TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Syslog Capable Appliances and Applications
ENVIRONMENT: Local Networks with the Huntress Rio Agent
SUMMARY: In just a few steps, setup your Huntress Rio Agent to receive syslog data from your services.
1. Configure the Huntress Rio Agent
2. Create a Windows Firewall Rule
3. Configure the Edge Firewall
Supported Syslog Message Formats
All sections must be followed in order to configure ANY firewall to sync with the Huntress Managed SIEM portal. Just configuring the Edge Firewall is not sufficient to start the sync process.
1. Configure the Huntress Rio Agent
In this section we will configure a Huntress Rio Agent to listen for syslog messages (a logging standard not associated with Microsoft or Windows). Once this is enabled, you can point your firewall to that agent and the agent will collect and send those messages to Huntress Managed SIEM.
From the "Source Management" tab under SIEM
1. Click "Add Source"
2. Choose "Syslog (Local)"
2. In the top right, choose "Enable Syslog Collector"
3. Select an organization and a host, then enter an overriding port if desired, and hit "Save" once selected
4. The selected organization and host-name will appear under "Enabled Syslog Agents" with a few minutes.
Generally, only one endpoint needs to be added per organization. As syslog information is for collecting Firewall data, adding additional endpoints would result in an excess of data log collection.
For suggested configurations for various firewall vendors, please refer to our Device Configuration Guides.
2. Create a Windows Firewall Rule
If you have Windows Firewall enabled, you need to make sure that the Huntress Rio Agent can receive syslog messages over the correct port. The port can be modified to sort your requirements from the default 514. To do this, create a new rule in Defender Firewall and scope it to just the Huntress Rio Agent (%program files%\Huntress\Rio\Rio.exe).
Pro-tip: you can also use PowerShell to create the rule. There are a variety of ways to accomplish this, but here’s an example:
New-NetFirewallRule -DisplayName "Allow Huntress Syslog Collection" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 514 -Program "%ProgramFiles%\Huntress\Rio\Rio.exe"
If you prefer to use the Windows Defender Firewall GUI, you can follow the steps below:
- From the Windows Defender Firewall app go to Advanced Settings.
- Select Inbound Rules and in the Actions pane, create a New Rule.
- Choose Custom Rule and enter the path for the program. The path should be something like %ProgramFiles%\Huntress\Rio\Rio.exe.
- Select Allow the Connection.
- For Protocol and Ports, select UDP and then specify port 514, or a custom port if needed.
- Optionally, you can scope this to a single device if you’d like, just be aware that the next time you want to point another endpoint’s syslog messages to the Huntress Rio Agent, you will need to update this rule. You would simply add a remote IP address to allow the device to connect inbound via UDP on port 514 or a custom port if needed (note: local IP address refers to IPs of the Windows device). However, you must always Allow the connection because UDP isn’t secure.
- Apply the rule to all three profiles - Domain, Private, and Public. Please note Windows Firewall will ignore some firewall rules on the Public profile, so it's highly recommended that you use the Domain or Private profiles.
- Give the rule a name, like Huntress Syslog Listener.
The Windows Firewall is now configured to allow Huntress Rio Agent to listen on UDP port 514.
3. Configure the Syslog Source
Now that the Windows Firewall is no longer blocking us, you can configure the syslog source to send syslog messages to your selected Huntress Rio Agent. Please be sure that the Huntress Rio Agent is the only agent listening on UDP Port 514 or the port specified in previous steps.
Please consult your firewall vendor documentation for sending syslog messages in the proper message formats. You can find our device configuration guides here.
While we do not have comprehensive guides for all syslog sources, most devices simply need to be configured to send syslog messages to the IP of the agent you selected as a listener on UDP Port 514 or the port specified. Some devices may need the UDP port used opened on the internal network.
Supported Syslog Message Formats
In the case where specific formats are requested, please refer to the table below for links to our Device Configuration Guides where available. Not all devices provide options for different formats.
| Device Type | Message Format or Configuration Guide |
| SonicWall |
|
| Fortinet |
|
| Meraki | WAN Appliance and Security event logs |
| WatchGuard | |
| Unifi / Ubiquiti | |
| Palo Alto Networks | |
| Sophos | |
| pfSense |
If you are unsure how to configure your device to send syslog messages in specific formats, please consult your hardware vendor for more support.
If your device is not supported today, Huntress can still store the logs for you and have them available for export, but we cannot parse this data (i.e. easier to read and search). You can make a new request or upvote an existing requested format on our feedback page.