Threat Level: green Handler on Duty: Tom Webb

SANS ISC: SonicWALL Setup - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
SonicWALL Setup
It's been a few years since we have submitted log files, but we've just rolled out a SonicWALL TZ series and we're looking into getting things set back up again. Unfortunately, the help files are a bit out of date for direct submission via the firewall and the 3rd party tool links (DIDSyslog) are dead.

We previously used a syslog server (Kiwi) when submitting logs from the Cisco PIX so that's not an issue, if needed, but I do recall the 3rd party PIX tool from DShield parsed the log to remove extraneous content. With that in mind, my question is whether or not anyone has an active link to the listed 3rd party SonicWALL tool (DIDSyslog), assuming it works for current models, or suggestions on how to accomplish the same without one?

Any help would be appreciated. Google was not much help on this one.

Thanks in advance,
David
HateTheSnow

2 Posts
Syslog is one option, and easiest if you can send the logs to a Linux syslog server. I should easily be able to write a parser that will filter out extra lines once it is in syslog.

If I remember right, SonicWall also had the option to send logs as e-mail. Does this option still exist? I could resurrect support for that and include the newer versions. Can you set a "Subject" or just the "To" / "From" address? I think that was an issue in the past.
Johannes

2864 Posts
ISC Handler
The LAN side of the firewall is pretty basic now that all serving has been moved to the cloud (20 or so devices behind a dynamic IP), but it wouldn't be out of the question to set up an unused box as the syslog server and let it run 24/7. Ideally, I was hoping to find a way to use the firewall to hold the logs and then automate a batch process for submission. As I started working with it, syslog seemed to be only viable option.

You are correct about not being able to set the subject on e-mailed logs through the SonicWALL. The options are very limited and only allow setting the send to address, send schedule, log format (text/HTML e-mail, or CSV attachment), and a checkbox to include/exclude all log information. Oddly, there is a "Health Check E-mail Notification" option on the Log/Automation page that does allow you to set the subject line.

As a thought, do you think there is any possibility to e-mailing the log as a CSV file and dumping it to a selected folder on one of the workstations for parsing and submission? If the CSV can be parsed, that may be the easiest method.
HateTheSnow

2 Posts
e-mail would be another option. Parsing the CSV file should be simple. As far as sending it to us directly, maybe it does add some mail header identifying itself. take a closer look at what the emails look like, or let me know if you need help with a quick parser for the CSV files. (if you can capture them on a linux system). Johannes

2864 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!