Configuring your WatchGuard Fireware OS appliance in Policy Manager for communication with QRadar
To collect WatchGuard Fireware OS events, you can use the Policy Manager to configure your third-party appliance to send events to QRadar®.
Before you begin
You must have Device Administrator access credentials.
- Open the WatchGuard System Manager.
- Connect to your Firebox or XTM device.
- Start the Policy Manager for your device.
- To open the Logging Setup window, select Setup > Logging.
- Select the Send log messages to this syslog server check box.
- In the IP address text box, type the IP address for your QRadar Console or Event Collector.
- In the Port text box, type 514.
- From the Log Format list, select IBM® LEEF.
- Optional: Specify the details to include in the log messages.
  - Click Configure.
  - To include the serial number of the XTM device in the log message details, select the The serial number of the device check box.
  - To include the syslog header in the log message details, select the The syslog header check box.
  - For each type of log message, select one of the following
    - For high-priority syslog messages, such as alarms, select Local0.
    - To assign priorities to other types of log messages, select an option from Local1 through Local7. Lower numbers have greater priority.
    - To not send details for a log message type, select NONE.
  - Click OK.
- Click OK.
- Save the configuration file to your device.
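
To check on the receiving side that messages arrive with the facility and format selected above, the following added example (not part of the original procedure or of any IBM or WatchGuard code) decodes the syslog PRI value into Local0 through Local7 and splits a LEEF 1.0 header and its attributes. The sample lines, vendor and product strings, event IDs and attribute names are constructed placeholders, and the parser assumes LEEF 1.0 with tab-separated attributes.

```python
import re

# Syslog facility codes 16-23 map to local0-local7 (RFC 3164 / RFC 5424).
LOCAL_FACILITIES = {16 + n: f"Local{n}" for n in range(8)}
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample lines; vendor, product, event IDs and attributes are placeholders.
SAMPLES = [
    "<131>Jan 12 10:15:02 fw01 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|1000|"
    "src=192.0.2.10\tdst=198.51.100.5\tproto=tcp",
    "<142>Jan 12 10:15:03 fw01 LEEF:1.0|ExampleVendor|ExampleProduct|1.0|2000|"
    "src=192.0.2.11\tmsg=sample traffic log",
]


def parse_syslog_leef(line):
    """Decode the syslog PRI (if present) and the LEEF 1.0 header and attributes."""
    event = {"facility": None, "severity": None}
    match = PRI_RE.match(line)
    if match:
        pri = int(match.group(1))
        if pri > 191:  # highest valid PRI is facility 23, severity 7
            raise ValueError(f"invalid PRI value {pri}")
        code = pri >> 3
        event["facility"] = LOCAL_FACILITIES.get(code, f"facility{code}")
        event["severity"] = pri & 7
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header; check the Log Format setting")
    fields = line[start:].split("|", 5)
    if len(fields) < 6:
        raise ValueError("truncated LEEF header")
    event["leef_version"] = fields[0][len("LEEF:"):]
    event["vendor"], event["product"], event["version"], event["event_id"] = fields[1:5]
    # LEEF 1.0 attributes are tab-separated key=value pairs.
    event["attrs"] = dict(kv.split("=", 1) for kv in fields[5].split("\t") if "=" in kv)
    return event


if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_syslog_leef(sample)
        print(parsed["facility"], parsed["severity"], parsed["event_id"], parsed["attrs"])
```

A line that carries no PRI value is still parsed, with `facility` and `severity` left as `None`; a line without a LEEF header raises `ValueError`.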