Skip to main content

Syslog - Watchguard Firebox Firewall

Tony Black
  • Updated

TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: Watchguard Firebox
SUMMARY: Configuration Guide for Watchguard Firebox Firewall

This page only covers the device-specific configuration, you'll still need to read Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup as well as opening a port in Microsoft Defender Firewall.

Vendor Information

Vendor

Watchguard

Supported Model Name/Number

Firebox Firewalls

Supported Software Version(s)

 

Collection Method

Syslog

Provider Name

Syslog-XTM

Additional Information

Syslog Server Config

Types of Log Messages

Log Catalog

 

Device Configuration Checklist

  1. Log in to the Fireware Web UI with an administrator account.
  2. Select System > Logging.
  3. Select the Syslog Server tab.
  4. Select the Send log messages to these syslog servers check box.
  5. Watchguard Firebox 1.png
  6. Click Add. The Syslog Server dialog box opens.
  7. In the IP Address text box, enter the IP address of the Huntress agent collecting syslog.
  8. in the Port text box, enter 514.
  9. From the Log Format drop-down list, select IBM LEEF.
  10. Check both boxes to include The serial number of the device and The syslog header.
  11. For each type of log message, verify they are set to the syslog facility in the below screenshot.
  12. Watchguard Firebox 2.png
  13. Click OK. The server is added to the list.
  14. Click Save.

 

Example Log Messages

HTTPS Request

<142>Feb 25 12:49:50 hostname LEEF:1.0|WatchGuard|XTM|12.6.2.B631387|2CFF0000|serial=ABC123 policy=HTTPS-proxy-00 disp=Allow in_if=Trusted out_if=Fiber proto=tcp src=192.168.1.222 srcPort=58152 dst=34.228.135.247 dstPort=443 proxy_act=HTTPS-STD WEBBLOCKER tls_profile=TLS-Client-HTTPS.Standard.1 tls_version=TLS_V13 sni=eetee.huntress.io cn=eetee.huntress.io cert_issuer=CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US cert_subject=CN=eetee.huntress.io,O=Huntress Labs Inc.,L=Ellicott City,ST=Maryland,C=US action=allow app_id=0 app_cat_id=0 sig_vers=18.190 sent_bytes=700 rcvd_bytes=7515 msg=HTTPS Request

 

VPN Authentication

<150>Feb 25 13:25:55 hostname LEEF:1.0|WatchGuard|XTM|12.10.4.B702217|25000000|host_name=host serial=ABC123 msg=Mobile VPN with SSL user user1 logged in. Virtual IP address is 172.17.0.51. Real IP address is 1.2.3.4.

Related articles