WatchGuard Logs

Updated Nov 10, 2023

Configure WatchGuard log forwarding using Fireware Web UI

You can configure WatchGuard® Firebox to send the necessary logs to Arctic Wolf® for security monitoring security using Fireware Web UI.

Sign in to the Fireware Web UI with administrator permissions.
Click System > Logging.
Click the Syslog Server tab.
Select the Send log messages to these syslog servers checkbox.
Click Add.
In the Syslog Server dialog, in the IP Address field, enter the IP address of your Arctic Wolf Sensor.

The Port field automatically populates with the default syslog server port, 514.
Configure these settings:
- Log Format — Select either Syslog or IBM LEEF.
- Description — (Optional) Enter a description for the server.
- The serial number of the device — (Optional) To include the serial number of the Firebox in the log message details, select the checkbox.
- (Optional) The serial number of the device — To include the serial number of the Firebox in the log message details, select the checkbox.
- (IBM LEEF format only) The syslog header — Select the checkbox.
- Syslog Settings — For each type of log message, select a syslog facility:
  - Local0 — Select for high-priority log messages. For example, alarms.
  - Local1 – Local7 — Select for lower priority log messages.
Click Save.

Sign in to the Arctic Wolf® Unified Portal.
Click Help > Open a New Ticket.
On the Open a New Ticket page, configure these settings:
- What is this ticket related to? — Select General request.
- Subject — Enter Syslog changes.
- Related ticket (optional) — Keep blank.
- Message — Enter this information for your Concierge Security® Team (CST):
  - Confirmation that you completed the steps in this configuration guide.
  - The IP address or hostname you used during the configuration.
  - Any questions or comments that you have.
Click Send Message.

Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.