Syslog is a logging protocol that originated on UNIX and is now supported by many systems. Your Firebox or XTM device can send log messages to a WatchGuard Log Server and to a syslog server at the same time, or to only one of them. Syslog log messages are sent in clear text and are not encrypted, so we recommend that you do not select a syslog host on the external interface.
You can configure your Firebox or XTM device to send log messages to a syslog server or to a QRadar server, in one of two log formats: syslog format or IBM LEEF format. To send log messages to a syslog server, select the syslog log format. To send log messages to a QRadar server, select the IBM LEEF format.
When you configure the syslog settings, you specify the port your server listens on. For a syslog server, you can choose whether the device includes the log message time stamp and the device serial number in each message. For a QRadar server, you can choose whether the device includes the device serial number and the syslog header. For both server types, you specify the syslog facility to use for each log type. The time stamp is in the time zone configured on your device.
The syslog facility is a field in the syslog packet (it is encoded in the PRI value together with the message severity), and the receiving syslog server uses it in its rules to decide which file a log message is written to. The facility itself carries no urgency in the syslog protocol; the severity is a separate field. The convention on the device is that lower facility numbers hold the more important log types: for high-priority log messages, such as alarms, select Local0, and assign Local1 through Local7 to the other log message types in order of decreasing priority. For more information on logging facilities, see your syslog documentation.
Only log messages that include the msg-id field are sent to your QRadar server. These log message types are included:
When you select to send log messages to your QRadar server, the log messages include the LEEF header, with these details:
If you select to include the syslog header in the log messages that you send to QRadar, the host name and time stamp are not included in the log messages.
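The facility and severity choices above, and the LEEF header that QRadar receives, are easiest to check at the receiving end. The following parser is an added example for this page, not WatchGuard or IBM code: it decodes the syslog PRI value into facility and severity (Local0 through Local7 are facility codes 16 through 23, and PRI is facility * 8 + severity), strips an assumed BSD-style "MMM dd HH:MM:SS host" header, and parses a LEEF 1.0 or 2.0 header plus its attributes. The two sample lines are constructed; the vendor, product, version and event-ID values in them are placeholders, the header shape is an assumption, and treating the LEEF EventID field as the per-message identifier is also an assumption. Run it over lines captured on your syslog or QRadar collector to confirm that alarms arrive on the facility you selected and that every LEEF event carries an identifier.

```python
"""Decode syslog PRI/facility and LEEF headers from lines as a collector sees them.

Added example, not device or vendor code. Sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# RFC 5424 facility codes: local0..local7 are 16..23. PRI = facility * 8 + severity.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Assumed header shape for the constructed samples: "MMM dd HH:MM:SS host message".
BSD_HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


@dataclass
class ParsedLine:
    facility: Optional[int] = None
    severity: Optional[int] = None
    timestamp: Optional[str] = None
    host: Optional[str] = None
    message: str = ""
    leef: Optional[Dict[str, str]] = None  # header fields plus attributes when LEEF


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a PRI value into (facility, severity); reject values outside 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def facility_name(code: Optional[int]) -> str:
    return FACILITY_NAMES.get(code, f"facility{code}")


def parse_leef(payload: str) -> Dict[str, str]:
    """Parse 'LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v'.

    LEEF 2.0 inserts an attribute-delimiter field after EventID; it may be a
    literal character or a hex form such as x09.
    """
    if not payload.startswith("LEEF:"):
        raise ValueError("not a LEEF payload")
    parts = payload.split("|")
    version = parts[0][len("LEEF:"):]
    if version.startswith("2."):
        if len(parts) < 7:
            raise ValueError("truncated LEEF 2.0 header")
        vendor, product, prod_ver, event_id, delim = parts[1:6]
        attr_text = "|".join(parts[6:])  # rejoin in case a value contains '|'
        if len(delim) > 1 and delim[0] in "xX":
            delim = chr(int(delim[1:], 16))
        delim = delim or "\t"
    else:
        if len(parts) < 6:
            raise ValueError("truncated LEEF 1.0 header")
        vendor, product, prod_ver, event_id = parts[1:5]
        attr_text = "|".join(parts[5:])
        delim = "\t"
    fields = {"leef_version": version, "vendor": vendor, "product": product,
              "product_version": prod_ver, "event_id": event_id}
    for pair in attr_text.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value
    return fields


def parse_line(line: str) -> ParsedLine:
    """Parse one received line: optional PRI, optional BSD header, optional LEEF body."""
    result = ParsedLine()
    rest = line.rstrip("\r\n")
    m = PRI_RE.match(rest)
    if m:
        result.facility, result.severity = decode_pri(int(m.group(1)))
        rest = m.group(2)
    h = BSD_HEADER_RE.match(rest)
    if h:
        result.timestamp, result.host, rest = h.groups()
    result.message = rest
    idx = rest.find("LEEF:")
    if idx >= 0:
        result.leef = parse_leef(rest[idx:])
    return result


def has_event_id(parsed: ParsedLine) -> bool:
    """True when a LEEF line carries a non-empty EventID (assumed to be the msg-id)."""
    return bool(parsed.leef and parsed.leef.get("event_id"))


# Constructed samples, not real device output. PRI 129 = local0.alert, 134 = local0.info.
SAMPLE_SYSLOG = "<129>Jan  5 10:15:22 fw-edge1 alarm: constructed example event"
SAMPLE_LEEF = ("<134>Jan  5 10:15:23 fw-edge1 LEEF:1.0|ExampleVendor|ExampleProduct|0.0|"
               "example-msg-id|src=10.0.0.5\tdst=203.0.113.9\tproto=tcp")

if __name__ == "__main__":
    for sample in (SAMPLE_SYSLOG, SAMPLE_LEEF):
        p = parse_line(sample)
        print(facility_name(p.facility), SEVERITY_NAMES[p.severity], p.host, p.leef)
```

The check a practitioner wants from this is twofold: alarm-severity messages should land on the facility you selected for alarms (Local0 here, facility code 16), and anything destined for QRadar should parse as LEEF with a non-empty identifier, since messages without a msg-id are not sent at all.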
For information about the different types of messages, see Types of Log Messages.
Before you configure your device to send log messages to a syslog or QRadar server, you must have a syslog or QRadar server configured, operational, and ready to receive log messages.
To configure your device to send log messages to a syslog or QRadar server:
Because syslog traffic is not encrypted, sending syslog messages across the Internet exposes the contents of your log messages and reduces the security of the trusted network. It is more secure to put your syslog host on your trusted network.
About Logging, Log Files, and Notification
Types of Log Messages