What the Onboarding Wizard does
The Onboarding Wizard guides you through connecting a log source to Managed SIEM. It covers two source types in this release:
- Windows Event Logs: Security, system, and application events from endpoints that already run the Huntress Agent.
- Syslog firewalls: Event logs pulled from your firewall (SonicWall, FortiGate, Meraki, Sophos, Palo Alto, and more) using the Huntress Agent as a local syslog collector.
Before you begin
- You have account-level admin access in the Huntress portal and access to the Managed SIEM product.
- The Huntress Agent is installed on at least one endpoint. The Agent is what collects Windows events and acts as the syslog collector for firewalls. After installation, an Agent becomes SIEM-ready in about 20 minutes.
- For a firewall, you have admin access to the firewall device and the ability to manage the software firewall on the endpoint that will act as the collector.
Don't have the Agent yet?
The wizard links you to the installer at the first step. Install the Agent, wait ~20 minutes, then return — the wizard saves your place.
Opening the wizard
There are three ways the wizard appears, depending on where you are:
- First-time banner. If no sources are connected, Source Management shows a banner: "Connect your first data source to start detecting threats!" Click the Set up a source link.
- Connect Firewall button. For partners with existing sources configured, on the Syslog Collectors page or from Source Management, Connect Firewall jumps straight into the syslog firewall portion of the wizard.
Choosing what to connect
The wizard opens on "Connect your first data source" and asks which type of data you want to collect first:
- Windows Event Logs — "Collect security events from Windows endpoints where the Huntress Agent is installed."
- Connect your syslog firewall — "Pull logs from your syslog firewall to detect network-based threats. Supports SonicWall, Fortinet, Meraki, Sophos, and more."
Make your selection and click Continue.
Path A — Windows Event Logs
Windows Event Logs are the fastest source to connect. No configuration on the device side is required; the Huntress Agent handles it.
Step 1 — Confirm the Agent prerequisite
The wizard shows "Before you connect Windows Event Logs." It reminds you that the Huntress Agent is required and that it takes about 20 minutes to be SIEM-ready after install. If you've already installed the Agent, click Continue.
Step 2 — Review and turn on collection
You'll land on the Windows Event Logs collection settings, where the Agent automatically collects logs from every enrolled endpoint. Collection is disabled by default. From here, you can enable collection account-wide or scope it to specific organizations and endpoints.
Click Save to enable your collection settings. A confirmation modal will display the total number of sources added to your bill before any collection settings are changed.
Once collection is enabled, Windows security events begin flowing from enrolled endpoints, typically within about 20 minutes.
Path B — Connect your syslog firewall
Connecting a firewall means pointing it at a Huntress Agent on your network that listens for syslog traffic (the "collector"). The wizard breaks this into five tracked steps, shown as a progress bar across the top:
Agent prerequisite
Before Step 1, the wizard will remind you that the Huntress Agent must be installed on a collector endpoint first. This is because the Agent acts as your syslog collector. Install the Agent if needed. The Agent is SIEM-ready about 20 minutes after install. Click Continue when ready.
Step 1 — Choose your firewall
Select your firewall vendor. The wizard uses your choice to load the correct setup guide and to activate the right log parsing.
Step 2 — Choose or enable a collector
The collector is the endpoint where the Huntress Agent is installed, to which your firewall will send logs.
If you already have a collector
Select an existing collector endpoint from the Syslog Collectors dropdown. The wizard then shows the IP and port your firewall will send to.
If you need a new collector
The wizard will guide you through enabling your first collector if none exists.
If you have existing collectors enabled, you can also choose "Enable or update a collector" to enable a new one.
Fill in:
- Organization: Only organizations with Managed SIEM enabled appear here.
- Endpoint: This is the endpoint with the Agent that will receive logs; pick one reachable by your firewall on the local network.
- Transmission method: UDP (default port 514) and/or TCP on a separate port. Make sure no other service is using the port(s) you select.
Click Continue.
Enabling a collector is a one-time step. A single collector can receive logs from multiple firewall devices. For best results, choose an endpoint on the same network segment as your firewall(s).
Step 3 — Open the Windows Firewall rule
This is the #1 reason syslog source setups fail
Windows Defender Firewall blocks incoming syslog traffic until you explicitly allow it for Rio.exe. Don't skip this step on a Windows collector.
Before your firewall can send logs to the collector, Windows Defender Firewall on that endpoint must allow traffic to the collector. This is a one-time step per collector, not per firewall/device.
Run the command the wizard provides in PowerShell as Administrator on the collector host. The wizard generates one command per protocol you enabled (UDP and/or TCP):
New-NetFirewallRule -DisplayName "Allow Huntress Syslog Collection" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 514 -Program "%ProgramFiles%\Huntress\Rio\Rio.exe"
Use the Copy UDP Command button (and the TCP equivalent if applicable), run it on the collector, then click I've run this command.
This command is for Windows Defender Firewall only
If you run a different software firewall on the collector, open inbound UDP 514 (and/or your TCP port) for Rio.exe using that tool instead.
If your collector endpoint runs Linux, the wizard skips the Windows Firewall step and takes you straight to Step 4 (Configure). You'll still need to open the port in your Linux firewall.
See the Collecting Syslog Sources guide for Linux (firewalld/UFW) commands.
Step 4 — Configure your firewall
Enter these values in your firewall's syslog settings. Your device's admin panel may refer to this as a "syslog server" or "remote logging."
The wizard displays copy-to-clipboard fields for:
| Field | Value |
|---|---|
| Collector IP address | The collector endpoint's local IP |
| UDP / TCP port | The port(s) you enabled in Step 2 (UDP 514 by default) |
| Format | Vendor-specific where required: FortiGate CEF, Palo Alto IETF, pfSense Syslog (RFC 5424), WatchGuard IBM LEEF |
Follow the linked vendor setup guide for the exact menu paths on your device, then click I've configured my device.
Data should appear within about 30 minutes
When your first logs arrive, your source automatically appears in Source Management. It will also appear on the appropriate firewall source page (i.e., SonicWall Sources).
Step 5 — Done
You don't need to do anything else here! The final screen confirms "Setup complete." Your collector is now listening, and Huntress watches for your first logs in the background.
You can close the wizard or click Go to Syslog Collectors to view your syslog collectors.
Pausing and resuming setup
The wizard saves your progress. If you leave mid-setup, Source Management shows a resume banner. Click Resume Setup to pick up exactly where you left off.
What happens after setup
- Data timing. First events typically appear within about 30 minutes after your firewall is configured (Windows Event Logs: ~20 minutes after collection is enabled). Volume and device configuration can affect this.
- Automatic source creation. Your firewall source is created automatically when its first logs arrive.
- Verify its health. Check back within 24 hours to confirm your source is listed and still reporting in Source Management.
Troubleshooting
If your collector is enabled but no logs appear, work through these in order:
- Confirm the Windows Firewall rule ran on the collector (Step 3). This is the most common cause. Re-run the PowerShell command as Administrator if unsure.
- Check for a port conflict. The Huntress Rio Agent (Rio.exe) must be the only program listening on the chosen port (default UDP 514).
- Check the Windows network profile. If the collector's network adapter is set to Public, Windows Firewall may ignore the rule. Use Domain or Private.
- Verify the firewall destination. Correct collector IP, correct port, supported format.
- Same organization. The collector endpoint and the syslog source must be in the same organization.
For the full checklist, see Troubleshooting SIEM Local Syslog Collection.
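As an added example (not part of the wizard or the Huntress product), the following PowerShell script runs the first three troubleshooting checks above directly on the collector: the Rio.exe firewall rule, the owner of the listening port, and the network profile. It assumes the default UDP port 514 and the Rio.exe path used by the Step 3 command; the parameter names are this example's own.

```powershell
# Added diagnostic script (not from the Huntress wizard). Run in PowerShell as Administrator
# on the Windows collector endpoint. Defaults assume UDP/514 and the Rio.exe path from Step 3;
# pass -Port / -Protocol if you enabled a TCP port in Step 2.
param(
    [int]$Port = 514,
    [ValidateSet('UDP', 'TCP')][string]$Protocol = 'UDP',
    [string]$RioPath = "$env:ProgramFiles\Huntress\Rio\Rio.exe"
)

$ok = $true

# 1. Is there an enabled inbound Allow rule scoped to Rio.exe for this protocol/port?
$rules = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -like '*\Rio\Rio.exe' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq $Protocol -and "$($pf.LocalPort)" -eq "$Port"
    }
if ($rules) { "OK   firewall rule(s) found: $($rules.DisplayName -join ', ')" }
else { "FAIL no enabled inbound $Protocol/$Port rule for Rio.exe (re-run the Step 3 command)"; $ok = $false }

# 2. Which process owns the port? Only Rio.exe should be listening on it.
if ($Protocol -eq 'UDP') {
    $eps = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
} else {
    $eps = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
}
if (-not $eps) { "FAIL nothing is listening on $Protocol/$Port (is the collector enabled and the Agent running?)"; $ok = $false }
foreach ($ep in $eps) {
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path -and ($proc.Path -ieq $RioPath)) {
        "OK   $Protocol/$Port is owned by Rio.exe (PID $($proc.Id))"
    } else {
        "FAIL $Protocol/$Port is owned by '$($proc.ProcessName)' (PID $($ep.OwningProcess)); port conflict"; $ok = $false
    }
}

# 3. Network profile: on a Public profile Windows Firewall may ignore the rule.
foreach ($p in Get-NetConnectionProfile) {
    if ($p.NetworkCategory -eq 'Public') {
        "WARN adapter '$($p.InterfaceAlias)' is on the Public profile; switch it to Domain or Private"; $ok = $false
    } else {
        "OK   adapter '$($p.InterfaceAlias)' profile: $($p.NetworkCategory)"
    }
}

if ($ok) { "All collector checks passed." } else { "One or more checks failed; see the FAIL/WARN lines above." }
```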