WatchGuard Firebox Firewall Log Collection

In this document, we’ll identify the initial setup steps to collect logs from the WatchGuard Firebox Firewall. Over time, Blumira will recommend modifications to these configurations depending on output.

For vendor documentation, please click here.

Configuring Syslog and an Output Destination

1. Select System > Logging.
   The Logging page appears.
2. Click the Syslog Server tab.
3. Select the Send log messages to these syslog servers check box.
4. Click Add.
   The Syslog Server dialog box appears.
5. In the IP Address text box, type the server IP address of the Blumira Sensor.
6. In the Port text box, the default syslog server port (514) appears. To change the server port, type or select a different port for your server.
7. From the Log Format drop-down list, select Syslog
8. Click OK.
8. (Optional) In the Description text box, type a description for the server.
9. To include the date and time that the event occurs on your Firebox in the log message details, select the The time stamp check box.
10. Do not check the box to include the device serial number
12. In the Syslog Settings section, for each type of log message, select a syslog facility from the drop-down list.
    • For high-priority syslog messages, such as alarms, select Local0.
    • To assign priorities for other types of log messages (lower numbers have greater priority), select Local1 – Local7.
    • To not send details for a message type, select NONE.
13. To restore the default settings, click Restore Defaults.
14. Click Save.

At this point the Blumira sensor will start receiving syslog communication from your WatchGuard Firebox Firewall.

Get a Free Cloud SIEM Trial

Try out Blumira’s automated detection & response platform for free and deploy a cloud SIEM in hours.