Solved: I'm indexing thousands of events from Sonicwall in...

grantsmiley · ‎09-30-2015

I have a new Sonicwall indexing to Splunk 6.3. I have hundreds of thousands of events coming in from the Sonicwall every hour, however, the summary dashboards are all returning no data. My Sonicwall is sending very few events with a TID or template ID, and they're almost all ID 555. It appears most of the dashboards want to filter on TID, and there simply aren't any. I'm using the default syslog format on the Sonicwall, "Local Use 0" facility. I've tried with and without the "Override Syslog Settings with Reporting Software Settings". I'd like to keep that on as we have Sonicwall Analyzer set up as well. Is there another setting I'm missing in the firewall to get this to work?

grantsmiley · ‎02-05-2017

It turned out this was related to a customization that was made in the SonicWALL appliance itself. Reset it to factory defaults for logging and it worked fine

View solution in original post

chumneysplunk · ‎02-19-2017

I had a similar issue. I have syslog coming into splunk via UDP 514.

I was not getting any data into the Sonicwall Analytics App.

I found that the external collector was not configured.

Once I made sure Splunk was listening on port 2055, I then proceeded to setup the External Collector to use Splunk. All the data was visible via the Sonicwall Analytics app Dashboard(s) after the External Collector was setup.

grantsmiley · ‎02-05-2017

It turned out this was related to a customization that was made in the SonicWALL appliance itself. Reset it to factory defaults for logging and it worked fine

ConnorG · ‎07-18-2017

Was this done by importing the default logging levels? Or is there another setting to reset that I'm missing here?

I'm indexing thousands of events from Sonicwall in Splunk 6.3, but why are summary dashboards not showing any data?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!