Wazuh + Sonicwall
Brenno Garcia
I need help configuring Wazuh to handle logs and alerts from SonicWall.
I've already configured the syslog server on the SonicWall to forward logs to Wazuh.
Wazuh is receiving these logs, and that part is correct.
The problem is that SonicWall is only sending network logs (gcat=6, according to the documentation), and I can't configure it to send other types of logs.
I've searched some documentation, but none mention this part.
I edited all the logs on SonicWall to be sent to event profile 1 (Wazuh server configuration in Syslog), but it still didn't work.
Javier Adán Méndez Méndez
Hi Brenno Garcia
Wazuh is already receiving SonicWall logs, so the syslog collector is working correctly on our side.
If only gcat=6 events are arriving, that means SonicWall is only forwarding that category. Wazuh does not filter SonicWall log types, and it cannot request additional categories.
Still, here are a few quick checks you can do to confirm everything is fine on the Wazuh side:
-
Verify syslog collection is enabled
-
If you're using direct syslog input
-
Confirm logs are arriving
-
Check Wazuh manager logs
If Wazuh is already receiving events, then the remaining categories need to be enabled on the SonicWall side. Wazuh will ingest anything the device sends.
Feel free to share a few sample logs if you want us to confirm the format.
Regards,
Javier Mendez
Wazuh Teams
Brenno Garcia
All the guides I've found never show the part where we configure which logs will be sent.
Javier Adán Méndez Méndez
https://medium.com/@enes.ismaili/sonicwall-wazuh-integration-c96a0b3f6c30
https://community.sonicwall.com/s/question/0D5VN00000Yd8Vn0AJ/syslog-configuratoin-with-wazuh
https://github.com/wazuh/wazuh/issues/28295