WatchGuard Logs
Updated Nov 10, 2023
Configure WatchGuard log forwarding using Policy Manager
You can use Policy Manager to configure WatchGuard® Firebox to send the necessary logs to Arctic Wolf® for security monitoring.
Requirements
- An activated Arctic Wolf Sensor
- Access to Policy Manager with administrator permissions
Steps
- Add syslog servers.
- Save the configuration file.
- Provide your WatchGuard Firebox information to Arctic Wolf.
Step 1: Add syslog servers
- Sign in to Policy Manager.
- Click Setup > Logging.
- In the Logging Setup dialog, select the Send log messages to these syslog servers checkbox.
- Click Add.
- In the Configure Syslog dialog, in the IP Address field, enter the IP address of your Arctic Wolf Sensor.
  The Port field automatically populates with the default syslog server port, 514.
- Configure these settings:
  - Log Format — Select either Syslog or IBM LEEF.
  - Description — (Optional) Enter a description for the server.
  - The serial number of the device — (Optional) To include the serial number of the Firebox in the log message details, select the checkbox.
  - (IBM LEEF format only) The syslog header — Select the checkbox.
  - Syslog Settings — For each type of log message, select a syslog facility:
    - Local0 — Select for high-priority log messages. For example, alarms.
    - Local1 – Local7 — Select for lower priority log messages.
- In the Configure Syslog dialog, click OK.
- In the Logging Setup dialog, click OK.
Step 2: Save the configuration file to the Firebox
- In Policy Manager, click File > Save > To Firebox.
- In the Save to Firebox dialog, in the IP Address or Name field, enter or select an IP address or name.
  Note: If you use a name, the name must resolve through DNS. If you enter an IP address, include all numbers and periods.
- In the Administrator User Name and Administrator Passphrase fields, enter the credentials for a device administrator for a read-write user account.
- In the Authentication Server list, select the correct authentication server for the user account that you specified.
- If you use an Active Directory server for authentication, in the Domain field, enter the domain name of your Active Directory server.
- Click OK.
Step 3: Provide your WatchGuard Firebox information to Arctic Wolf
- Sign in to the Arctic Wolf® Unified Portal.
- Click Help > Open a New Ticket.
- On the Open a New Ticket page, configure these settings:
  - What is this ticket related to? — Select General request.
  - Subject — Enter Syslog changes.
  - Related ticket (optional) — Keep blank.
  - Message — Enter this information for your Concierge Security® Team (CST):
    - Confirmation that you completed the steps in this configuration guide.
    - The IP address or hostname you used during the configuration.
    - Any questions or comments that you have.
- Click Send Message.
Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.
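
To check a captured message against the Log Format and Syslog Settings choices from Step 1, the following added example (not WatchGuard or Arctic Wolf code) decodes the syslog facility and detects a LEEF payload. It assumes the syslog header starts with a standard RFC 3164 `<PRI>` prefix and that LEEF messages use the LEEF 1.0 layout; the function names and sample lines are constructed for illustration.

```python
import re

# RFC 3164/5424: PRI = facility * 8 + severity; local0..local7 are facilities 16..23.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility_name, severity_name, rest) or None if there is no valid <PRI> prefix."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # highest valid PRI is 23 * 8 + 7
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    return name, SEVERITIES[severity], line[m.end():]

def parse_leef(payload):
    """Parse 'LEEF:1.0|Vendor|Product|Version|EventID|' followed by tab-separated key=value pairs."""
    start = payload.find("LEEF:")
    if start < 0:
        return None
    parts = payload[start:].split("|", 5)
    if len(parts) < 6:
        return None
    attrs = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
    return {"leef_version": parts[0][5:], "vendor": parts[1], "product": parts[2],
            "version": parts[3], "event_id": parts[4], "attrs": attrs}

def check_message(line, expected_facility):
    """Compare one captured message with the facility selected in Syslog Settings."""
    decoded = decode_pri(line)
    if decoded is None:
        return {"ok": False, "reason": "missing or invalid <PRI> syslog header"}
    facility, severity, rest = decoded
    leef = parse_leef(rest)
    return {"ok": facility == expected_facility, "facility": facility,
            "severity": severity, "format": "leef" if leef else "syslog", "leef": leef}

# Constructed sample messages (not real Firebox output).
SAMPLES = [
    "<129>Nov 10 12:00:00 fw01 alarm: constructed example alarm",  # 16*8+1 = local0.alert
    "<142>Nov 10 12:00:01 fw01 LEEF:1.0|ExampleVendor|ExampleFW|1.0|1234|src=192.0.2.10\tdst=198.51.100.7\tproto=tcp",  # 17*8+6 = local1.info
    "LEEF:1.0|ExampleVendor|ExampleFW|1.0|1234|src=192.0.2.10",  # LEEF sent without a syslog header
]

if __name__ == "__main__":
    for sample, expected in zip(SAMPLES, ["local0", "local1", "local0"]):
        print(check_message(sample, expected))
```

A message that reports `ok: False` either carries a different facility than the one selected for that log type or was sent without the syslog header.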