I have a new Sonicwall indexing to Splunk 6.3. I have hundreds of thousands of events coming in from the Sonicwall every hour; however, the summary dashboards are all returning no data. My Sonicwall is sending very few events with a TID or template ID, and they're almost all ID 555. It appears most of the dashboards want to filter on TID, and there simply aren't any. I'm using the default syslog format on the Sonicwall, "Local Use 0" facility. I've tried with and without "Override Syslog Settings with Reporting Software Settings". I'd like to keep that on, as we have Sonicwall Analyzer set up as well. Is there another setting I'm missing in the firewall to get this to work?
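Before hunting for a firewall setting, it helps to confirm what the appliance is actually emitting. The script below is an added example, not code from this thread or from SonicWall or Splunk: it parses lines in SonicWall's default key=value syslog format (quoted values such as time="..." and msg="..." may contain spaces) and tallies them by the m= message-ID field, plus a count of lines that carry no message ID at all. The sample lines are constructed for the example, and the serial number, addresses and message texts in them are placeholders; whether the m= value is what the app's dashboards treat as the TID is not settled by this thread, so the tally is a triage aid rather than a fix.

```python
import re
from collections import Counter

# Constructed sample lines in the SonicWall key=value syslog format. They are
# illustrative only; the serial number, addresses and message texts are
# placeholders, not captured output from the poster's firewall.
SAMPLE_LINES = [
    '<134>Nov  3 10:01:02 fw1 id=firewall sn=000000000000 '
    'time="2015-11-03 10:01:02 UTC" fw=203.0.113.10 pri=6 c=1024 m=555 '
    'msg="Constructed sample event" n=1',
    '<134>Nov  3 10:01:03 fw1 id=firewall sn=000000000000 '
    'time="2015-11-03 10:01:03 UTC" fw=203.0.113.10 pri=6 c=1024 m=555 '
    'msg="Constructed sample event" n=2',
    '<134>Nov  3 10:01:04 fw1 id=firewall sn=000000000000 '
    'time="2015-11-03 10:01:04 UTC" fw=203.0.113.10 pri=6 c=1024 m=537 '
    'msg="Connection Closed" src=192.0.2.5:51234:X0 dst=198.51.100.20:443:X1 '
    'proto=tcp/https',
    # A line with no m= field at all, to exercise the missing-ID count.
    '<134>Nov  3 10:01:05 fw1 id=firewall sn=000000000000 '
    'time="2015-11-03 10:01:05 UTC" fw=203.0.113.10 pri=6 '
    'msg="No message ID on this line"',
]

# key=value pairs; the value is either a double-quoted string (which may
# contain spaces and '=' characters) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_sonicwall_line(line):
    """Return a dict of the key=value fields on one SonicWall syslog line.

    Anything before the first key=value pair (the syslog PRI and header) is
    ignored, and keys that appear inside a quoted value are not re-parsed.
    """
    fields = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize(lines):
    """Tally lines by their m= message ID and count lines that lack one."""
    by_message_id = Counter()
    without_message_id = 0
    for line in lines:
        fields = parse_sonicwall_line(line)
        message_id = fields.get("m")
        if message_id:
            by_message_id[message_id] += 1
        else:
            without_message_id += 1
    return {
        "total": len(lines),
        "by_message_id": dict(by_message_id),
        "without_message_id": without_message_id,
    }


def report(lines):
    """Print a short breakdown, most frequent message IDs first."""
    summary = summarize(lines)
    print("total lines:", summary["total"])
    print("lines without m=:", summary["without_message_id"])
    for message_id, count in sorted(
        summary["by_message_id"].items(), key=lambda item: -item[1]
    ):
        print("m=%s: %d" % (message_id, count))
    return summary


if __name__ == "__main__":
    # Feed real output with: python this_script.py < sonicwall.log
    import sys
    lines = [ln.rstrip("\n") for ln in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LINES
    report(lines)
```

Run against a capture of what Splunk actually received (for example, the raw events exported from a search over the sonicwall input), a breakdown dominated by one ID with most of the expected IDs absent points at the firewall's logging configuration rather than at the Splunk side.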
I had a similar issue. I have syslog coming into Splunk via UDP 514.
I was not getting any data into the Sonicwall Analytics App.
I found that the external collector was not configured.
Once I made sure Splunk was listening on port 2055, I then proceeded to set up the External Collector to use Splunk. All the data was visible via the Sonicwall Analytics app Dashboard(s) after the External Collector was set up.
It turned out this was related to a customization that was made in the SonicWALL appliance itself. Reset it to factory defaults for logging and it worked fine.
Was this done by importing the default logging levels? Or is there another setting to reset that I'm missing here?