Configure Syslog Server Settings
Syslog is a log interface developed for UNIX but also used by many other computer systems. Your Firebox can send log messages to a WatchGuard Log Server and a syslog server at the same time, or to only one of them. Syslog log messages are sent in clear text and are not encrypted, so anyone who can observe the traffic on the path to the syslog server can read them. We recommend that you do not select a syslog host on the external interface.
From Policy Manager, you can configure your Firebox to send log messages to a syslog server or a QRadar server. Syslog log messages can be encoded in two log formats: syslog format or IBM LEEF format. To send log messages to a syslog server, select the syslog log format. To send log messages to a QRadar server, select the IBM LEEF format.
When you configure the syslog settings, you can specify which port to use for your server. For a syslog server, you can configure the device to send the log message time stamp or the device serial number to the syslog server. For a QRadar server, you can configure the device to send the device serial number or the syslog header to the QRadar server. For both server types, you can specify which syslog facility to send to the server for each log type. The syslog facility is a field in the syslog packet header; the syslog server uses it to decide how to route the message, for example which file to write it to. The time stamp appears in the time zone configured on your device.
Only log messages that include the msg-id field are sent to your QRadar server. These log message types are included:
When you select to send log messages to your QRadar server, the log messages include the LEEF header, with these details:
- LEEF version — LEEF: 1.0
- Vendor Name — WatchGuard
- Product Name — XTM
- Product Version — 11.9.B444050
- Event ID — 1AFF000B (message ID)
If you select to include the syslog header in the log messages that you send to QRadar, the host name and time stamp are not included in the log messages.
To configure your device to send log messages to a syslog or QRadar server:
- Select Setup > Logging.
The Logging Setup dialog box appears.
- Select the Send log messages to this syslog server check box.
- In the IP address text box, type the IP address of the syslog or QRadar server.
- (Optional) To change the port for the server, in the Port text box, type or select the new port number.
The default port is 514.
- From the Log format drop-down list, select Syslog or IBM LEEF.
- Click Configure.
The Configure Syslog dialog box appears. The options included in the dialog box depend on the log format you selected.
- (Syslog only) To include the Firebox time stamp in the log message details, select the check box labeled The time stamp.
- To include the serial number of the Firebox in the log message details, select the check box labeled The serial number of the device.
- (QRadar only) To include the syslog header in the log message details, select the check box labeled The syslog header.
- For each type of log message, select a syslog facility:
- For high-priority syslog messages, such as alarms, select Local0.
- To assign priorities for other types of log messages (lower numbers have greater priority), select Local1–Local7.
- To not send details for a log message type, select NONE.
For information about the different types of messages, see Types of Log Messages.
For more information on logging facilities, see your syslog documentation.
- To restore the default settings for syslog, click Restore Defaults.
- Click OK to close the Configure Syslog dialog box.
- Click OK to close the Logging Setup dialog box.
- Save the Configuration File.
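As an added example (not WatchGuard code and not part of this page), the following Python decodes messages the way a collector on the receiving end would: it computes and splits the syslog PRI field to recover the facility chosen above (Local0 through Local7 are facility codes 16 through 23 in RFC 3164) and the severity, and it splits the IBM LEEF 1.0 header fields listed earlier on this page. The two sample lines are constructed, the attribute names sn and msg are assumptions, and real Firebox message bodies differ from them.

```python
"""Decode syslog lines as a collector would receive them from a Firebox.

Added example, not WatchGuard code. The sample lines are constructed; only
the facility range (Local0..Local7) and the LEEF 1.0 header layout
(LEEF:1.0|Vendor|Product|Version|EventID|attributes) come from the page.
"""
import re

# RFC 3164 facility codes. The Firebox lets you choose Local0..Local7 (16..23) per log type.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_leef(text: str):
    """Split an IBM LEEF 1.0 record: header fields are '|'-delimited, attributes tab-delimited.

    Returns None when no LEEF header is present (plain syslog format).
    """
    start = text.find("LEEF:")
    if start < 0:
        return None
    parts = text[start:].split("|", 5)  # maxsplit keeps any '|' inside attributes intact
    if len(parts) < 6:
        return None
    version, vendor, product, product_version, event_id, attr_text = parts
    attributes = {}
    for token in attr_text.split("\t"):
        if "=" in token:
            key, value = token.split("=", 1)
            attributes[key] = value
    return {
        "version": version.split(":", 1)[1],
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attributes": attributes,
    }


def parse_syslog(line: str) -> dict:
    """Decode the <PRI> prefix and classify the message as syslog or LEEF format."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line does not start with a <PRI> field")
    facility, severity = decode_pri(int(m.group(1)))
    body = m.group(2)
    leef = parse_leef(body)
    return {
        "facility": FACILITY_NAMES.get(facility, str(facility)),
        "severity": SEVERITY_NAMES[severity],
        "format": "leef" if leef else "syslog",
        "leef": leef,
        "body": body,
    }


def is_alarm(record: dict) -> bool:
    """The page recommends Local0 for high-priority messages such as alarms."""
    return record["facility"] == "local0"


# Constructed sample input (not captured from a real device); attribute names are assumed.
SAMPLE_SYSLOG = "<129>Mar 10 12:00:01 firebox-1 alarm: constructed alarm text"
SAMPLE_LEEF = ("<134>LEEF:1.0|WatchGuard|XTM|11.9.B444050|1AFF000B|"
               "sn=CONSTRUCTED01\tmsg=constructed event text")

if __name__ == "__main__":
    for line in (SAMPLE_SYSLOG, SAMPLE_LEEF):
        rec = parse_syslog(line)
        print(rec["format"], rec["facility"], rec["severity"], "ALARM" if is_alarm(rec) else "")
```

The PRI split is the check to run first when messages land in the wrong file on the collector: a Firebox set to Local0 for alarms produces PRI values 128 through 135, and any other facility means the Firebox setting and the collector's routing rule do not agree.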