Configure Sophos XG Firewall to send logs to Arctic Wolf

You can configure the Sophos XG Firewall® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

Configure log forwarding

Sign in to the Sophos Enterprise Console with administrator permissions.
Click System services > Log settings.
Click Add.
Configure these settings:
Note:
Do not use secure log transmission because it renders the syslog data unusable to Arctic Wolf.
- Name — Enter a name for the syslog server.
- IP address / Domain — Enter your Arctic Wolf Sensor IP address.
- Secure log transmission — Clear the checkbox.
- Port — Enter 514.
- Facility — Keep the default option.
- Severity level — Select Informational.
- Format — Select Standard syslog protocol.
Click Save.
Navigate to the Log settings section.
In the Suppress logs column, make sure that Firewall is not selected.
In the column with the name of the syslog server that you configured earlier, select all logs.

Sign in to the Arctic Wolf Unified Portal.
In the navigation menu, click Tickets & Alerts > All Tickets.
Perform the appropriate action, depending on if you are:
- A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
- An existing customer — Click Open a New Ticket.
On the Open a New Ticket page, configure these settings:
- What is this ticket related to? — Select General request.
- Subject — Enter Syslog changes.
- Related ticket (optional) — Keep empty.
- Message — Enter this information for your Concierge Security® Team (CST):
  - Confirmation that you completed the steps in this configuration guide.
  - The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
  - The IP address, timezone, and device type for all sources that you are forwarding.
  - Questions or comments that you have.
Click Send Message.

Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.