Configure a syslog server to send logs to Arctic Wolf

You can configure your syslog server to send the necessary logs to Arctic Wolf®.

Note: This is a generic configuration. Only use this configuration if your product is not listed on Syslog Integrations.

Arctic Wolf supports raw log ingestion for syslog integrations, but we do not currently provide security monitoring for all log types, for example, non-RFC logs.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • TLS version 1.2
    Note: Arctic Wolf supports TLS version 1.2 for encrypted syslog data sent to the Arctic Wolf Sensor. If your log source requires older cipher suites, contact your Concierge Security® Team (CST) to discuss an exception.
  • A certificate, if you are configuring encryption for syslog forwarding. Contact your CST for more information.
  • A syslog server

Configure log forwarding

  1. To enable Arctic Wolf monitoring on your syslog server, configure these settings:
    • IP address — Enter your Arctic Wolf Sensor IP address.
    • Protocol — Select TCP or UDP.
    • Port — Enter 514.
    • Facility — Keep the default settings.
    • Syslog format — Keep the default settings.
    • Encrypted syslog — Select Port 6514.
  2. Optional: Some syslog servers require additional configuration steps.

    For more information, see Log sources with syslog support.

    Note: Contact your CST for assistance.
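As one instance of the settings in step 1, assuming rsyslog is the syslog server, the following forwarding rule shows the unencrypted (port 514) and encrypted (port 6514) options side by side. This is an added example, not Arctic Wolf's own configuration. The file name, the address 192.0.2.10, the peer name sensor.example.internal, the CA file path, and the assumption that the certificate from your CST is used to verify the Sensor are all placeholders to confirm with your CST.

```conf
# /etc/rsyslog.d/60-arcticwolf.conf  (hypothetical file name)
# Constructed values: 192.0.2.10 stands in for your Sensor IP address,
# sensor.example.internal for the name in the Sensor's certificate, and
# /etc/rsyslog.d/certs/aw-ca.pem for the certificate obtained through your CST.
# Enable only one of the two options, otherwise every event is sent twice.

# Option A: unencrypted forwarding to port 514.
# Messages cross the network in clear text. For UDP, set protocol="udp".
#action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp")

# Option B: encrypted forwarding to port 6514 over TLS.
# Needs the gtls netstream driver (package rsyslog-gnutls on most distributions).
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/aw-ca.pem"
)

# StreamDriverMode="1" forces TLS on this connection.
# StreamDriverAuthMode="x509/name" validates the peer certificate chain and
# checks its name against StreamDriverPermittedPeers.
# gnutlsPriorityString limits the session to TLS 1.2 (needs a recent rsyslog).
# The in-memory queue with unlimited retries holds events while the Sensor
# is unreachable instead of discarding them.
action(
    type="omfwd"
    target="192.0.2.10"
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="sensor.example.internal"
    gnutlsPriorityString="NORMAL:-VERS-ALL:+VERS-TLS1.2"
    queue.type="LinkedList"
    action.resumeRetryCount="-1"
)
```

Run `rsyslogd -N1` to validate the syntax before restarting the service.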

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.