How To Configure SonicWall Logging and Reporting 2018-02-27T01:47:44+00:00
Reporting on SonicWall Log Files with WebSpy Vantage

How to Configure SonicWall Logging and Reporting 

Before You Begin – See Fastvue Reporter for SonicWall

We have another product dedicated to making reporting on SonicWall simple and easy. Fastvue Reporter for SonicWall includes live dashboards, alerts, and historical reporting, all preconfigured to show everything you need to know about employee Internet usage, bandwidth and how your network is operating.

Fastvue Reporter for SonicWall

Why WebSpy Vantage?

If you need full flexibility over the content of your reports, WebSpy Vantage provides a comprehensive report templating and data aliasing engine that is not available in Fastvue Reporter for SonicWall. If that is something you need, then please see the guide below on configuring SonicWall logging and reporting with WebSpy Vantage.

Fastvue Syslog Logo
Fastvue Syslog Server

1. Install a Syslog Server

There are a range of syslog servers available for all operating systems, and Linux systems have an inbuilt system called Syslog-ng that you can use. For Windows Systems, you need to install a third party product to collect and log the syslog messages. We have a free tool for Windows for this called Fastvue Syslog. It simply listens on the port you specify (514 by default) and writes syslog messages out to text files which can then be imported into WebSpy Vantage. Fastvue Syslog will also compress and archive logs after 30 days (configurable), and can forward syslog data to another server. To get started with Fastvue Syslog:

  1. Download the Free Fastvue Syslog Server
  2. Install Fastvue Syslog on a Windows Server and launch the Web UI in a modern browser (Chrome is recommended)
  3. The initial configuration page lets you set where you would like logs and archives to be stored, listening ports (514 by default) and web UI login details. Ensure ‘Auto-Discover Syslog Sources’ is checked.
  4. Once configured, you should see your SonicWall device appear as a source on the left hand side (Note: If your SonicWall devices does not automatically appear, try using Google Chrome as IE has known issues, especially when running on a server with IESC enabled).
  5. Click the Cog icon in the top right corner to see the path where your logs are being created. By default this is C:\ProgramData\Fastvue\Syslog Server\Logs\. A folder is created for each device sending syslog messages. Navigate to this folder in Windows Explorer to see the log files being created.

Once your syslog server is successfully creating text log files, you can import this into WebSpy Vantage.

Install Fastvue Syslog
SonicWall 6.5 Syslog Settings
Capturing SonicWall Syslog Data with Fastvue Syslog

SonicWall Syslog Text Files created in Fastvue Syslog

2. Configure SonicWall to send Syslog messages

Once you have Syslog Server running, you need to configure SonicWall to send syslog messages to it. There are a range of log events you can send, but usually, you want to send at least the ‘Syslog Website Accessed’ and ‘Website Blocked’ events as they’re the events that relate to the web traffic flowing through SonicWall’s Content Filtering feature. You can also send the ‘Connection Closed’ events to capture general network activity.

The Syslog options vary depending on your SonicOS version:

  1. Go to Manage | Log Settings | Syslog and set the Syslog Format to Enhanced Syslog
  2. Click the Enhanced Syslog Fields Settings: button and check all the available fields.
  3. Under the Syslog Servers section, add your Fastvue server as a syslog server.[imageframe lightbox=”yes” lightbox_image=”https://www.fastvue.co/wp-content/uploads/2016/04/SonicWall6.5_SyslogSettings.png” style_type=”dropshadow” bordercolor=”” bordersize=”0px” borderradius=”0″ stylecolor=”” align=”center” link=”” linktarget=”_self” animation_type=”0″ animation_direction=”down” animation_speed=”0.1″ class=”” id=””]SonicWall SonicOS 6.5 Syslog Settings[/imageframe]
  4. Go to Manage | Log Settings | Base Setup and expand the Log | Syslog section. Check the Syslog column for the Syslog Website Accessed events. Set the priority to Informational.
  5. Still in Manage | Log Settings | Base Setup, expand Security Services | Content Filter and check the Syslog column for Website Accessed & Website Blocked events, again making sure the priority is Informational[imageframe lightbox=”yes” lightbox_image=”https://www.fastvue.co/wp-content/uploads/2016/04/SonicWall6.5_SyslogSettings_BaseSetup.jpg” style_type=”dropshadow” bordercolor=”” bordersize=”0px” borderradius=”0″ stylecolor=”” align=”center” link=”” linktarget=”_self” animation_type=”0″ animation_direction=”down” animation_speed=”0.1″ class=”” id=””]SonicWall 6.5 Syslog Settings Base Setup[/imageframe]
  6. Still in Log | Settings, expand Network | Network Access and check the Syslog option for Connection Closed, Web Request Receiver and Web Request Drop events, again making sure the priority is Informational[imageframe lightbox=”yes” lightbox_image=”https://www.fastvue.co/wp-content/uploads/2016/04/SonicWall6.5_Network_Access_Syslog_Events.jpg” style_type=”dropshadow” bordercolor=”” bordersize=”0px” borderradius=”0″ stylecolor=”” align=”center” link=”” linktarget=”_self” animation_type=”0″ animation_direction=”down” animation_speed=”0.1″ class=”” id=””]SonicWall 6.5 Network Access Syslog Events[/imageframe]
  7. Ensure you have SonicWall’s Content Filtering Services (CFS) enabled and active in Security Services | Content Filter.[imageframe lightbox=”yes” lightbox_image=”https://www.fastvue.co/wp-content/uploads/2016/04/SonicWall_SonicOS6.5_Enable_ContentFilteringServices_CFS.jpg” style_type=”dropshadow” bordercolor=”” bordersize=”0px” borderradius=”0″ stylecolor=”” align=”center” link=”” linktarget=”_self” animation_type=”0″ animation_direction=”down” animation_speed=”0.1″ class=”” id=””]SonicWall SonicOS 6.5 Enable Content Filtering Services CFS[/imageframe]

We also recommend deploying SonicWall’s DPI-SSL feature for reporting an alerting on HTTPS traffic such as Google Searches and YouTube videos.

  1. If you are running 6.2.6.0-20n, request hotfix 6.2.6.0-20n–HF176616-1n from SonicWall support to fix a critical logging bug. This fix will be included in 6.2.6.1 generally.
  2. Go to Log | Syslog and set the Syslog Format to Enhanced Syslog
  3. Under the Syslog Servers section, add your Fastvue server as a syslog server.[imageframe lightbox=”yes” lightbox_image=”https://www.fastvue.co/wp-content/uploads/2016/04/SonicWALL_Syslog_Configuration_6.2.6.0.jpg” style_type=”dropshadow” bordercolor=”” bordersize=”0px” borderradius=”0″ stylecolor=”” align=”center” link=”” linktarget=”_self” animation_type=”0″ animation_direction=”down” animation_speed=”0.1″ class=”” id=””]SonicWall Syslog Configuration for SonicOS 6.2.6.0[/imageframe]
  4. Go to Log | Settings and expand the Log | Syslog section. Check the Syslog option for the Syslog Website Accessed events. Set the priority to Informational.
  5. Still in Log | Settings, expand Security Services | Content Filter and check the Syslog option for Website Accessed & Website Blocked events, again making sure the priority is Informational[imageframe lightbox=”yes” lightbox_image=”https://www.fastvue.co/wp-content/uploads/2016/04/SonicWALL_Log_Settings_6.2.6.0-1024×840.jpg” style_type=”dropshadow” bordercolor=”” bordersize=”0px” borderradius=”0″ stylecolor=”” align=”center” link=”” linktarget=”_self” animation_type=”0″ animation_direction=”down” animation_speed=”0.1″ class=”” id=””]SonicWall Log Settings SonicOS 6.2.6.0[/imageframe]
  6. Still in Log | Settings, expand Network | Network Access and check the Syslog option for Connection Closed, Web Request Receiver and Web Request Drop events, again making sure the priority is Informational[imageframe lightbox=”yes” lightbox_image=”https://www.fastvue.co/wp-content/uploads/2016/04/SonicWALL_Log_Settings_Network_Access_6.2.6.0-1024×835.jpg” style_type=”dropshadow” bordercolor=”” bordersize=”0px” borderradius=”0″ stylecolor=”” align=”center” link=”” linktarget=”_self” animation_type=”0″ animation_direction=”down” animation_speed=”0.1″ class=”” id=””]SonicWall Log Settings Network Access SonicOS 6.2.6.0[/imageframe]
  7. Ensure you have SonicWall’s Content Filtering Services (CFS) enabled and active in Security Services | Content Filter.[imageframe lightbox=”yes” lightbox_image=”https://www.fastvue.co/wp-content/uploads/2016/04/SonicWALL_Enable_CFS_6.2.6.0.jpg” style_type=”dropshadow” bordercolor=”” bordersize=”0px” borderradius=”0″ stylecolor=”” align=”center” link=”” linktarget=”_self” animation_type=”0″ animation_direction=”down” animation_speed=”0.1″ class=”” id=””]SonicWall Enable CFS SonicOS 6.2.6.0[/imageframe]

  1. Go to Log | Syslog and check the Override Syslog Settings with Reporting Software Settings checkbox and click Accept. This option fixes an issue where URL Categories are not logged for Allowed traffic. Read more.
  2. Under the Syslog Servers section, add your Fastvue server as a syslog server.[imageframe lightbox=”yes” lightbox_image=”https://www.fastvue.co/wp-content/uploads/2016/04/SonicWALL_Syslog_Configuration_5.9.jpg” style_type=”dropshadow” bordercolor=”” bordersize=”0px” borderradius=”0″ stylecolor=”” align=”center” link=”” linktarget=”_self” animation_type=”0″ animation_direction=”down” animation_speed=”0.1″ class=”” id=””]SonicWall Syslog Configuration For SonicOS 5.9[/imageframe]
  3. Go to Log | Settings and expand the Log | Syslog section. Check the Syslog option for the Syslog Website Accessed events. Set the priority to Informational.
  4. Expand Network | Network | Network Access and check the Syslog option for Website Blocked & Website Accessed events, again making sure the priority is Informational
  5. Ensure you have SonicWall’s Content Filtering Services (CFS) enabled and active in Security Services | Content Filter, either via App Rules or Zones and Interfaces, and that you have an App Rule or Zone configured to use CFS.

  1. Go to Log | Syslog and ensure the Syslog Format is set to Default
  2. Under the Syslog Servers section, add your Fastvue server as a syslog server.
  3. Go to Log | Categories and ensure the logging level is set to Informational
  4. In the Categories section, check the Syslog checkbox for the Network Traffic events.
  5. Ensure you have SonicWall’s Content Filtering Services (CFS) enabled and active in Security Services | Content Filter, and that CFS is applied to one of your zones in Network | Zones

The Best SonicWall Configuration for Detailed Logging and Reporting

The information available in your reports depends on the configuration of your SonicWall and the features you have enabled. For more information, see our article on The Best SonicWall Configuration for Detailed Logging and Reporting.

Importing SonicWall Syslog Files into WebSpy Vantage

Importing SonicWall Syslog text files into WebSpy Vantage

Importing and Reporting on SonicWall Log Files as a Daily Task

Automating the process of importing and reporting on SonicWall log files as a Daily Task

3. Importing SonicWall Logs into WebSpy Vantage

WebSpy Vantage imports text log files from over 200 common network devices, into its own database format called a Storage. You can then use this Storage for analysis and reporting, you can  regardless of whether the original log file has been moved, archived or deleted. To import your SonicWall logs into WebSpy Vantage:

  1. In WebSpy Vantage, go to the Storages tab and click Import Logs
  2. Create a new storage and call it SonicWall, or anything else meaningful to you. Click Next.
  3. Select Local or Networked Files or Folders and click Next.
  4. Select the SonicWall loader and click Next.
  5. Click Add | Folder and select the folder where your SonicWall log files are stored. If you’re using the Fastvue Syslog Server above, the default folder is C:\ProgramData\Fastvue\Syslog Server\Logs\{sonicwall_host}. If you only plan to send SonicWall syslog messages to the Fastvue Syslog Server, you can add the root folder (C:\ProgramData\Fastvue\Syslog Server\Logs) and check the Add sub folders option to import logs from all SonicWall hosts. Ignore the last three pages of the Import Wizard and click OK to begin the import process.
  6. Your log files will start importing into your WebSpy Vantage Storage, and you can use this storage for Analysis and Reporting from this point on.

Your log files will start importing into your WebSpy Vantage Storage, and you can use this storage for Analysis and Reporting from this point on. You can even delete the original log file data once it has been imported.

Now that you have created a storage that is pointing to your SonicWall’s log data, it is a good idea to automate the process of importing new logs each night. To do this:

  1. In WebSpy Vantage, go to the Tasks tab and click New Task.
  2. Call the Task Daily Task and proceed through the short wizard to create a task with a Daily schedule running at 1am in the morning.
  3. Once the Task has been added, select the next task and click Add Action | Import new hits to existing storage
  4. Select the SonicWall Storage you created above and ensure Resume import from last position is selected. Click OK to add the action.

WebSpy Vantage will now automatically import logs new log files each night at 1am. As this storage will grow until you run out of disk space, it is a good idea to add a data retention policy using the Purge data from storage task action. To do this:

  1. Still on the Tasks tab, select the Task you created above and click Add Action | Purge Data from Storage
  2. Select your SonicWall storage and click Next. Select your desired data retention, such as Purge data older than 3 months. (The WebSpy Vantage storage will be about 80% of the size of your SonicWall syslog files).

WebSpy Vantage will now automatically purge data from your storage once it has imported new logs files.

Organization Import Directory Server Page

Entering Directory Server details

Organization Import LDAP Source - Quick Queries

Selecting LDAP Root DN and Search Query.

Organization Import - User Details Page

Using LDAP attributes for username aliasing and Web Module login names.

Organization Import Grouping Using the Departments Attribute

Grouping users by LDAP attributes and/or OUs.

Organization Import - Merging Page

LDAP import merging options.

Imported Organization showing Departments and Offices

A successfully imported Organization tree.

4. Import Your Organization

SonicWall logs authenticated usernames in the format domain\username. WebSpy Vantage can import information from Active Directory to alias these authenticated users into real names (first name last name), departments, offices and OUs.

To do this, go to the Organization tab and click Import Organization.

On the Directory Server page, select your directory type and server, along with a username (in domain\username format) and password to authenticate with your directory server, and click Test. Click Next after you have successfully connected to your directory server.

Select a Root Distinguished Name to search for users within (for example, ‘dc=mydomain, dc=com’) from the dropdown list. If your users are contained within a specific OU, select the ‘‘ button to select the OU in your directory.

The LDAP search query defaults to a query that returns ‘user accounts’. It’s important to note that WebSpy Vantage’s licensing is based on ‘number of users’, so if necessary, use the Quick Queries drop-down to change the LDAP search query and import a more specific set of user accounts, such as enabled users with an email address. WebSpy Vantage will import all users up to the license limit, which is unlimited during your trial. Click Next.

The User Details page defines how Vantage maps user objects in your Directory to authenticated usernames in your log files, as well as configuring user login names for the Web Module, the email address to send report notifications to, and the attribute to use to find a user’s manager.

If you are using Active Directory, you choose Use Active Directory Defaults. WebSpy Vantage will attempt to detect the name of your domain, and prefix this to all account names so that your authenticated usernames logged by SonicWall are correctly aliased to a user object in Active Directory.

If your domain prefix on user accounts is different to your computer network’s domain name, click Custom, then check the Prefix checkbox and enter the required domain prefix.

The Grouping page enables you to configure how you would like users grouped, such as by Departments, Offices, OUs etc. User Objects in Active Directory have a number of attributes, including department, office, description, company, and you can also place user objects in OU containers, and configure attributes on those containers. WebSpy Vantage can hook into any of these attributes to group your users for the purpose of reporting.

By default, there are two groups specified: Offices (using the ‘physicalDeliveryOfficeName’ attribute in Active Directory) and Departments (using the ‘department’ attribute in Active Directory).

If a user does not have one of these values populated in Active Directory, then they will be imported into the ‘Unknown’ department and office respectively. Alternatively, you can uncheck the Import Ungrouped Users option at the bottom of the Grouping page.

You can edit or delete these groups as necessary.

When adding or editing a group:

  1. First, enter the name of the Group into the Name field. This is up to you and should represent what the group is, such as ‘Departments’, ‘Locations’, ‘Business Centers’ etc. (Note, there are a few default Report Templates that use ‘Departments’ so use the word ‘Departments’ in one of your grouping levels utilize these reports).
  2. Enter the exact name of the attribute into the Attribute field. For example, enter ‘physicalDeliveryOfficeName’ to import the Office attribute from Active Directory. To import the name of an OU, use the attribute ‘OU’.

    By default, Active Directory Users and Computers hides the real attribute names. You can change this by selecting View | Advanced Features to show the Attribute Editor with real attribute names when editing a User or OU.

  3. Relative to user:
    Use this option if the attribute is located on the user object itself or on one of its parent OU containers. For example, if you are using the ‘Department’ attribute on the user objects, then select Relative to user and select User node. Or if your users are in a consistent OU structure, specify either Parent of the user node, or Node ‘n’ levels above to access the attribute on the appropriate parent OU container.
  4. Relative to root:
    Use this option to select OUs relative to the Root Distinguished Name that you specified on the Directory Server page. For example, if you have defined OUs for all your Offices directly underneath your Root DN, with user objects located anywhere underneath those OUs, then use the Immediate children of Root option, or the Children ‘n’ levels below Root option. For inconsistent OU structures, you can use the Single group from Root node option, and use the Import Organization wizard multiple times (usually configured with multiple task actions within a Task) with the Merge options set appropriately, to create groups from multiple Root DNs in your directory.
  5. Click OK to add your Grouping level.

Tip: Later, you’ll need to configure Web Module access permissions for people and/or groups. To create a default set of permissions that apply to your entire organization, create a top-level group using an attribute that everyone is a member of. For example, call the group ‘Domain’ and use the attribute ‘dc’.

Once you have specified all the Groups you would like to use in your reporting process, click Next.

The Merging page enables you to use the Import Organization wizard multiple times, and merge the results into your existing Organization structure. For example, first import your Organization from one domain (or one Root DN on your domain), with the Overwrite existing organization tree option set to create an initial Organization tree, then run the Import Organization wizard again to import your Organization from another domain (or a different Root DN on your domain) and merge the results into your existing Organization tree.

The Merge options enable to you to keep or remove users that can no longer be found in the directory, as well as keep or update existing user’s details. Use the ‘keep users / keep details’ options if importing from a different domain or root DN.

Note: When merging, only users that have previously been added from your LDAP/LDIF directory will be affected. Users that have been manually added will not be affected.

Click OK to complete the Import Organization wizard and begin the import. Once the import is complete you will see you the Organization tree displayed. You can use the View drop-down list at the top of the Organization tree to display your groups, or your manager/subordinate hierarchy.

You can automate the process of importing your Organization using the Tasks tab.

  1. Go to the Tasks tab and select or create new task that runs on the desired schedule.
  2. Click Add | Import Organization from LDAP
  3. Follow the wizard to configure the options for importing your organization as above.

Synchronize with the Web Module

You also need to synchronize the Organization configuration with the web module every time it changes.

  1. Go to the Tasks tab and select the task that contains your Import Organization from LDAP task action.
  2. Click Add | Synchronize Web Module
  3. Select your Web Module and click OK.
  4. Use the up / down arrows to move the Synchronize Web Module action underneath the Import Organization from LDAP task action so that it happens after the organization import.

Every time you make changes to your Organization, you need to syncronize this information with the Web Module

Web Module - Dynamic Reports

Viewing Reports in the Web Module

Reports - Viewing Static Reports

Viewing a Report Document (Web Document – HTML, Loose files format)

5. Run Reports

Now that you have automated the process of importing log files, it is time to run some reports!

  1. Select one of the available Report Template and click the Generate Report option to launch the Generate Report Wizard.
  2. On the Storages page, select the Storage you want to report on.
  3. On the Format page, select the type of document you want to create the report as (HTML, Word, PDF, CVS, Text).
  4. On the Publish page, you can customize the name of the report, prefix the name with today’s date, copy the report to a location and compress it using zip (useful when emailing the ‘HTML, Loose Files’ Report Format to someone as an attachment).
  5. On the Documents page, you can choose to split your report into multiple documents based on anything in your log files, and/or aliases you have created such as Categories, Departments, Subnets, and so on. Leave this option unchecked to create a single report document.
  6. On the Filters page, click Add | Date Filter and select the dates you want to report on. You can also include/exclude any values from your log files using Add | Field Value Filter.
  7. The Email page enables you to email the report to someone as an attachment (Set your SMTP options in Tools | Options | Email).
  8. Once the report has been generated, it will appear in the Report Manager at the bottom of the screen. Double-click the file to open and view the report.

  1. Select an available Report Template and click the Publish Report option to launch the Publish Report to Web Module wizard.
  2. On the Storages page, select the Storage you want to report on.
  3. On the Template page, select the Report Template that you want to generate (the template selected in step 1 will be automatically selected)
  4. On the Publish page, select the Web Module you want to publish the report to. If you would like the option to drill down past the bounds of the report when viewing the report in the Web Module, check the Publish the selected storages to enable the ‘further analysis feature’ option.
  5. On the Split and Permit page, select No Separation to create just a single report, and select Everyone as the permission. Splitting reports by groups or managers and giving permission to certain people requires first importing your Organization information from LDAP on the Organization tab. See below.
  6. On the Filters page, click Add | Date Filter and select the dates you want to report on.
  7. The Notification page can be used to send a notification email to everyone with permission to the report(s). For now, leave the option unchecked.
  8. Click OK to publish the report to the Web Module.
  9. Once the report has been published, log into the Web Module and go to the Reports tab. Click the report to open and view it.

You can automate the generation or publishing of Reports using the Tasks tab.

  1. Go to the Tasks tab and select or create new task that runs on the desired schedule.
  2. Click the Add button to add a new Task Action.
    • To generate reports as a document (Web, Word, PDF, CSV or Test), select the Run a Comparison or Analysis Report or Run a Trend Report action, depending on the type of report template you want to automate.
    • To publish reports to the Web Module, select the Publish Report to Web Module action.
  3. Follow the wizard presented to configure the options for generating or publishing your report on the schedule. Make sure you add a Relative Date Filter on the Filters page to avoid reporting on your entire storage everytime the task runs.
  4. Use the up / down arrows to move the report action underneath other actions that need to occur first, such as the import of log files, or the importing your organization from LDAP (see below).

You may also like to see our article and video on Distributing web activity reports to managers using WebSpy Vantage.

Enjoy!

For further information on getting started and configuring WebSpy Vantage Ultimate, please see our Getting Started Guide, the Vantage Ultimate Documentation, or visit our Support Center.

Getting Started Guide
Documentation
Support Center