syslogs sent to external SIEM monitor, logs not being sent

WG M370 v12.4.1; wsm/fsm 12.5.3

In Logging Setup, under Syslog Server > (checked) Send Log messages to these Syslog servers:

I have the IP address and Port of the SIEM server; log format "Syslog".

My old XTM 515 sent the logs with this setup, my M370 doesn't seem to be sending the logs. (Per the SIEM monitors)

Should I be able to see the logs being sent in the 'Traffic Monitor' if I sort by the Syslog Server IP?

Comments

  • Only if you have selected "Enable logging for traffic sent from this device" in Diagnostic Logging in Policy Manager or in Logging in the Web UI.

  • Yes, that has been selected.

  • james.carson Moderator, WatchGuard Representative

    Hi @bford

    syslog is plain text, so you can verify it via packet capture

    In Firebox System Manager, assuming your syslog server is on eth1, something like
    -i eth1 host 192.168.10.100 and port 514

    Should capture the syslog traffic, and you can read it in something like wireshark, and verify if it's even happening. Syslog is UDP, so it's basically just sent with no verification.

    -James Carson
    WatchGuard Customer Support
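    To complement the packet-capture check above, here is an added example (not code from the original thread, WatchGuard, or the SIEM vendor) of a small UDP syslog receiver in Python. Run it on a host in place of the SIEM (or alongside a capture) to confirm that datagrams really arrive from the Firebox, and that the `<PRI>` prefix decodes to a sensible facility and severity. The listening port 514 and the sample datagram are assumptions chosen for illustration; adjust the port to whatever you configured under Logging Setup.

```python
"""Minimal UDP syslog receiver/parser for verifying that a firewall
is actually delivering log messages (added example, not vendor code)."""
import re
import socket

# Assumed values: change LISTEN_PORT to the port set in Logging Setup.
LISTEN_HOST = "0.0.0.0"
LISTEN_PORT = 514

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(raw: bytes) -> dict:
    """Decode the <PRI> prefix of a syslog datagram.

    Returns facility/severity names plus the remaining message text.
    A datagram without a valid PRI (missing, or a value above 191) is
    returned with facility/severity set to None so that malformed
    packets stay visible instead of being silently dropped."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if not m:
        return {"facility": None, "severity": None, "message": text}
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the maximum
        return {"facility": None, "severity": None, "message": text}
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "message": m.group(2),
    }


def receive(max_messages: int = 5, timeout: float = 30.0) -> list:
    """Listen for UDP syslog datagrams and return the parsed results
    together with the sender IP, so the Firebox can be confirmed as
    the source. Returns whatever arrived before the timeout expired."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((LISTEN_HOST, LISTEN_PORT))
        sock.settimeout(timeout)
        while len(results) < max_messages:
            try:
                data, (src_ip, _src_port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            parsed = parse_syslog(data)
            parsed["source"] = src_ip
            results.append(parsed)
    return results


if __name__ == "__main__":
    # Constructed sample datagram: local0.info, as a firewall might emit.
    sample = b"<134>Jan  1 00:00:00 firebox traffic: Allow 10.0.0.5 -> 10.0.0.9"
    print(parse_syslog(sample))
    # Binding to port 514 normally needs root; stop after the timeout.
    for entry in receive():
        print(entry)
```

    If nothing is printed within the timeout while the Firebox is configured to send to this host, the problem is upstream of the SIEM (routing, policy, or the Logging Setup entry itself); if datagrams arrive but with an unexpected facility or severity, the SIEM's filters may be discarding them.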
