Collecting Sonicwall firewall logs with syslog-ng Store Box

Dell’s Sonicwall firewalls protect many businesses ranging from small offices to large enterprises. Depending on the network traffic these appliances can generate an extreme amount of log messages about the hosts you connected to or the hosts trying to attack your network. Log messages are essential for multiple reasons: compliance, security, planning or billing, just to name a few. Sonicwall firewall appliances can store these logs only for a very limited time. There is no graphical user interface for browsing these logs. Also, finding information in flat files can prove very difficult and time-consuming.

Why syslog-ng Store Box?

Fortunately, events collected by the firewall can be forwarded to 3rd party logging solutions using the standard syslog protocol over the network. Balabit’s syslog-ng Store Box (SSB) is a high-performance log management appliance. Depending on the appliance size, it can collect over a hundred thousand syslog messages per second. If you have multiple firewalls, you can use SSB for centralized log collection. It not only collects messages, but also indexes them and provides a powerful web-based search interface for your logs.

Even without further processing the messages, the syslog-ng Store Box appliance can facilitate your everyday work with your Sonicwall firewall. Depending on your log retention configuration, you can search weeks' or even years' worth of log data. As Sonicwall uses the syslog priority to mark interesting messages, for example port scans, it is easy to narrow down searches and separate suspicious events from the rest. Besides search, you can also get an overview of your system and create statistics, as demonstrated in the screenshot below. The statistics can also be included in automatic reports.

Syslog message parsing

The use of PatternDB message parsing can further enhance your search results. With basic full-text indexing you can find an IP address in your logs; however, without parsing, it is impossible to determine whether it is the source or the destination IP of a network connection, or even the address of the firewall itself. In this case, if you have a client machine browsing the web, there might be thousands of log messages about outgoing connections, but it can be really difficult to find an incoming connection to that machine. However, once a message is parsed, you can search for an IP address in a certain field instead of the whole message, making the process straightforward.
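To illustrate the difference between a whole-message search and a field search, here is an added Python example (not code from the original post, nor from SSB or its PatternDB) that parses constructed Sonicwall-style key=value syslog lines; the field names (src, dst, pri, msg) and the ip:port:interface layout are assumed.

```python
import re
from typing import Dict, List

# Constructed sample messages in the key=value style Sonicwall firewalls emit
# over syslog (assumed layout; addresses are documentation ranges, not real hosts).
SAMPLE_LOGS = [
    'id=firewall sn=FAKE0001 time="2024-05-01 10:00:01 UTC" fw=203.0.113.1 pri=6 c=1024 m=98 msg="Connection Opened" src=192.0.2.10:51234:X0 dst=198.51.100.5:443:X1 proto=tcp/https',
    'id=firewall sn=FAKE0001 time="2024-05-01 10:00:02 UTC" fw=203.0.113.1 pri=6 c=1024 m=98 msg="Connection Opened" src=192.0.2.10:51235:X0 dst=198.51.100.9:80:X1 proto=tcp/http',
    'id=firewall sn=FAKE0001 time="2024-05-01 10:00:03 UTC" fw=203.0.113.1 pri=6 c=1024 m=98 msg="Connection Opened" src=198.51.100.7:40000:X1 dst=192.0.2.10:22:X0 proto=tcp/ssh',
    'id=firewall sn=FAKE0001 time="2024-05-01 10:00:04 UTC" fw=203.0.113.1 pri=1 c=32 m=82 msg="Possible port scan detected" src=198.51.100.7:40001:X1 dst=203.0.113.1:23:X1 proto=tcp/telnet',
]

# key=value pairs; quoted values may contain spaces, unquoted ones may not
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_message(line: str) -> Dict[str, str]:
    """Split a key=value syslog payload into a dict, unquoting quoted values
    and expanding src/dst (ip:port:interface) into separate sub-fields."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    for name in ("src", "dst"):
        if name in fields:
            parts = fields[name].split(":")
            fields[f"{name}_ip"] = parts[0]
            if len(parts) > 1:
                fields[f"{name}_port"] = parts[1]
            if len(parts) > 2:
                fields[f"{name}_if"] = parts[2]
    return fields


def full_text_search(lines: List[str], needle: str) -> List[str]:
    """Unparsed search: matches the address anywhere in the message,
    whether it is the source, the destination or the firewall itself."""
    return [line for line in lines if needle in line]


def field_search(lines: List[str], field: str, value: str) -> List[Dict[str, str]]:
    """Parsed search: matches only when the named field equals the value."""
    return [f for f in (parse_message(line) for line in lines) if f.get(field) == value]


if __name__ == "__main__":
    # Full-text finds every mention of the client; the field search isolates
    # the single inbound connection to it.
    print(len(full_text_search(SAMPLE_LOGS, "192.0.2.10")), "messages mention the client")
    for hit in field_search(SAMPLE_LOGS, "dst_ip", "192.0.2.10"):
        print("inbound:", hit["src_ip"], "->", hit["dst_ip"], "port", hit["dst_port"])
```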

Summary

Collecting Sonicwall firewall log messages using syslog-ng Store Box enables more efficient operation of your security infrastructure. Using message parsing can enhance your search results. Of course, it is not only the Sonicwall firewall that can make good use of an external log management solution. Several firewalls and network appliances cannot store their logs at all. SSB can help you collect your log messages to a central location.
