Configure 2 syslog servers

I'm trying to configure a second, extra syslog server; we already had one configured and running correctly.


When I configure the new syslog, I don't see packet traffic in packet monitor. What are the steps to have 2 syslog servers?


New syslog port 513



Category: Firewall Management and Analytics

Answers

  • Ajishlal, Community Legend ✭✭✭✭✭

    @gussr16

    The second syslog server port should be 514.


  • BWC, Cybersecurity Overlord ✭✭✭

    @gussr16 I checked on my NSa running 6.5.4.10 and added a second syslog server and both servers got the syslog packets.

    If you can't see the traffic in the Packet-Monitor, did you have the "Exclude Syslog Traffic to:" checked by accident? IMHO it's the default.

    Did you check with tcpdump on your Wazuh if any syslog packets arrive from your SNWL?

    @Ajishlal Port 513 is probably correct, if configured that way, like mentioned in the Wazuh docs.

    --Michael@BWC

  • Ajishlal, Community Legend ✭✭✭✭✭

    @BWC

    I heard that SonicWall only accepts UDP port 514 for the syslog service.

  • BWC, Cybersecurity Overlord ✭✭✭

    @Ajishlal this must be in another context, using Port 513 for Syslog on the NSa works fine.

    --Michael@BWC

  • gussr16, Newbie ✭

    Hello, I configured it again on port 514.


    But I don't see any packet traffic either.



  • BWC, Cybersecurity Overlord ✭✭✭
    edited July 2022

    @gussr16 I checked and can see the Syslog packets. Have you by any chance set a Display Filter or not clicked all Checks on the Display Filter page?

    I guess you're on 6.5.4.10 as well?

    --Michael@BWC

  • gussr16, Newbie ✭

    @BWC

    Yes, if it's correct I'm on SonicOS Enhanced 6.5.4.10-95n


    I have configured to see all the filters, it strikes me that it does not show any traffic.



  • BWC, Cybersecurity Overlord ✭✭✭

    @gussr16 then I need to throw in the towel. I tried different IP addresses to send the syslog data to, to make sure it's not Zone or Interface related, but I always saw the packets in the Monitor.

    If you made sure that on the "Settings" Tab of the Packet Monitor Syslog is not excluded, I cannot think of anything else at the moment.

    --Michael@BWC

  • gussr16, Newbie ✭

    @BWC


    I did the test with many IPs and the same if I have traffic, but not with a specific IP, I tried to create a new object, but I have no result. Something to have in mind?

  • BWC, Cybersecurity Overlord ✭✭✭

    @gussr16 the one and only thing, as mentioned before, is this one, but I guess you checked this already.

    Maybe you need to open a Ticket for that.

    --Michael@BWC
