Syslog traffic being blocked
Hello,
We are trying to integrate a SonicWall FW with one of our security tools. We have set up a Windows server in the LAN and deployed the security tool collector on the server. Still didn't get any logs to the console, despite creating the inbound/outbound rules on the server.
From the firewall I have created the access rule policy LAN-LAN, specifying the dest as the server IP & service - UDP.
Additionally, I did try a packet capture on the FW, specifying monitor filters as dest - server IP and port - 514.
I have seen packets being dropped from the X0*/V100 interface with drop code - 17.
When I mention only the port number, I didn't see any packets being captured.
Is there any way to troubleshoot this, or see where/what rules are blocking the traffic? Any ways on Windows to check for those syslogs?
Answers
I don't think access rules on the firewall itself will make any difference to the firewall sending syslogs out of its own LAN interface. So don't worry about that.
You could try a packet capture with Wireshark on your target server.
Have you followed this? https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-syslog-server-on-a-sonicwall-firewall/170505984096810
Yes, I did follow the same steps, except we have a 3rd-party syslog server, not GMS or other.
Like Arkwright said, run a packet capture on your Windows server. Don't forget to adjust the built-in Windows Firewall.
On a side note, a SonicWall will not capture its own syslog traffic unless you tell it to in the packet capture settings.
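As an added example (not from this thread or from SonicWall): a small Python UDP listener you can run on the Windows server in place of the collector to confirm that syslog datagrams actually reach port 514, plus a parser that decodes the PRI header and the key=value body. The sample datagram is constructed, and its key=value layout is my assumption about the firewall's syslog format rather than a captured message.

```python
import re
import socket

# Constructed sample datagram in a SonicWall-style key=value layout (assumed format, not a real capture).
SAMPLE = (b'<134>id=firewall sn=EXAMPLE-SERIAL time="2024-01-01 12:00:00 UTC" fw=192.0.2.1 '
          b'pri=6 c=1024 m=537 msg="Connection Closed" src=192.0.2.10:51000:X0 '
          b'dst=198.51.100.5:514:X0 proto=udp/514')

# key=value pairs; values are either a double-quoted string (may contain spaces) or a bare token
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_syslog(datagram: bytes) -> dict:
    """Decode the <PRI> header into facility/severity and split the body into key=value fields."""
    text = datagram.decode("utf-8", errors="replace")
    m = re.match(r"<(\d{1,3})>(.*)", text, re.S)
    if not m:
        return {"raw": text}  # not a syslog-framed message; keep it so it is still visible
    pri = int(m.group(1))
    fields = {"facility": pri // 8, "severity": pri % 8}
    for key, val in PAIR_RE.findall(m.group(2)):
        fields[key] = val[1:-1] if val.startswith('"') else val
    return fields


def listen(port: int = 514, count: int = 1) -> list:
    """Bind UDP/<port> on all interfaces, print each parsed message, and return them after `count` datagrams.

    Stop the collector first (only one process can own the port), and on Linux run as root for port 514.
    If nothing arrives here, the problem is upstream (firewall not sending, or Windows Firewall dropping it).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    received = []
    while len(received) < count:
        data, (src_ip, src_port) = sock.recvfrom(65535)
        parsed = parse_syslog(data)
        print(f"{src_ip}:{src_port} -> {parsed}")
        received.append(parsed)
    sock.close()
    return received


if __name__ == "__main__":
    listen()
```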
It has been solved after I changed the Event Profile to 0, which was defaulted to 1. I still didn't get why it didn't generate syslogs at Event Profile 1? It's not GMS.
When you add a Syslog server, the default Event Profile is 0. If you set this to 1, and if you don't have any category/sub-category or event, that is configured for event profile 1, then the firewall will not trigger/create any syslog message. This is configured on the "Use This Syslog Server Profile" field, and by default it is zero.