Configure SonicWall Collection

Collecting SonicWall logs enables Alert Logic to run our common firewall analytics on data from your SonicWall devices. These analytics identify suspicious communication with internet hosts that Alert Logic considers threat actors. Significant security findings from your SonicWall devices result in the creation of incidents that can be managed in the Alert Logic console.

You must complete the following to send data from your SonicWall device(s) to Alert Logic:

  1. Download and install the remote collector
  2. Configure SonicWall device
  3. Verify log collection

Download and install the remote collector

To send data from your SonicWall device(s) to Alert Logic, you must first download and install the remote collector in the same network as the SonicWall device(s).

To download and install the remote collector:

  1. Review the requirements for the remote collector as outlined in Requirements for the Alert Logic Remote Collector and ensure all requirements are met.
  2. Complete the following instructions for Linux or Windows, making sure to choose a host in the same network as the SonicWall device(s).
  3. While installing the remote collector, note the IP of the host where the collector is installed. This IP will be needed when configuring the SonicWall device.

Configure SonicWall device

Once the remote collector is installed, the SonicWall device needs to be configured to send data to the collector. Complete one of the following procedures based on the version of your SonicWall device.

Configure version 7.X devices

To configure the SonicWall device:

  1. Log into the SonicWall web interface, and navigate to Device > Log > Syslog.
  2. In the Syslog Servers pane, click Add.
  3. In the Name or IP Address field, enter the IP address of the Alert Logic remote collector.
  4. In the Port field, set the value to 1515 (or the port you have set on the Logs page).
  5. Click OK.
  6. From the Syslog Format list, select Default.
  7. Click Apply.
  8. At the top of the page, click into Device.
  9. On the left-hand bar, click Log and then Settings.
  10. In the Logging Level drop-down menu, select Debug.
  11. In the Alert Level drop-down menu, select Warning.
  12. Click Accept.

Verify log collection

Once you have installed the remote collector and configured the SonicWall device, verify that log collection is working. It may take up to 15 minutes for Alert Logic to begin receiving logs.

  1. Log in to the Alert Logic console and use one of the following links to access the Search console with criteria already entered:
  2. Uncomment either of the two commented lines with SQL parameters and replace either $COLLECTOR_ID or $COLLECTOR_IP with your preferred identifier for the remote collector.
  3. Click Search.
  4. Verify logs display for the remote collector.
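If no logs appear in the Search console after the wait above, the first thing to establish is whether syslog from the firewall is reaching the collector host at all. The following script is an added example, not Alert Logic or SonicWall code: run it on the collector host (with the remote collector stopped so the port is free), and it listens on the port entered in the Syslog Servers pane, parses what arrives as SonicWall Default-format key=value records, and counts records per firewall. It assumes syslog is sent over UDP, and the sample records embedded for the parser are constructed, not captured from a device.

```python
import re
import socket

SYSLOG_PORT = 1515  # the port entered in the Syslog Servers pane above

# Default format: space-separated key=value fields, values with spaces are
# double-quoted; a syslog <PRI> header may precede the first field.
_PRI = re.compile(r"^<\d{1,3}>")
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records (not captured from a real device).
SAMPLE_LINES = [
    '<134>id=firewall sn=EXAMPLESN01 time="2024-05-01 10:15:22" fw=198.51.100.1 '
    'pri=6 c=1024 m=537 msg="Connection Closed" src=10.0.0.5:51514:X0 dst=203.0.113.10:443:X1',
    'id=firewall sn=EXAMPLESN01 time="2024-05-01 10:15:23" fw=198.51.100.1 '
    'pri=1 c=32 m=97 msg="Web site access denied" src=10.0.0.7:40122:X0 dst=203.0.113.44:80:X1',
    "<13>May  1 10:15:24 otherhost sshd[123]: Accepted publickey for ops",  # not SonicWall
]

def parse_sonicwall_syslog(line):
    """Return the key=value fields of one Default-format line as a dict."""
    body = _PRI.sub("", line.strip(), count=1)
    fields = {}
    for key, value in _KV.findall(body):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields

def summarize(lines):
    """Count records per firewall (fw=) and per message id (m=), skipping
    lines without fw= since they are not SonicWall Default records."""
    by_fw, by_msg = {}, {}
    for f in map(parse_sonicwall_syslog, lines):
        if "fw" not in f:
            continue
        by_fw[f["fw"]] = by_fw.get(f["fw"], 0) + 1
        by_msg[f.get("m", "?")] = by_msg.get(f.get("m", "?"), 0) + 1
    return by_fw, by_msg

def capture(port=SYSLOG_PORT, count=20, timeout=60.0):
    """Receive up to `count` UDP datagrams; an empty result after `timeout` seconds means nothing reached this host."""
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        try:
            while len(lines) < count:
                data, _ = sock.recvfrom(65535)
                lines.append(data.decode("utf-8", "replace"))
        except socket.timeout:
            pass
    return lines
```

Call `summarize(capture())` on the collector host: an empty firewall count means the device is not sending to this IP and port (recheck steps 3 and 4), while records that arrive but parse without an fw= field indicate a Syslog Format other than Default.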