WAZUH SONICWALL


Brenno Garcia

Dec 5, 2025, 11:07:17 AM (2 days ago) Dec 5
to Wazuh | Mailing List
Hello
I'm trying to configure syslog between SonicWall and Wazuh.
The firewall and permission issues seem okay; the logs are sent to the Wazuh machine and, via rsyslogd, they are forwarded into the Wazuh container.

The problem is that very few logs are arriving from the SonicWall. Does anyone know how to proceed?

I followed several approaches from various documentation, but very few show the syslog configuration on the SonicWall side.

I checked, and all log categories in SonicWall 7 have the syslog option enabled.

I even tried, in the syslog configuration, the "edit all categories" section, where it allows choosing an event profile (some profile that was created in the syslog server), but it still doesn't send all the logs.

The only category that is sending logs is gcat=6 (network, according to the documentation).

And it sends only 1 per minute.

Olamilekan Abdullateef Ajani

Dec 5, 2025, 12:27:52 PM (2 days ago) Dec 5
to Wazuh | Mailing List
Hello,

Based on what you have said so far, Wazuh is able to accept logs from the rsyslog server, so that means Wazuh checks out: Wazuh does not query SonicWall or rsyslog; whatever is sent is what you will see on Wazuh.
A few questions, though:
  • Did you follow all the steps from SonicWall as also described in this documentation here: https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-syslog-server-on-a-sonicwall-firewall/kA1VN0000000TWl0AM
  • Did you examine the rsyslog server where the logs are saved before they are shipped to Wazuh to see if there are some logs present there?
  • If there are, this could mean the logs you need are not matching any decoder and, as such, no rules are being fired. You may need to enable the Wazuh archive and check if there are any other logs present.
  • Lastly, what type of logs do you see? Can you share a sample, and what type is missing? (there are traffic logs, security profiles logs, web control logs, local logs, authentication logs, etc.) It is best to know what is being defined at each security facility and understand what is expected before troubleshooting what is missing.
  • Another thing, have you checked the data with the SonicWall support group or forum to check if this is an expected behavior?
You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.

<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

Then restart the Wazuh manager: systemctl restart wazuh-manager

grep "part of your log" /var/ossec/logs/archives/archives.json

Please let me know what you find.
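An added example, not part of either message above, of how to go through archives.json once logall_json is on and answer the two questions raised in this reply: are the SonicWall events arriving at all, and are they being decoded or falling through with no decoder match? It assumes archives.json holds one JSON document per line with a "decoder" object whose "name" is missing or empty when nothing matched, that the SonicWall body is the usual key=value syslog format (including the gcat field mentioned earlier in the thread), and that the events' "location" contains "sonicwall"; adjust the hint to whatever rsyslog writes. The sample lines are constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample of archives.json lines (one JSON document per line).
# The SonicWall key=value bodies and hosts are made up for this example.
SAMPLE_ARCHIVE = r'''
{"timestamp":"2025-12-05T11:00:01.000+0000","decoder":{"name":"sonicwall"},"location":"/var/log/sonicwall.log","full_log":"id=firewall sn=0000000000 time=\"2025-12-05 11:00:01\" fw=192.0.2.1 pri=6 c=1024 gcat=6 m=98 msg=\"Connection Opened\""}
{"timestamp":"2025-12-05T11:00:02.000+0000","decoder":{},"location":"/var/log/sonicwall.log","full_log":"id=firewall sn=0000000000 time=\"2025-12-05 11:00:02\" fw=192.0.2.1 pri=1 c=32 gcat=2 m=14 msg=\"Web site access denied\""}
{"timestamp":"2025-12-05T11:01:00.000+0000","decoder":{"name":"sshd"},"location":"/var/log/auth.log","full_log":"Dec  5 11:01:00 host sshd[123]: Accepted publickey for admin from 198.51.100.7 port 2222"}
'''

# key=value pairs; values are either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_sonicwall_kv(full_log):
    """Parse a SonicWall key=value syslog body into a dict, unquoting quoted values."""
    fields = {}
    for key, val in KV_RE.findall(full_log):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def summarize_archive(text, location_hint="sonicwall"):
    """Walk archives.json text and return (decoded_by_name, undecoded_count,
    events_per_gcat, events_per_minute) for events whose location matches the hint."""
    decoded = Counter()
    undecoded = 0
    per_gcat = Counter()
    per_minute = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a partially written or corrupt line
        if location_hint not in event.get("location", ""):
            continue
        fields = parse_sonicwall_kv(event.get("full_log", ""))
        per_gcat[fields.get("gcat", "none")] += 1
        # "YYYY-MM-DDTHH:MM" bucket, enough to see the one-per-minute pattern
        per_minute[event.get("timestamp", "")[:16]] += 1
        # assumption: undecoded events carry an empty decoder object or no name
        name = (event.get("decoder") or {}).get("name")
        if name:
            decoded[name] += 1
        else:
            undecoded += 1
    return decoded, undecoded, per_gcat, per_minute


if __name__ == "__main__":
    decoded, undecoded, per_gcat, per_minute = summarize_archive(SAMPLE_ARCHIVE)
    print("decoded by decoder name:", dict(decoded))
    print("events with no decoder match:", undecoded)
    print("events per gcat:", dict(per_gcat))
    print("events per minute:", dict(per_minute))
```

Run it against the real file with summarize_archive(open("/var/ossec/logs/archives/archives.json").read()). If the gcat counts only ever show 6 and one event per minute, the firewall is not sending the other categories and the fix is on the SonicWall side; if other categories appear but land in the undecoded bucket, the events are arriving and the gap is a decoder or rule, not syslog.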
