To collect WatchGuard Fireware OS events, you can use the Fireware XTM web user interface to configure your third-party appliance to send events to QRadar.
Before you begin
You must have Device Administrator access credentials.
Procedure
- Log in to the Fireware XTM web user interface for your Fireware or XTM device.
- Select System > Logging.
- In the Syslog Server pane, select the Send log messages to the syslog server at this IP address check box.
- In the IP Address text box, type the IP address for the QRadar Console or Event Collector.
- In the Port text box, type 514.
- From the Log Format list, select IBM® LEEF.
- Optional: Specify the details to include in the log messages.
  - To include the serial number of the XTM device in the log message details, select the The serial number of the device check box.
  - To include the syslog header in the log message details, select the The syslog header check box.
- For each type of log message, select one of the following syslog facilities:
  - For high-priority syslog messages, such as alarms, select Local0.
  - To assign priorities to other types of log messages, select an option from Local1 through Local7. Lower numbers have greater priority.
  - To not send details for a log message type, select NONE.
- Click Save.
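
To confirm on the receiving side that events arrive as configured, the following added example (not part of the original procedure, and not IBM or WatchGuard code) decodes the syslog facility selected above and the LEEF header from a received line. It assumes LEEF 1.0 with tab-separated attributes; the sample lines, host name, vendor and product strings are constructed.

```python
import re

# Syslog PRI = facility * 8 + severity; Local0..Local7 are facilities 16..23.
LOCAL_FACILITIES = {16 + n: f"Local{n}" for n in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample lines (vendor, product, event ID and fields are made up).
SAMPLE_LEEF = ("<134>Jan 10 12:00:00 fw01 LEEF:1.0|ExampleVendor|ExampleProduct|"
               "1.0|30000|src=192.0.2.10\tdst=198.51.100.20\tproto=tcp")
SAMPLE_PLAIN = "<142>Jan 10 12:00:01 fw01 plain text message, no LEEF payload"
SAMPLE_NO_HEADER = "LEEF:1.0|ExampleVendor|ExampleProduct|1.0|30001|src=192.0.2.11"


def parse_event(line):
    """Return facility, severity and LEEF 1.0 fields, or None if not LEEF."""
    event = {"facility": None, "severity": None}
    m = PRI_RE.match(line)
    if m:
        facility, severity = divmod(int(m.group(1)), 8)
        event["facility"] = LOCAL_FACILITIES.get(facility, f"facility{facility}")
        event["severity"] = SEVERITIES[severity]
    start = line.find("LEEF:")
    if start < 0:
        return None  # Log Format is probably not set to LEEF on the sender
    # LEEF 1.0 header: LEEF:version|vendor|product|product version|event ID|
    parts = line[start:].split("|", 5)
    if len(parts) < 6:
        return None  # truncated or malformed header
    event["leef_version"] = parts[0].split(":", 1)[1]
    event["vendor"], event["product"], event["event_id"] = parts[1], parts[2], parts[4]
    # LEEF 1.0 attributes are tab-separated key=value pairs.
    event["fields"] = dict(
        pair.split("=", 1) for pair in parts[5].split("\t") if "=" in pair
    )
    return event


if __name__ == "__main__":
    for sample in (SAMPLE_LEEF, SAMPLE_PLAIN, SAMPLE_NO_HEADER):
        print(parse_event(sample))
```

A `None` result for traffic from the firewall on port 514 indicates that the Log Format setting is not producing LEEF; a facility outside Local0 through Local7 indicates that the facility selection was not saved.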