SonicWall Elastic Agent Syslog Elastic Integration Not Passing Data to Security Onion/Elastic

[sysadmin-sec]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

16

Storage for /

200 GB

Storage for /nsm

200 GB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Hello,

I am new to Security Onion and am hoping to use it to ingest Syslog data from my SonicWall OS 7 firewall. I have followed the following resources while configuring this:

• https://www.youtube.com/watch?v=aoH8qZwAxek (I used the SonicWall integration instead of PFSense)
• https://www.youtube.com/watch?v=Jb_sb_vLrB0 (Initial setup of the environment)
• VLAN 4095 for VM Install #7185
• https://www.elastic.co/docs/current/integrations/sonicwall_firewall
• https://github.com/elastic/integrations/blob/main/packages/sonicwall_firewall/_dev/build/docs/README.md
• There were a few similar posts on the forums, but they were unresolved.

I am attempting to use the Elastic SonicWall Firewall Syslog Integration, as recommended by the Security Onion tutorials. I isolated this to be a configuration issue on the Security Onion server. I have the SonicWall firewall configured to send Syslog data and confirmed it works via a POC Ubuntu VM running rSyslog. rSyslog captured all of the intended data. However, when querying from Elastic or Security Onion, I am unable to find any data from the SonicWall firewall.

I made the following changes under Administration/Configuration/Firewall

• hostgroups/customhostgroup0/IP of SonicWall firewall
• hostgroups/syslog/IP of SonicWall firewall
• portgroups/customportgroup0/udp/UDP port for Syslog on SonicWall firewall
• role/standalone/chain/INPUT/hostgroups/customhostgroup0/portgroups/customportgroup0

I synchronized the grid after making the changes.

Here is how I configured my SonicWall Elastic Integration:

As requested, here is some additional information regarding my environment:

•  SALT Status: Do you get any failures when you run "sudo salt-call state.highstate"? -->
• Network Traffic Collection: Are you collecting network traffic from a tap or span port? --> I do not believe I have the second NIC working correctly on my vSphere VM.

 
Has anyone been successful in configuring the SonicWall Syslog integration in their environment? Any tips or guidance would be greatly appreciated, this looks like such a useful tool! Please let me know what additional information to provide.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

Try using a different port, rather than 514 -- that's configured by default for the standard syslog listener.

[sysadmin-sec]

Thank you so much, I really appreciate it!! That did the trick, I never thought it would be that simple. It appears that Syslog traffic is populating in the Elastic dashboards and in Security Onion. I think that changing the port number was the answer.