In order for live syslog data to be imported, ensure:
- SonicWall Syslog is configured correctly:
Configure SonicWall to send Network and Web Traffic events via Syslog to the Fastvue Reporter machine. Please see our Getting Started Page for information on how to do this for your version of SonicOS.
- The logging level is set to 'Inform' and Redundancy Interval Filter is set to 0:
Go to Log | Settings and ensure the global logging level is set to Inform. Expand Log | Syslog, then click the 'Configure' button for the 'Syslog Website Accessed' events. Make sure the 'Report Events via Syslog' option is set to 0 seconds, and that the events are set to 'Inform'.
- SonicWall Content Filtering Service (CFS) is active:
Clients on your network are actively browsing the web and being filtered by SonicWall. For SonicWall to log web traffic events, ensure CFS is correctly licensed and enabled, and that you have policies in place that use CFS (blocking/allowing on categories).
- Syslog Server is the Fastvue Server's IP Address:
You have specified the Fastvue Reporter server as a syslog server in Log | Syslog | Syslog Servers. Double-check the Fastvue server's IP address by running ipconfig at the command line.
- Syslog protocol is UDP and port is 514 or unused:
In your SonicWall's syslog settings, ensure you're using the syslog port 514, or another unused port, and that the protocol is set to UDP.
- Fastvue Source Settings are correct:
You have added the SonicWall as a Source in Fastvue Reporter (Settings | Sources) using the correct name or IP address and port (e.g. 514). Ensure the IP address is that of the SonicWall interface the Fastvue Server is actually connected to (e.g. if the Fastvue server is in your internal network, specify the IP for SonicWall's internal interface).
- No firewall or antivirus issues:
There is nothing blocking port 514 on the Fastvue Reporter machine (such as Windows Firewall), or in between the Fastvue Reporter machine and the SonicWall. See our article on Opening the Syslog Port in Windows Firewall for more information.
- No Port Conflict:
There is no port conflict on port 514 (or your specified port) with another application or service on the Fastvue Reporter machine (see below).
- No routing issues between SonicWall and Fastvue:
The Fastvue Server and the SonicWall source are in the same subnet, or there is a router between the subnets configured to allow syslog traffic through. If there is a router between the two servers, pay careful attention to how that router handles the traffic, whether there is NAT involved, whether that router is the default gateway for both machines, etc. If the Fastvue server and the SonicWall are separated by the public Internet, configure a Site-to-Site VPN between the networks so that syslog traffic can traverse between the networks reliably and securely.
- Syslog Server Profile is correct (SonicOS 6.2.7 and above):
Go to Log Settings | Syslog and edit your Fastvue Syslog server. Ensure the Event Profile is set to 0, unless you have specifically changed certain log events to use a different syslog profile in Log | Base Setup.
Troubleshooting Port Conflicts
To find out whether there is a port conflict on the Fastvue Reporter machine for port 514, open a command prompt and enter:
netstat -ano | find "514"
This will list all the processes on the machine using port 514 (it may also include other processes that have a substring of 514). Note the Process ID, and then open Task Manager and go to the Services tab. You should be able to identify the other process by looking for the matching Process ID (PID).
If there is another process listening on Port 514, the easiest solution is to change the port being used both in the syslog settings on your SonicWALL (Logs | Syslog), and in the source in Fastvue Reporter (Settings | Sources). As an example, try port 49514.
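A stricter version of the port check above, as an added example (not Fastvue's own tooling): it matches the port number exactly and only over UDP, then resolves each PID to its process and any Windows service it hosts. The `$Port` variable is an assumption to be set to the port configured in Settings | Sources, and `Get-NetUDPEndpoint` requires Windows 8 / Server 2012 or later.

```powershell
# Added example: exact-match check for listeners on the syslog port.
# $Port is an assumed variable; set it to the port used in Settings | Sources.
$Port = 514

# Syslog here is sent over UDP, so only UDP endpoints can conflict. A TCP
# listener on the same port number uses a separate port space and is ignored.
$endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue

if (-not $endpoints) {
    Write-Output "No process is bound to UDP port $Port."
}
else {
    foreach ($ep in $endpoints) {
        $procId = $ep.OwningProcess

        # The owning process may have exited between the two calls.
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue

        # One process (e.g. svchost) can host several services.
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
            Select-Object -ExpandProperty Name

        [pscustomobject]@{
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            ProcessId    = $procId
            Process      = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Services     = ($services -join ', ')
        }
    }
}
```

Any owner listed other than the Fastvue Reporter service is a conflict on that port. A LocalAddress of 0.0.0.0 means the listener is bound on every interface.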
Further Troubleshooting
If all of the above checks out, and no data is being received by Fastvue Reporter, first validate that SonicWALL is logging Website hits as expected.
1. In SonicWALL, click on *Dashboard | Log Monitor* or *Log | Log Monitor*.
2. Add a filter for *Priority | Inform* and *Category | Log*.
3. Apply the filter and you should be able to see messages being logged.
4. If the messages you expect to see are not being logged, there is an issue with CFS in SonicWALL or with how the CFS policy is applied.
5. In this instance, it would be best to follow through with a SonicWALL support request and go through the Log Monitor in SonicWALL to show the issue for resolution.
If all of the above checks out, and no data is being received by Fastvue Reporter, you can enable full diagnostic logging to log all syslog messages received (regardless of whether they are processed by Fastvue Reporter) to the 'Dashboard.log' file (location shown in Settings | Diagnostic).
- Go to Settings | Diagnostic and increase the logging level to Full.
- Let the software run for five minutes, and then zip and upload the Dashboard.log file to http://www.fastvue.co/upload. The log should contain some diagnostic information to help us troubleshoot this for you.
- As this logging level will grow the Dashboard.log significantly over time, set the logging level back to Normal.