This integration is available on our Advanced and Enterprise packages.
Before you get started
Before beginning the integration, you will need to deploy a log collector within the same network as your firewall.
To initiate the collector deployment process, please reach out to our Technical Support team, who'll provide you with a deployment pack that includes all the software and scripts needed to configure this.
If you already have a log collector deployed, please follow the steps outlined below.
Configuration
Log in to your WatchGuard Web UI.
Go to System > Logging.
Select the Syslog Server tab.
Check the box Send log messages to these syslog servers.
Click Add.
In the IP Address field, enter the private IP address of your log collector.
In the Port text box, the default syslog server port (514) appears. Replace this with the value 5514.
From the Log Format drop-down, select Syslog.
(Optional) In the Description field, enter a name such as Defense.com SIEM.
Click OK.
Under Select the details to include in syslog messages:
Check the box The time stamp.
To include the serial number of the firewall in the log message details, check the box The serial number of the device.
In the Syslog Settings section, assign syslog facilities for each log message type:
For high-priority messages (e.g., alarms), select Local0.
For other message types, use Local1 to Local7 based on your preferred priority (lower number = higher priority).
To suppress a message type, select NONE.
Click Save at the bottom of the page.
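The facility assigned in Syslog Settings reaches the collector as the priority value at the start of each syslog line (facility x 8 + severity, where Local0 to Local7 are facility codes 16 to 23). The Python script below is an added example, not part of the Defense.com or WatchGuard tooling: it decodes that value so you can check that each message type arrives with the facility you chose. The sample lines, hostname and serial number in it are constructed for illustration.

```python
import re
from collections import Counter

# Syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
# Facilities 16-23 are local0-local7, the ones assignable in Syslog Settings.
LOCAL_FACILITIES = {16 + n: f"local{n}" for n in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_code, severity_name) for a raw syslog line, or None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is 23 * 8 + 7
        return None
    return pri >> 3, SEVERITIES[pri & 7]


def summarise(lines):
    """Count messages per facility; collect lines that are malformed or not local0-7."""
    counts, unexpected = Counter(), []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None or decoded[0] not in LOCAL_FACILITIES:
            unexpected.append(line)
            continue
        counts[LOCAL_FACILITIES[decoded[0]]] += 1
    return counts, unexpected


# Constructed sample lines (not real firewall output); hostname, serial and text are made up.
SAMPLE = [
    "<129>Jan 10 12:00:01 fw-example SERIAL0000 alarm: constructed message",    # local0.alert
    "<142>Jan 10 12:00:02 fw-example SERIAL0000 traffic: constructed message",  # local1.info
    "<142>Jan 10 12:00:03 fw-example SERIAL0000 traffic: constructed message",  # local1.info
    "<30>Jan 10 12:00:04 other-host daemon: constructed message",               # daemon.info
    "no priority header at all",
]

if __name__ == "__main__":
    counts, unexpected = summarise(SAMPLE)
    for name, n in sorted(counts.items()):
        print(f"{name}: {n}")
    for line in unexpected:
        print("unexpected:", line)
```

Lines reported as unexpected either lack a priority header or carry a facility outside Local0 to Local7, which usually means they came from a different sender than the firewall.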
Confirming log flow
Once the above steps are complete, your device will now ship logs to our SIEM platform via your collector. You can confirm logs are successfully reaching our SIEM by either:
Navigating to the Log Search feature in Defense.com by browsing to SIEM > Log Search and then filtering the logs by type:"syslog".
Reaching out to our Technical Support team, who'll be able to check and confirm this for you.
And that's it! You've successfully integrated your WatchGuard Firewall.
