TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Firewall Syslogs
ENVIRONMENT: Fortinet, Meraki, Palo Alto Networks, pfSense, SonicWall, Sophos, Unifi Ubiquiti, WatchGuard, or generic syslogs
SUMMARY: In just a few steps, set up your Huntress Agent to receive syslog data from your firewall.
Configure the Huntress Agent
In this section we will configure a Huntress Agent to listen for syslog messages (a logging standard not associated with Microsoft or Windows). Once this is enabled, you can point your firewall to that agent and the agent will collect and send those messages to Huntress Managed SIEM.
From the "Source Management" tab under SIEM:
1. Click "Add Source".
2. Choose "Syslog (Local)".
3. In the top right, choose "Add Syslog Agent".
4. Select an organization and a host, then click "Save".
5. The selected organization and host name will appear under "Enabled Syslog Agents" within a few minutes.
Generally, only one endpoint needs to be added per organization. Syslog collection is meant for firewall data, so pointing the firewall at additional agents only duplicates the data that is collected.
For suggested configurations for various firewall vendors, please refer to our Device Configuration Guides.
Create a Windows Firewall Rule
If you have Windows Firewall enabled, you need to make sure that the Huntress Agent can receive syslog messages on the correct port. To do this, create a new inbound rule in Defender Firewall and scope it to just the Huntress Rio Agent (%ProgramFiles%\Huntress\Rio\Rio.exe), so that no other program can use the opened UDP port.
Pro-tip: you can also use PowerShell to create the rule. There are a variety of ways to accomplish this, but here’s an example:
New-NetFirewallRule -DisplayName "Allow Huntress Syslog Collection" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 514 -Program "%ProgramFiles%\Huntress\Rio\Rio.exe"
If you prefer to use the Windows Defender Firewall GUI, you can follow the steps below:
- From the Windows Defender Firewall app go to Advanced Settings.
- Select Inbound Rules and in the Actions pane, create a New Rule.
- Choose Custom Rule (the Program rule type has no step for protocol and port) and enter the path for the program. The path should be something like %ProgramFiles%\Huntress\Rio\Rio.exe.
- Select Allow the Connection.
- For Protocol and Ports, select UDP and then specify port 514.
- Optionally, you can scope the rule to a single device by adding the firewall's IP address as a Remote IP address (the Local IP address side refers to the IPs of the Windows device itself). Be aware that the next time you want to point another device's syslog messages at the Huntress Agent, you will need to update this rule. Always choose "Allow the connection" rather than "Allow the connection if it is secure": that option requires IPsec, and plain UDP syslog carries no authentication or encryption the firewall could verify.
- Apply the rule to all three profiles: Domain, Private, and Public. Note that Windows Firewall may not honor some rules while the active network profile is Public, so it's highly recommended that the collector's network connection is classified as Domain or Private (you can check the active profile with Get-NetConnectionProfile).
- Give the rule a name, like Huntress Syslog Listener.
The Windows Firewall is now configured to allow Huntress Agent to listen on UDP port 514.
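The steps above as one script, added here as a worked example rather than Huntress's own tooling: it creates the rule scoped to Rio.exe and to the firewall's source IP, reads back the filters that were actually written, and flags any connection on the Public profile where the rule would not apply. The firewall address 192.0.2.1 is a placeholder you replace with your edge firewall's IP; the Rio path is assumed to be the default install location. Run it in an elevated PowerShell session.

```powershell
# Added example (not Huntress's own code). Assumptions: the edge firewall sends
# syslog from 192.0.2.1 (placeholder), and Rio.exe is in the default location
# under %ProgramFiles%\Huntress\Rio. Requires an elevated PowerShell session.

$RuleName   = 'Allow Huntress Syslog Collection'
$RioPath    = Join-Path $env:ProgramFiles 'Huntress\Rio\Rio.exe'
$FirewallIP = '192.0.2.1'   # assumed: replace with your firewall's source IP

if (-not (Test-Path $RioPath)) {
    throw "Rio agent not found at $RioPath; confirm the Huntress Agent is installed."
}

# Remove any earlier copy of the rule so re-running this script is idempotent.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule -Confirm:$false

# Program scope limits the open port to Rio.exe; RemoteAddress limits it to the
# firewall; Domain/Private are the profiles the rule is expected to be honored on.
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Syslog from the edge firewall to the Huntress Rio agent' `
    -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 514 `
    -Program $RioPath `
    -RemoteAddress $FirewallIP `
    -Profile Domain,Private | Out-Null

# Read back what was actually written: program, port and remote-address filters.
$rule = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Enabled  = $rule.Enabled
    Profiles = $rule.Profile
    Program  = ($rule | Get-NetFirewallApplicationFilter).Program
    Port     = ($rule | Get-NetFirewallPortFilter).LocalPort
    Remote   = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
} | Format-List

# The rule only applies on Domain/Private, so warn if the NIC the firewall
# reaches this host on is classified as Public.
$public = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
if ($public) {
    Write-Warning ('Connections on the Public profile will not match the rule: ' +
                   ($public.InterfaceAlias -join ', '))
    Write-Warning 'Reclassify with: Set-NetConnectionProfile -InterfaceAlias <alias> -NetworkCategory Private'
}
```

To allow a second syslog source later, pass an array to -RemoteAddress (for example '192.0.2.1','192.0.2.2') and re-run the script; because it removes and recreates the rule, the old scope is not left behind.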
Configure the Edge Firewall
Now that the Windows Firewall is no longer blocking inbound syslog, you can configure the firewall on the edge of your network to send syslog messages to your selected Huntress Agent. Please be sure that the Huntress Agent is the only process listening on UDP port 514 on that host; another program bound to the same port can stop the messages from reaching the agent.
Please consult your firewall vendor documentation for sending syslog messages in the proper message formats. You can find our device configuration guides here.
While we do not have comprehensive guides for all firewall or network devices, most devices simply need to be configured to send syslog messages to the IP of the agent you selected as a listener on UDP port 514. Some environments may also need UDP 514 allowed on the internal network between the device and the collector (for example, by an internal firewall or segmentation policy).
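Two checks a practitioner will want before pointing the edge firewall at the collector, added here as an example and not part of the original article or of the Huntress product: first, that Rio.exe is the only owner of UDP 514 on the collector; second, that a syslog datagram from an internal host actually reaches it through the Windows Firewall rule. The collector address 10.0.0.5 is a placeholder; the listener check relies on Get-NetUDPEndpoint reporting OwningProcess, which it does on Windows 10 / Server 2016 and later (netstat -ano -p UDP shows the same information otherwise).

```powershell
# Added example (not Huntress's own code). Assumptions: the Huntress agent host
# is 10.0.0.5 (placeholder); Test-SyslogListener is run on the collector itself,
# Send-TestSyslog from any other internal host.

function Test-SyslogListener {
    # Map every UDP 514 endpoint to its owning process.
    $endpoints = Get-NetUDPEndpoint -LocalPort 514 -ErrorAction SilentlyContinue
    if (-not $endpoints) {
        Write-Warning 'Nothing is listening on UDP 514; confirm the host was enabled as a syslog agent.'
        return $false
    }
    $owners = foreach ($ep in $endpoints) {
        $p = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $ep.LocalAddress
            Pid          = $ep.OwningProcess
            Name         = $p.ProcessName
            Path         = $p.Path
        }
    }
    $owners | Format-Table -AutoSize | Out-String | Write-Host
    $other = $owners | Where-Object { $_.Name -ne 'Rio' }
    if ($other) {
        $list = ($other | ForEach-Object { "$($_.Name) (PID $($_.Pid))" }) -join ', '
        Write-Warning "Another process also owns UDP 514: $list"
        return $false
    }
    return $true
}

function Send-TestSyslog {
    param(
        [Parameter(Mandatory)] [string] $Collector,   # IP of the Huntress agent host
        [int]    $Port    = 514,
        [string] $Message = 'Huntress syslog connectivity check'
    )
    # RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
    # PRI = facility*8 + severity; local0 (16) and informational (6) give 134.
    $pri = 16 * 8 + 6
    $d   = Get-Date
    $inv = [Globalization.CultureInfo]::InvariantCulture
    # Day of month is space-padded to two characters per RFC 3164 ("Oct  5").
    $ts  = '{0} {1,2} {2}' -f $d.ToString('MMM', $inv), $d.Day, $d.ToString('HH:mm:ss', $inv)
    $line  = "<$pri>$ts $env:COMPUTERNAME test: $Message"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($line)

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        [void]$udp.Send($bytes, $bytes.Length, $Collector, $Port)
        "Sent $($bytes.Length) bytes to ${Collector}:${Port} -> $line"
    } finally {
        $udp.Close()
    }
}

# On the collector: should print only Rio.exe and return True.
Test-SyslogListener
# From another internal host: exercises the network path and the firewall rule.
Send-TestSyslog -Collector '10.0.0.5'
```

Send the test message from a host other than the collector: a datagram sent from the collector to its own address never crosses the Windows Firewall rule, so it proves nothing about the path the edge firewall will use. Because UDP gives no delivery feedback, "Sent" only means the datagram left the sender; look for the message on the Huntress side to confirm it arrived.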
Supported Syslog Message Formats
In the case where specific formats are requested, please refer to the table below for links to our Device Configuration Guides where available. Not all devices provide options for different formats.
Device Type | Message Format or Configuration Guide
SonicWall |
Fortinet |
Meraki | WAN Appliance and Security event logs
WatchGuard |
Unifi / Ubiquiti |
Palo Alto Networks |
Sophos |
pfSense |
If you are unsure how to configure your device to send syslog messages in specific formats, please consult your hardware vendor for more support.
If your device is not supported today, Huntress can still store the logs for you and have them available for export, but we cannot parse this data (i.e., normalize it so that it is easier to read and search). You can make a new request or upvote an existing requested format on our feedback page.