Configure Syslog Server Settings
Syslog is a logging protocol that originated on UNIX and is now supported by most network devices and operating systems. You can configure the Firebox to send syslog log messages to a maximum of three servers.
For Fireboxes that are not cloud-managed, multiple syslog servers are supported in Fireware v12.4 and higher.
For each syslog server, you must specify the IP address and port for connections to the server.
Syslog log messages are sent in clear text and are not encrypted, so anyone who can observe the path between the Firebox and the server can read them. We recommend that you do not send log messages to a syslog server through the external interface. For better security, put your syslog server on your trusted network so that log messages never leave it.
For each syslog server you add, you specify the log message format. The Firebox can send log messages in two log formats: Syslog or IBM LEEF. To send log messages to a syslog server, specify the Syslog log format. To send log messages to an IBM QRadar server, specify the IBM LEEF log format. For the IBM LEEF log format, you have the option to include syslog headers.
You can specify the syslog facility to use for each log message type. The syslog facility determines the relative priority of each log message. Lower numbers indicate higher priority. For high-priority log messages, such as alarms, select Local0. For lower priority log message types, select Local1 – Local7. You can specify the syslog facility for five log message types:
- Alarm
- Traffic
- Event
- Diagnostic
- Performance
For information about the different types of messages, go to Types of Log Messages.
When you select the IBM LEEF log format, the Firebox sends only log messages that include the msg-id field to your QRadar server; it does not send Performance log messages, because they have no msg-id.
Log messages in IBM LEEF log format start with the LEEF header, which contains these fields (example values in parentheses):
- LEEF Version (LEEF:1.0)
- Vendor Name (WatchGuard)
- Product Name (Firebox)
- Product Version (12.1.B548280)
- Event ID (1AFF000B, the Firebox message ID)
For a QRadar server, you must select the option to include the syslog header before you can configure syslog facility settings. When the syslog header is included, the log messages sent to the QRadar server do not include the host name and time stamp.
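The following Python example is added here and is not WatchGuard code. It parses both formats described above: it decodes the <PRI> field of the syslog header into the facility (Local0 to Local7) and severity that the facility settings control, and it splits the LEEF header into the five fields listed above, treating the Event ID as the Firebox msg-id. The sample lines are constructed; the LEEF header values are the ones shown on this page, while the message text and the attribute keys after the LEEF header are hypothetical.

```python
"""Parse Firebox log lines in the Syslog and IBM LEEF formats.

Added example (not WatchGuard code). The sample lines below are constructed;
the LEEF header values match the ones on this page, the attribute keys after
the header and the message text are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 5424 facility codes: local0 = 16 ... local7 = 23.  PRI = facility * 8 + severity.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


@dataclass
class FireboxLog:
    fmt: str                              # "syslog" or "leef"
    facility: Optional[str] = None        # None when the line has no syslog header
    severity: Optional[str] = None
    leef_version: Optional[str] = None
    vendor: Optional[str] = None
    product: Optional[str] = None
    product_version: Optional[str] = None
    event_id: Optional[str] = None        # LEEF Event ID = Firebox msg-id
    attrs: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def split_pri(line: str):
    """Strip a leading <PRI> field and decode it into (facility, severity, rest)."""
    m = _PRI_RE.match(line)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    if pri > 191:                         # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility = FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}")
    return facility, SEVERITY_NAMES[pri % 8], line[m.end():]


def parse_leef(payload: str) -> FireboxLog:
    """Parse 'LEEF:1.0|Vendor|Product|Version|EventID|attributes'.

    LEEF 1.0 attributes are tab-separated key=value pairs after the fifth '|'.
    """
    parts = payload.split("|", 5)
    if len(parts) < 5 or not parts[0].startswith("LEEF:"):
        raise ValueError(f"not a LEEF header: {payload[:40]!r}")
    attr_text = parts[5] if len(parts) == 6 else ""
    attrs: Dict[str, str] = {}
    for pair in attr_text.split("\t"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            attrs[key] = value
    return FireboxLog(
        fmt="leef",
        leef_version=parts[0][len("LEEF:"):],
        vendor=parts[1],
        product=parts[2],
        product_version=parts[3],
        event_id=parts[4],
        attrs=attrs,
    )


def parse_line(line: str) -> FireboxLog:
    """Parse one Firebox log line in either format, with or without a syslog header."""
    facility, severity, rest = split_pri(line.rstrip("\r\n"))
    if rest.startswith("LEEF:"):
        rec = parse_leef(rest)
    else:
        rec = FireboxLog(fmt="syslog", body=rest)
    rec.facility, rec.severity = facility, severity
    return rec


def high_priority(lines: List[str]) -> List[FireboxLog]:
    """Return the records sent on Local0, the facility this page reserves for alarms."""
    return [rec for rec in map(parse_line, lines) if rec.facility == "local0"]


# Constructed sample lines.  PRI 129 = local0/alert, PRI 142 = local1/info.
SAMPLE_LINES = [
    "<129>Jan 11 08:15:02 firebox-1 alarm: constructed sample alarm text",
    "<142>Jan 11 08:15:03 firebox-1 traffic: constructed sample traffic text",
    # LEEF with the syslog header option selected: PRI, then the LEEF header,
    # and no host name or time stamp (as the page states for QRadar).
    "<129>LEEF:1.0|WatchGuard|Firebox|12.1.B548280|1AFF000B|cat=Alarm\tsample=constructed",
    # LEEF without the syslog header: the line starts directly with the LEEF header.
    "LEEF:1.0|WatchGuard|Firebox|12.1.B548280|1AFF000B|cat=Alarm\tsample=constructed",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
```

Facility names are lower-case here because that is how syslog daemons spell them; they correspond one-to-one to the Local0 to Local7 choices in the Firebox dialog, so the decoded facility of each record tells you which message type the Firebox assigned it to.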
Before you configure your Firebox to send log messages to a syslog or QRadar server, you must have a syslog or QRadar server configured, operational, and ready to receive log messages.
Add Syslog Servers
In Fireware Web UI:
- Select System > Logging.
  The Logging page appears.
- Click the Syslog Server tab.
- Select the Send log messages to these syslog servers check box.
- Click Add.
  The Syslog Server dialog box appears.
- In the IP Address text box, type the server IP address.
- In the Port text box, the default syslog server port (514) appears. To change the server port, type or select a different port for your server.
- From the Log Format drop-down list, select Syslog or IBM LEEF.
  The details you can include in the log messages depend on the log format you select.
- (Optional) In the Description text box, type a description for the server.
- (Syslog log format only) To include the date and time that the event occurs on your Firebox in the log message details, select the The time stamp check box.
- To include the serial number of the Firebox in the log message details, select the The serial number of the device check box.
- (IBM LEEF log format only) To include the syslog header in the log message details, select the The syslog header check box.
- In the Syslog Settings section, for each type of log message, select a syslog facility from the drop-down list. If you select the IBM LEEF log format, you must select the The syslog header check box before you can select a syslog facility for the log message types.
  - For high-priority syslog messages, such as alarms, select Local0.
  - To assign priorities for other types of log messages (lower numbers have greater priority), select Local1 – Local7.
  - To not send a log message type to this server, select NONE.
- To restore the default settings, click Restore Defaults.
- Click Save.
In Policy Manager:
- Select Setup > Logging.
  The Logging Setup dialog box appears.
- Select the Send log messages to these syslog servers check box.
- Click Add.
  The Configure Syslog dialog box appears.
- In the IP Address text box, type the server IP address.
- In the Port text box, the default syslog server port (514) appears. To change the server port, type or select a different port for your server.
- From the Log Format drop-down list, select Syslog or IBM LEEF.
The details available to include in the log messages depend on the log format you select.
- (Syslog log format only) To include the time stamp information from your Firebox in the log message details, select the The time stamp check box.
- To include the serial number of the Firebox in the log message details, select the The serial number of the device check box.
- (IBM LEEF log format only) To include the syslog header in the log message details, select the The syslog header check box.
- For each type of log message, select a syslog facility:
  - For high-priority syslog messages, such as alarms, select Local0.
  - To assign priorities for other types of log messages (lower numbers have greater priority), select Local1 – Local7.
  - To not send a log message type to this server, select NONE.
- To restore the default settings, click Restore Defaults.
- Click OK to close the Configure Syslog dialog box.
- Click OK to close the Logging Setup dialog box.
- Save the Configuration File.
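After you save the configuration, the practical check is that log messages actually arrive on the server, and that they arrive from the Firebox's trusted-side address rather than over some other path. The following Python listener is an added example, not WatchGuard code: it binds the UDP syslog port, collects a few datagrams and flags any whose source address is outside the trusted subnet, which would mean the Firebox is reaching the server over an unexpected interface or that something else is sending to it. The trusted subnet 10.0.1.0/24 and the test message are assumptions; change them to match your own network.

```python
"""Minimal UDP syslog receiver to confirm that Firebox log messages reach the server.

Added example, not WatchGuard code.  Assumptions: the server listens on UDP 514
(the default port from this page) and the trusted network is 10.0.1.0/24; change
TRUSTED_NET to the subnet of your own trusted interface.
"""
import ipaddress
import socket
from typing import List, Tuple

TRUSTED_NET = ipaddress.ip_network("10.0.1.0/24")   # assumption: your trusted network


def open_listener(host: str = "0.0.0.0", port: int = 514) -> socket.socket:
    """Bind a UDP socket.  Port 514 needs root; use a high port or port 0 for tests."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    return sock


def receive(sock: socket.socket, count: int, timeout: float = 5.0,
            trusted=TRUSTED_NET) -> List[Tuple[str, bool, str]]:
    """Collect up to `count` datagrams as (source_ip, from_trusted_net, text).

    Syslog is clear text, so a message from outside the trusted network means
    either a misrouted Firebox or an unexpected sender; both deserve a look.
    """
    sock.settimeout(timeout)
    received: List[Tuple[str, bool, str]] = []
    try:
        while len(received) < count:
            data, (src_ip, _src_port) = sock.recvfrom(65535)
            from_trusted = ipaddress.ip_address(src_ip) in trusted
            received.append((src_ip, from_trusted, data.decode("utf-8", "replace")))
    except socket.timeout:
        pass                                   # return whatever arrived before the deadline
    return received


def send_test_message(host: str, port: int, text: str) -> None:
    """Send one datagram, e.g. to check the listener from the syslog host itself."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as out:
        out.sendto(text.encode("utf-8"), (host, port))


def local_self_test(trusted_cidr: str = str(TRUSTED_NET)) -> List[Tuple[str, bool, str]]:
    """Bind on loopback, send one constructed message to it, and return what arrived."""
    sock = open_listener("127.0.0.1", 0)       # port 0: the OS picks a free high port
    try:
        port = sock.getsockname()[1]
        send_test_message("127.0.0.1", port, "<129>constructed test alarm")
        return receive(sock, 1, timeout=2.0, trusted=ipaddress.ip_network(trusted_cidr))
    finally:
        sock.close()


if __name__ == "__main__":
    for src, from_trusted, text in local_self_test():
        print(f"{src} trusted={from_trusted} {text}")
```

Run it as root (or with CAP_NET_BIND_SERVICE) to bind port 514, or point the Firebox at a high port and pass that port to open_listener; local_self_test exercises the code over loopback without a Firebox, and a loopback source is correctly reported as untrusted unless you pass "127.0.0.0/8" as the trusted subnet.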
About Firebox Logging and Notification