WatchGuard Logs

Updated Aug 31, 2023

Configure WatchGuard Firebox to send logs to Arctic Wolf

You can configure WatchGuard® Firebox to send the necessary logs to Arctic Wolf for security monitoring using one of these methods:

  • Fireware Web UI
  • Policy Manager

Requirements

Configure WatchGuard log forwarding using Fireware Web UI

  1. Access the Fireware Web UI.

  2. Select System > Logging.

  3. Click the Syslog Server tab.

  4. Select the Send log messages to these syslog servers checkbox.

  5. Click Add.

  6. In the Syslog Server dialog box, in the IP Address field, enter the IP address of your Arctic Wolf Sensor.

    The Port field automatically populates with the default syslog server port, 514.

  7. From the Log Format list, select either Syslog or IBM LEEF.

  8. (Optional) In the Description field, enter a description for the server.

  9. (Syslog log format only) Select the The time stamp checkbox.

  10. (Optional) To include the serial number of the Firebox in the log message details, select the The serial number of the device checkbox.

  11. (IBM LEEF format only) Select the The syslog header checkbox.

  12. In the Syslog Settings section, for each type of log message, select a syslog facility from the dropdown list.

    • For high-priority syslog messages, such as alarms, select Local0.
    • To assign priorities for other types of log messages, select Local1 – Local7.

    For more information about log message types, see Types of Log Messages.

  13. Click Save.

  14. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:

    • Confirmation that you have completed the steps in this configuration guide.
    • The IP address you used during the configuration.
    • Any other questions or comments that you have.

Configure WatchGuard log forwarding using Policy Manager

  1. Add syslog servers.
  2. Save the configuration file.

Step 1: Add syslog servers

  1. Access the Policy Manager.

  2. Select Setup > Logging.

  3. In the Logging Setup dialog box, select the Send log messages to these syslog servers checkbox.

  4. Click Add.

  5. In the Configure Syslog dialog box, in the IP Address field, enter the IP address of your Arctic Wolf Sensor.

    The Port field automatically populates with the default syslog server port, 514.

  6. From the Log Format list, select either Syslog or IBM LEEF.

  7. (Optional) In the Description field, enter a description for the server.

  8. (Syslog log format only) Select the The time stamp checkbox.

  9. (Optional) To include the serial number of the Firebox in the log message details, select the The serial number of the device checkbox.

  10. (IBM LEEF format only) Select the The syslog header checkbox.

  11. In the Syslog Settings section, for each type of log message, select a syslog facility from the dropdown list.

    • For high-priority syslog messages, such as alarms, select Local0.
    • To assign priorities for other types of log messages, select Local1 – Local7.

    For more information about log message types, see Types of Log Messages.

  12. Click OK to close the Configure Syslog dialog box.

  13. Click OK to close the Logging Setup dialog box.

Step 2: Save the configuration file to the Firebox

To make sure your changes take effect on the Firebox, you must save the configuration file directly to the Firebox. For other ways to save the configuration file, see Save the Configuration File.

  1. In Policy Manager, select File > Save > To Firebox.

  2. In the Save to Firebox dialog box, in the IP Address or Name field, enter or select an IP address or name.

    If you use a name, the name must resolve through DNS. If you enter an IP address, include all numbers and periods.

  3. In the Administrator User Name and Administrator Passphrase fields, enter the credentials for a Device Administrator for a read-write user account.

  4. From the Authentication Server dropdown list, select the correct authentication server for the user account that you specified.

  5. If you use an Active Directory server for authentication, in the Domain field, enter the domain name of your Active Directory server.

  6. Click OK.

  7. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding, and to validate that the logs are being ingested appropriately. Include the following information:

    • Confirmation that you have completed the steps in this configuration guide.
    • The IP address you used during the configuration.
    • Any other questions or comments that you have.
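As an added example, not part of this guide or of any WatchGuard or Arctic Wolf tooling, the following Python check can be run on the collector side over received lines to confirm the facility step of either procedure above (Local0 for alarms, Local1 through Local7 for everything else) and the serial number option for Syslog-format messages. The sample lines, the serial number and the "Alarm:" marker are constructed assumptions; the PRI arithmetic (facility × 8 + severity, Local0 = 16) is standard syslog.

```python
import re

# Syslog PRI is <N> with N = facility * 8 + severity (RFC 3164 / RFC 5424).
PRI_RE = re.compile(r"^<(\d{1,3})>")
LOCAL_FACILITIES = {16 + i: f"Local{i}" for i in range(8)}  # Local0 .. Local7

# Constructed sample lines, not real Firebox output; text after the PRI is
# illustrative. Assumed conventions: "Alarm:" marks an alarm message and the
# device serial number appears as a token after the hostname.
SERIAL = "SN-CONSTRUCTED-0001"  # placeholder serial number
SAMPLE_LINES = [
    # Local0 (16*8+1=129), alarm, serial present: as the guide configures it
    f"<129>Aug 31 10:15:02 firebox-hq {SERIAL} Alarm: IPS signature matched",
    # Local1 (17*8+6=142), ordinary traffic log, serial present
    f"<142>Aug 31 10:15:03 firebox-hq {SERIAL} Allow 10.0.0.5 203.0.113.9 tcp",
    # Local1 (17*8+1=137) but an alarm: should have been Local0
    f"<137>Aug 31 10:15:04 firebox-hq {SERIAL} Alarm: Gateway AV blocked file",
    # Local5 (21*8+6=174), IBM LEEF payload behind a syslog header
    "<174>Aug 31 10:15:05 firebox-hq LEEF:2.0|WatchGuard|Firebox|x.y|Deny|src=10.0.0.5",
    # facility 1 (user), not Local0-Local7: facility dropdown left at default
    f"<13>Aug 31 10:15:06 firebox-hq {SERIAL} Login for admin succeeded",
]

def parse_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if absent."""
    m = PRI_RE.match(line)
    if not m:
        return None
    return int(m.group(1)) // 8, int(m.group(1)) % 8

def audit_line(line, serial):
    """Check one forwarded line against the settings chosen in this guide.
    The serial-number check applies to Syslog format only; LEEF lines skip it."""
    pri = parse_pri(line)
    if pri is None:
        return ["missing <PRI> header"]
    name = LOCAL_FACILITIES.get(pri[0])
    findings = []
    if name is None:
        findings.append(f"facility {pri[0]} is not Local0-Local7")
    if "Alarm:" in line and name != "Local0":
        findings.append(f"alarm sent on {name}, expected Local0")
    if "LEEF:" not in line and serial not in line:
        findings.append("serial number missing from message")
    return findings

def audit(lines, serial):
    """Map line index -> findings; an empty dict means every line passed."""
    return {i: f for i, line in enumerate(lines) if (f := audit_line(line, serial))}
```

Running `audit(SAMPLE_LINES, SERIAL)` flags only the misdirected alarm and the line left on the default facility, which is what you would want to resolve before asking the Concierge Security Team to validate ingestion.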
