Configuring your WatchGuard Fireware OS appliance in Fireware XTM for communication with QRadar

To collect WatchGuard Fireware OS events, you can use the Fireware XTM web user interface to configure your third-party appliance to send events to QRadar.

Before you begin

You must have Device Administrator access credentials.

Procedure

  1. Log in to the Fireware XTM web user interface for your Fireware or XTM device.
  2. Select System > Logging.
  3. In the Syslog Server pane, select the Send log messages to the syslog server at this IP address check box.
  4. In the IP Address text box, type the IP address for the QRadar Console or Event Collector.
  5. In the Port text box, type 514.
  6. From the Log Format list, select IBM® LEEF.
  7. Optional: Specify the details to include in the log messages.
    1. To include the serial number of the XTM device in the log message details, select the The serial number of the device check box.
    2. To include the syslog header in the log message details, select the The syslog header check box.
    3. For each type of log message, select one of the following syslog facilities:
      • For high-priority syslog messages, such as alarms, select Local0.
      • To assign priorities to other types of log messages, select an option from Local1 through Local7. Lower numbers have greater priority.
      • To not send details for a log message type, select NONE.
  8. Click Save.
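
After you save, you can confirm on the receiving side that events arrive in LEEF and carry the syslog facility chosen in step 7. The following Python sketch is an added example, not part of the original procedure or of any WatchGuard or IBM tooling; it assumes an RFC 3164-style priority prefix and the standard LEEF 1.0 and 2.0 header layout, and its sample lines are constructed placeholders rather than device output.

```python
import re

# Syslog PRI = facility * 8 + severity; facility codes 16-23 are local0-local7.
LOCAL = {16 + n: f"local{n}" for n in range(8)}
PRI_RE = re.compile(r"^<(\d{1,3})>")
HEX_DELIM_RE = re.compile(r"(?:0x|x)([0-9A-Fa-f]{2,4})")

def parse_leef_syslog(line):
    """Decode the syslog PRI (if present) and the LEEF header and attributes."""
    out = {"facility": None, "severity": None}
    pri = PRI_RE.match(line)
    if pri:
        value = int(pri.group(1))
        if value > 191:
            raise ValueError("syslog PRI out of range")
        out["facility"] = LOCAL.get(value >> 3, f"facility{value >> 3}")
        out["severity"] = value & 7
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header: check the Log Format setting")
    parts = line[start:].rstrip("\r\n").split("|", 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    out["leef_version"] = parts[0][len("LEEF:"):]
    out["vendor"], out["product"], out["version"], out["event_id"] = parts[1:5]
    rest, delim = parts[5], "\t"          # LEEF 1.0 attributes are tab-separated
    if out["leef_version"].startswith("2"):
        spec, _, rest = rest.partition("|")   # LEEF 2.0 adds a delimiter field
        hexspec = HEX_DELIM_RE.fullmatch(spec)
        delim = chr(int(hexspec.group(1), 16)) if hexspec else (spec or "\t")
    out["attrs"] = dict(p.partition("=")[::2] for p in rest.split(delim) if "=" in p)
    return out

# Constructed sample lines (not captured from a device); vendor, product,
# version, event ID and host name are placeholders.
SAMPLE_WITH_HEADER = ("<134>Jan 12 10:15:02 fw-example "
                      "LEEF:1.0|ExampleVendor|ExampleFW|0.0|EXAMPLE-0001|"
                      "src=192.0.2.10\tdst=198.51.100.7\tproto=tcp")
SAMPLE_NO_HEADER = ("LEEF:2.0|ExampleVendor|ExampleFW|0.0|EXAMPLE-0002|^|"
                    "src=192.0.2.10^dst=198.51.100.7")

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_HEADER, SAMPLE_NO_HEADER):
        print(parse_leef_syslog(sample))
```

A line that raises the "no LEEF header" error indicates that the Log Format selection in step 6 did not take effect for that message type.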