign Unified SecOps Platform receives and analyzes. In some cases a single log line can be longer than two thousand forty-eight (2048) characters; if so, you can change this value.
Check Health: If you tick this box, you will be informed about service status and operability. The Health Check Period field appears when the box is ticked; it is the interval at which the check is performed.
Device Name: Enter a descriptive name for the configuration you are making (for example, SonicFW); this helps the people who analyze the logs. The Description field can be thought of as a free-form area specific to the source.
Tag: Slightly different from the Description section, a tag can be used for a broader purpose. For example, if you use multiple firewalls and tag each one as sonic1 or sonic2, you can query by tag and make tag-based definitions when creating a report. If you want to query an event, searching by the sonic1 tag yields a shorter result set.
After filling in the Tag section, click the Save button to add the SonicWall device you have configured as a source.
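The two source settings above that most affect parsing, Offset and Max Line Length to Process, as an added Python example that is not part of the original page or of Logsign's or SonicWall's own code: it applies a minute offset to the timestamp of a SonicWall-style key=value syslog line, skips lines longer than the 2048-character default, and decodes the syslog PRI header. The sample line and its serial placeholder are constructed, and the timestamp format is assumed to be "YYYY-MM-DD HH:MM:SS ZONE".

```python
import re
from datetime import datetime, timedelta

# Default of the "Max Line Length to Process" setting described above.
MAX_LINE_LENGTH = 2048

# Syslog severities 0..7; SonicWall's Inform and Critical flags map to 6 and 2.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_PRI_RE = re.compile(r'^<(\d{1,3})>')

# Constructed sample line in SonicWall's key=value syslog style (not a real capture).
SAMPLE_LINE = (
    '<134>id=firewall sn=SERIAL-PLACEHOLDER time="2024-03-05 10:15:30 UTC" '
    'fw=203.0.113.10 pri=6 c=1024 m=537 msg="Connection Closed" '
    'src=10.0.0.5:51514:X0 dst=198.51.100.20:443:X1 proto=tcp/https'
)


def parse_sonicwall_line(line, offset_minutes=0, max_len=MAX_LINE_LENGTH):
    """Parse one SonicWall-style syslog line into a dict of fields.

    Returns None if the line is longer than max_len (the line would be skipped).
    offset_minutes is applied to the 'time' field the way the Offset setting
    works: positive moves the timestamp forward, negative moves it backward.
    """
    if len(line) > max_len:
        return None
    fields = {}
    # Syslog PRI header: <facility*8 + severity>, e.g. <134> = local0 / info.
    pri = _PRI_RE.match(line)
    if pri:
        value = int(pri.group(1))
        fields["_facility"] = value // 8
        fields["_severity"] = SEVERITY_NAMES[value % 8]
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    if "time" in fields:
        # Assumed format 'YYYY-MM-DD HH:MM:SS ZONE': drop the zone name,
        # then shift the naive timestamp by the configured offset.
        stamp = fields["time"].rsplit(" ", 1)[0]
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        fields["_time_adjusted"] = (ts + timedelta(minutes=offset_minutes)).isoformat()
    return fields
```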