Configure Syslog Server Settings

Syslog is a log interface developed for UNIX but also used by a number of computer systems. Your Firebox or XTM device can send log messages to a WatchGuard Log Server and a syslog server at the same time, or send log messages to only one or the other. Syslog log messages are not encrypted. We recommend that you do not select a syslog host on the external interface.

You can configure your Firebox or XTM device to send log messages to a syslog server or a QRadar server. Syslog log messages can be encoded in two log formats: syslog format or IBM LEEF format. To send log messages to a syslog server, select the syslog log format. To send log messages to a QRadar server, select the IBM LEEF format.

When you configure the syslog settings, you can specify which port to use for your server. For a syslog server, you can configure the device to send the log message time stamp or device serial number to the syslog server. For a QRadar server, you can configure the device to send the device serial number or the syslog header to the QRadar server. For both server types, you can specify which syslog facility to send to the server for each log type. The syslog facility refers to one of the fields in the syslog packet and to the file syslog sends a log message to. The time stamp appears in the time zone specified on your device.

When you configure the settings for the server, you specify the syslog facility to use for your log messages. For high-priority syslog messages, such as alarms, select Local0. To assign priorities for other types of log messages (lower numbers have greater priority), select Local1 through Local7. For more information on logging facilities, see your syslog documentation.

Only log messages that include the msg-id field are sent to your QRadar server. These log message types are included:

When you select to send log messages to your QRadar server, the log messages include the LEEF header, with these details:

For example:

If you select to include the syslog header in the log messages that you send to QRadar, the host name and time stamp are not included in the log messages.
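To make the facility setting and the LEEF header concrete, here is an added example (not WatchGuard's code or output): it decodes the syslog PRI field, where the Local0 to Local7 facility and the severity are packed as facility * 8 + severity, and splits a LEEF record into its header fields and tab-delimited attributes. The sample lines, vendor and product names and event IDs are constructed for illustration.

```python
import re

# Syslog facility codes from RFC 3164: Local0..Local7 are facilities 16..23.
FACILITY_NAMES = {16 + i: f"Local{i}" for i in range(8)}
# Severity 0 (emergency) is the most urgent, 7 (debug) the least.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8


def parse_leef(body):
    """Split a LEEF record into its pipe-delimited header and tab-delimited key=value attributes."""
    parts = body.split("|", 5)
    if len(parts) < 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF record")
    attrs = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
    return {"version": parts[0][5:], "vendor": parts[1], "product": parts[2],
            "product_version": parts[3], "event_id": parts[4], "attrs": attrs}


def parse_syslog_line(line):
    """Decode the <PRI> prefix and, when present, the LEEF header of one syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    body = m.group(2)
    record = {
        "facility": FACILITY_NAMES.get(facility, str(facility)),
        "severity": SEVERITY_NAMES[severity],
        "body": body,
    }
    if body.startswith("LEEF:"):
        record["leef"] = parse_leef(body)
    return record


# Constructed sample lines (not real Firebox output): Local0/info and Local7/alert.
SAMPLE_SYSLOG = "<134>Jan  1 12:00:00 firebox-placeholder Allow 10.0.0.5 tcp 443"
SAMPLE_LEEF = "<185>LEEF:1.0|ExampleVendor|ExampleFirewall|1.0|1000|src=10.0.0.5\tdst=203.0.113.7\tmsg=alarm"

if __name__ == "__main__":
    for line in (SAMPLE_SYSLOG, SAMPLE_LEEF):
        print(parse_syslog_line(line))
```

Running this against a packet capture from the Firebox lets you confirm that each log type arrives with the facility you selected on the Logging page.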

For information about the different types of messages, see Types of Log Messages.

Before you configure your device to send log messages to a syslog or QRadar server, you must have a syslog or QRadar server configured, operational, and ready to receive log messages.

To configure your device to send log messages to a syslog or QRadar server:

  1. Select System > Logging.
    The Logging page appears.
  2. In the Syslog Server section, select the Send log messages to the syslog server at this IP address check box.
  3. In the IP Address text box, type the IP address for the syslog or QRadar server.
  4. In the Port text box, the default syslog server port (514) appears. To change the server port, type or select a different port for your server.
  5. From the Log Format drop-down list, select Syslog or IBM LEEF.
    The details available to include in the log messages depend on the log format you select.

Screen shot of the Syslog Server settings

The Syslog Settings for the syslog log format.

Screen shot of the Syslog Server settings for the IBM LEEF log format

The Syslog Settings for the IBM LEEF log format.

  6. (Syslog only) To include the date and time that the event occurs on your XTM device in the log message details, select the check box labeled The time stamp.
  7. To include the serial number of the XTM device in the log message details, select the check box labeled The serial number of the device.
  8. (QRadar only) To include the syslog header in the log message details, select the check box labeled The syslog header.
  9. In the Syslog Settings section, for each type of log message, select a syslog facility from the drop-down list.
    If you select the IBM LEEF log format, you must select the check box labeled The syslog header before you can select the syslog facility for the log message types.
  10. Click Save.

Because syslog traffic is not encrypted, syslog messages that are sent through the Internet decrease the security of the trusted network. It is more secure if you put your syslog host on your trusted network.

See Also 

About Logging, Log Files, and Notification

Traffic Monitor

Types of Log Messages
