Ingest Sonicwall Firewall Logs
Prerequisites
Logpoint: v6.7.4 or later
SonicWall Access: Syslog forwarding configured on SonicWall devices to send logs to Logpoint
Install SonicWall Firewall
Download the .pak file from the Help Center.
Install the Package
Go to Settings >> System Settings from the navigation bar.
Click Applications.
Click Import.
Browse to the downloaded .pak file.
Click Upload.
Verify Installation After installation, verify the integration appears under Settings >> System Settings >> Plugins.
Configure SonicWall Firewall
You can configure SonicWall Firewall using the Devices method.
Configuring a Repo for SonicWall Firewall
Go to Settings >> Configuration from the navigation bar and click Repos.
Click Add.
Enter a Repo Name.
Select a Repo Path to store incoming logs.
Set a Retention Day to keep logs in a repository before they are automatically deleted.
Note: You can add and remove multiple Repo Path and Retention Day.
Select a Remote Logpoint and set a Available for (day).
Click Submit.
Adding a Normalization Policy for SonicWall Firewall
Normalization policies normalize and standardize logs for efficient storage, analysis, and retrieval.
Go to Settings >> Configuration from the navigation bar and click Normalization Policies.
Click Add.
Enter a Policy Name.
Select the Compiled Normalizer for SonicWall Firewall:
SonicFirewallCompiledNormalizer (for standard SonicWall logs)
SonicWallAventailCompiledNormalizer (for SonicWall Aventail logs)
Select the required Normalization Packages:
LP_SonicWall SMA
LP_SonicWall SMA Process
Click Submit.
Configuring a Processing Policy for SonicWall Firewall
Processing policy dictates how SonicWall Firewall logs are handled, processed, and stored to enhance their usability and accessibility for monitoring, reporting, and alerting purposes.
Go to Settings >> Configuration from the navigation bar and click Processing Policies.
Click Add.
Enter a Policy Name.
Select the previously created normalization policy.
Select the Enrichment Policy.
Select the Routing Policy.
Click Submit.
Adding SonicWall Firewall as a Device in Logpoint
Go to Settings >> Configuration from the navigation bar and click Devices.
Click Add.
Enter a device Name.
Enter the SonicWall Firewall server IP address(es).
Select the Device Groups.
Select an appropriate Log Collection Policy for the logs.
Select a collector or a forwarder from the Distributed Collector drop-down.
Note: It is optional to select the Device Groups, the Log Collection Policy and the Distributed Collector.
Select a Time Zone. The timezone of the device must be same as its log source.
Configure the Risk Values for Confidentiality, Integrity and Availability used to calculate the risk levels of the alerts generated from the device.
Click Submit.
Configuring the Syslog Collector for SonicWall Firewall
Go to Settings >> Configuration from the navigation bar and click Devices.
Click the Add collectors/fetchers icon under Actions of the previously added device.
Click Syslog Collector.
Note: You can select a different collector depending on your requirements and added device. To learn more about available collectors, refer to the collectors documentation. If you require assistance, contact our support team.
Select Syslog Parser as Parser.
Select the previously created Processing Policy which contains the normalization policy.
Select the Charset.
In Proxy Server, select None (or configure proxy settings if needed).
Click Submit.
Verify Ingestion
Check Log Ingestion
Use the following query to verify SonicWall Firewall logs are being ingested:
Or search by normalizer:
Verify Data Flow
Check Syslog Collector Status: Ensure the SonicWall collector is running without errors.
Monitor Log Volume: Verify expected log volumes are being processed.
Validate Normalization: Confirm logs are correctly parsed and normalized using the SonicFirewallCompiledNormalizer or SonicWallAventailCompiledNormalizer.
Test Dashboards: Access SonicWall Firewall dashboards to verify data visualization.
Last updated
Was this helpful?