Configure Syslog Server Settings

Syslog is a log interface developed for UNIX but also used by a number of computer systems. Your Firebox can send log messages to a WatchGuard Log Server and a syslog server at the same time, or send log messages to only one or the other. Syslog log messages are not encrypted. We recommend that you do not select a syslog host on the external interface.

You can configure your Firebox to send log messages to a syslog server or a QRadar server. Syslog log messages can be encoded in two log formats: syslog format or IBM LEEF format. To send log messages to a syslog server, select the syslog log format. To send log messages to a QRadar server, select the IBM LEEF format.

When you configure the syslog settings, you can specify which port to use for your server. For a syslog server, you can configure the device to send the log message time stamp or device serial number to the syslog server. For a QRadar server, you can configure the device to send the device serial number or the syslog header to the QRadar server. For both server types, you can specify which syslog facility to send to the server for each log type. The syslog facility refers to one of the fields in the syslog packet and to the file syslog sends a log message to. The time stamp appears in the time zone specified on your device.

When you configure the settings for the server, you specify the syslog facility to use for your log messages. For high-priority syslog messages, such as alarms, select Local0. To assign priorities to other types of log messages (lower numbers have greater priority), select Local1 through Local7. For more information about logging facilities, see your syslog documentation.

Only log messages that include the msg-id field are sent to your QRadar server. These log message types are included:

  • Traffic
  • Alarm
  • Event
  • Diagnostics

When you select to send log messages to your QRadar server, the log messages include the LEEF header, with these details:

  • LEEF version
  • Vendor Name
  • Product Name
  • Product Version
  • Event ID

For example:

  • LEEF version — LEEF: 1.0
  • Vendor Name — WatchGuard
  • Product Name — Firebox
  • Product Version — 12.1.B548280
  • Event ID — 1AFF000B (message ID)

If you select to include the syslog header in the log messages that you send to QRadar, the host name and time stamp are not included in the log messages.
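To show how the LEEF header layout and the facility assignment above fit together on the receiving side, here is an added Python example (not WatchGuard's or IBM's code) that parses a syslog-transported LEEF 1.0 record from a Firebox, decodes the facility and severity from the PRI, and returns the header fields. The sample lines and their attribute values are constructed; only the vendor, product, version and event ID values come from this page.

```python
import re
from dataclasses import dataclass, field

# RFC 3164/5424: PRI = facility * 8 + severity; local0..local7 are facilities 16..23.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


@dataclass
class LeefEvent:
    facility: str
    severity: int
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict = field(default_factory=dict)


def parse_leef_line(line: str) -> LeefEvent:
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI")
    facility_num, severity = divmod(int(m.group("pri")), 8)
    facility = FACILITY_NAMES.get(facility_num, f"facility{facility_num}")
    rest = m.group("rest")
    start = rest.find("LEEF:")  # skip any timestamp/hostname header that precedes the record
    if start < 0:
        raise ValueError("no LEEF header")
    # LEEF 1.0: LEEF:<version>|<vendor>|<product>|<product version>|<event id>|<tab-separated attrs>
    parts = rest[start:].split("|", 5)
    if len(parts) < 5:
        raise ValueError("truncated LEEF header")
    leef_version = parts[0].split(":", 1)[1]
    vendor, product, product_version, event_id = parts[1:5]
    attrs = {}
    for kv in (parts[5].split("\t") if len(parts) == 6 else []):
        if "=" in kv:
            k, v = kv.split("=", 1)
            attrs[k] = v
    return LeefEvent(facility, severity, leef_version, vendor, product, product_version, event_id, attrs)


# Constructed sample lines (not real Firebox output): an alarm on local0, and an
# event on local1; the second carries no timestamp/hostname before the LEEF header.
SAMPLE_ALARM = ("<128>Jan  1 00:00:00 firebox LEEF:1.0|WatchGuard|Firebox|12.1.B548280|1AFF000B|"
                "src=10.0.0.5\tdst=203.0.113.7\tmsg=constructed sample")
SAMPLE_EVENT = "<142>LEEF:1.0|WatchGuard|Firebox|12.1.B548280|1AFF000B|msg=constructed sample"

if __name__ == "__main__":
    for line in (SAMPLE_ALARM, SAMPLE_EVENT):
        print(parse_leef_line(line))
```

A collector that checks `facility == "local0"` on alarm records is a cheap way to confirm the facility mapping configured on the device is what actually arrives.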

For information about the different types of messages, see Types of Log Messages.

Before you configure your device to send log messages to a syslog or QRadar server, you must have a syslog or QRadar server configured, operational, and ready to receive log messages.

Because syslog traffic is not encrypted, syslog messages that are sent through the Internet decrease the security of the trusted network. It is more secure if you put your syslog host on your trusted network.

See Also 

About Logging, Log Files, and Notification

Traffic Monitor

Types of Log Messages

Add a Log Server

Include Performance Statistics in Log Messages

Set the Diagnostic Log Level
