Skip to content
Find out how we support MDR.

SonicWall SonicOS

Log collector

The SonicOS security appliance can send event messages to the Sophos Data Lake.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure SonicOS to send data to the log collector.


A VM can host integrations for multiple products, but can't host more than one integration of the same product.

Add an integration

To integrate SonicOS with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center and click Integrations.
  2. Click SonicWall SonicOS.

    If you've already set up connections to SonicOS, you see them here.

  3. Click Add integration.


    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration steps you configure your VM to receive data from SonicOS. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the VM.
  3. Select the virtual platform. (Currently we only support VMware).
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.


      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

    You'll need the VM's address later, when you configure SonicOS to send data to it.

  5. Select a Protocol.

  6. Complete any remaining fields on the form.
  7. Click Save.

    We create the integration and it appears in your list. It might take a few minutes for the OVA file to be ready.

Deploy the VM


The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure SonicOS

You now configure SonicOS to send data to us.

To configure syslog settings on your firewall, do as follows:


If you use SonicWall's Global Management System (GMS) to manage your firewall, you can't change the syslog format (Default) or the syslog ID (Firewall). You can change the other settings. The following instructions don't use GMS.

  1. Go to Log > Syslog.
  2. Select Syslog Servers and click Add.
  3. Enter the address details for your VM.
  4. In Syslog Format choose ArcSight. The Sophos log collector receives ArcSight CEF format alerts.

    When you select Arcsight, the Configure icon becomes active.

  5. Click the Configure icon. The ArcSight CEF fields Settings configuration window appears.

  6. Select the ArcSight options that you want to log. In most cases, this is All. To select all options, click Select All.
  7. Click Save.
  8. In the Syslog ID box, enter the syslog ID that you want.

    A Syslog ID field is included in all generated messages, prefixed by id=.

    For example, for firewall, the default value, all syslog messages include id=firewall. You can set an ID consisting of 0 to 32 letters, numbers, and underscores.


    When Override Syslog Settings with Reporting Software Settings option is turned on, the Syslog ID field is fixed to "Firewall". You can't change it.

  9. Click Accept at the top of the page.

  10. Go to Log > Settings to configure which alerts are forwarded to Sophos.
  11. In Logging Level you must select Warning.

    This filters out lower priority events.

  12. On the Log > Settings page you can also filter events according to their Event Attributes.

    1. Select a category and click Configure.
    2. In Edit Log Category, select the syslog checkbox for specific categories.

      Your changes apply to all groups and events in the selected category.

More information