Configure Syslog Server Settings
Syslog is a log interface developed for UNIX but also used by a number of computer systems. Your Firebox can send log messages to a WatchGuard Log Server and a syslog server at the same time, or send log messages to only one or the other. Syslog log messages are not encrypted. We recommend that you do not select a syslog host on the external interface.
You can configure your Firebox to send log messages to a syslog server or a QRadar server. Syslog log messages can be encoded in two log formats: syslog format or IBM LEEF format. To send log messages to a syslog server, select the syslog log format. To send log messages to a QRadar server, select the IBM LEEF format.
When you configure the syslog settings, you can specify which port to use for your server. For a syslog server, you can configure the device to send the log message time stamp or device serial number to the syslog server. For a QRadar server, you can configure the device to send the device serial number or the syslog header to the QRadar server. For both server types, you can specify which syslog facility to send to the server for each log type. The syslog facility refers to one of the fields in the syslog packet and to the file syslog sends a log message to. The time stamp appears in the time zone specified on your device.
When you configure the settings for the server, you specify the syslog facility to use for your log messages. The syslog facility refers to one of the fields in the syslog packet and to the file where syslog sends a log message. For high-priority syslog messages, such as alarms, select Local0. To assign priorities for other types of log messages (lower numbers have greater priority), select Local1–Local7. For more information on logging facilities, see your syslog documentation.
Only log messages that include the msg-id field are sent to your QRadar server. These log message types are included:
When you select to send log messages to your QRadar server, the log messages include the LEEF header, with these details:
- LEEF version
- Vendor Name
- Product Name
- Product Version
- Event ID
- LEEF version — LEEF: 1.0
- Vendor Name — WatchGuard
- Product Name — XTM
- Product Version — 11.9.B444050
- Event ID — 1AFF000B (message ID)
If you select to include the syslog header in the log messages that you send to QRadar, the host name and time stamp are not included in the log messages.
For information about the different types of messages, see Types of Log Messages.
Before you configure your device to send log messages to a syslog or QRadar server, you must have a syslog or QRadar server configured, operational, and ready to receive log messages.
To configure your device to send log messages to a syslog or QRadar server:
- Select System > Logging.
The Logging page appears.
- Select the Syslog Server tab.
- Select the Send log messages to the syslog server at this IP address check box.
- In the IP Address text box, type the IP address for the syslog or QRadar server.
- In the Port text box, the default syslog server port (514) appears. To change the server port, type or select a different port for your server.
- From the Log Format drop-down list, select Syslog or IBM LEEF.
The details available to include in the log messages depend on the log format you select.
- (Syslog only) To include the date and time that the event occurs on your Firebox in the log message details, select the The time stamp check box.
- To include the serial number of the Firebox in the log message details, select the The serial number of the device check box.
- (QRadar only) To include the syslog header in the log message details, select the The syslog header check box.
- In the Syslog Settings section, for each type of log message, select a syslog facility from the drop-down list.
If you select the IBM LEEF log format, you must select the The syslog header check box before you can select the syslog facility for the log message types.
- For high-priority syslog messages, such as alarms, select Local0.
- To assign priorities for other types of log messages (lower numbers have greater priority), select Local1–Local7.
- To not send details for a message type, select NONE.
- Click Save.
Because syslog traffic is not encrypted, syslog messages that are sent through the Internet decrease the security of the trusted network. It is more secure if you put your syslog host on your trusted network.