Getting Data In

Sonicwall syslogs and Splunk


Does anyone out there use Splunk to collect Sonicwall Syslogs? We only have the 2GB splunk license and in hardly touch that. When I turn on the Sonicwall it overloads Splunk with logs. So I'm looking for any recommendations that anyone would have to quiet this thing down. I really only care about errors, I'm not doing any log collecting for compliance or anything like that. I just like to know when things go wrong.

Tags (1)
0 Karma


I was able to figure it out, in there the log settings there is a preconfigured setting for low logging that works perfect.


While I haven't used that myself too much yet, if you know how to distinguish an error event you'd like to index from a non-error event you'd like to discard you can set up regex-based filtering in props.conf/transforms.conf like this:

TRANSFORMS-filter = setnull,filter_for_errors

DEST_KEY = queue
FORMAT = nullQueue

REGEX = some regular expression identifying events you want to keep
DEST_KEY = queue
FORMAT = parsingQueue
0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...