Configure WatchGuard log forwarding using Policy Manager

You can configure WatchGuard® Firebox to send the necessary logs to Arctic Wolf® using Policy Manager.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to Policy Manager with administrator permissions

Add syslog servers

  1. Sign in to Policy Manager.
  2. Click Setup > Logging.
  3. In the Logging Setup dialog, select the Send log messages to these syslog servers checkbox.
  4. Click Add.
  5. In the Configure Syslog dialog, in the IP Address field, enter your Arctic Wolf Sensor IP address.

    The Port field automatically populates with the default syslog server port, 514.

  6. Configure these settings:
    • Log Format — Select either Syslog or IBM LEEF.
    • Description — (Optional) Enter a description for the server.
    • The serial number of the device — (Optional) To include the serial number of the Firebox in the log message details, select the checkbox.
    • (IBM LEEF format only) The syslog header — Select the checkbox.
    • Syslog Settings — For each type of log message, select a syslog facility:
      • Local0 — Select for high-priority log messages. For example, alarms.
      • Local1 – Local7 — Select for lower priority log messages.
  7. In the Configure Syslog dialog, click OK.
  8. In the Logging Setup dialog, click OK.
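
To check a message captured in transit against the settings above, this Python sketch decodes the syslog priority value into facility and severity and flags LEEF payloads that arrive without a syslog header. It is an added example, not part of the Arctic Wolf or WatchGuard documentation; the sample messages and host name are constructed and do not reproduce the Firebox's actual message layout.

```python
import re

# Syslog facility codes 16-23 are Local0-Local7, the choices under Syslog Settings.
FACILITIES = {16 + n: f"local{n}" for n in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
LEEF_RE = re.compile(r"LEEF:(\d+\.\d+)\|")


def inspect(datagram: bytes) -> dict:
    """Decode the <PRI> header and detect a LEEF payload in one received message."""
    text = datagram.decode("utf-8", errors="replace").strip()
    result = {"facility": None, "severity": None, "format": "syslog", "problems": []}
    leef = LEEF_RE.search(text)
    if leef:
        result["format"] = "leef"
    pri = PRI_RE.match(text)
    if pri and int(pri.group(1)) <= 191:  # highest valid PRI is 23 * 8 + 7
        code, sev = divmod(int(pri.group(1)), 8)  # PRI = facility * 8 + severity
        result["facility"] = FACILITIES.get(code, f"facility{code}")
        result["severity"] = SEVERITIES[sev]
        if code not in FACILITIES:
            result["problems"].append("facility is not Local0-Local7")
    elif leef and leef.start() == 0:
        # The message starts with the LEEF payload, so no syslog header was sent.
        result["problems"].append("LEEF payload without syslog header")
    else:
        result["problems"].append("missing or invalid <PRI> header")
    return result


# Constructed sample messages (not real Firebox output).
SAMPLES = [
    b"<131>Jan 12 10:15:02 fw-example firewall: constructed alarm text",
    b"<142>Jan 12 10:15:03 fw-example LEEF:1.0|ExampleVendor|ExampleProduct|1.0|1000|src=192.0.2.10",
    b"LEEF:1.0|ExampleVendor|ExampleProduct|1.0|1000|src=192.0.2.10",
    b"<30>Jan 12 10:15:04 fw-example daemon: constructed text",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect(sample))
```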

Save the configuration file to the Firebox

  1. In Policy Manager, click File > Save > To Firebox.
  2. In the Save to Firebox dialog, in the IP Address or Name field, enter or select an IP address or name.
    Note: If you use a name, the name must resolve through DNS. If you enter an IP address, include all numbers and periods.
  3. In the Administrator User Name and Administrator Passphrase fields, enter the credentials of a device administrator user account that has read-write access.
  4. In the Authentication Server list, select the correct authentication server for the user account that you specified.
  5. If you use an Active Directory (AD) server for authentication, in the Domain field, enter the domain name of your AD server.
  6. Click OK.

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.