Transmit VPN Logs via syslog only
Currently we send syslog from our Sonicwall NSA to our Kiwi syslog server and the log file is around 2GB each day in text. Is there a way that can can configure Sonicwall to send VPN login information via syslog only so we can monitor our users who use VPN to work from home?
Also, is 2GB of syslog file each day normal? We got a lot of port scanning from a lot of unknow IP addressesefrom the dashboard of Kiwi Syslog Service Manager (The dashboard is moving like crazy :))
MustafaA SonicWall Employee
@phongnd02, the firewall Log Settings is composed of Categories, Groups and Events. Each Event has a Priority and can be enabled/disabled for each Event recipient, namely GUI, Alert, Syslog, Trap, IPFIX, Email. In your case what you need to enable or disable is for the Syslog column. If it is enabled and if an Event is triggered (also depending on the Priority), then the firewall will send the Event content, which is a readable text message, to the Syslog Server.
The amount of data per day sent to the Syslog Server depends on which Events are enabled/selected (for Syslog) and how many of those are triggered by the firewall, and the Priority of the Events, as well as the Logging Level of the firewall.
If you want to keep track of VPN user login only then you may want to check Users - Authentication Access - User VPN Login and disable pretty much the rest of the Events for Syslog. You can find more information about the Log Events in the Log Events Reference Guide document. The Log Events are same on Gen6 and Gen7 firewalls, and I hope this gives some insight.
Thanks MUSTAFAA! This is a big help!
Glad I was able to help @phongnd02