WatchGuard XTM is a firewall appliance that logs the traffic passing between your network and the outside world: how much data each internal host sends, where that data goes, and which remote host receives it. InsightIDR ingests those logs over syslog.
Before You Begin
You must configure the WatchGuard firewall to send its logs to a syslog server, in this case the InsightIDR collector. Instructions on how to do so can be found at the following links:
Make sure your network interface names do not contain spaces
WatchGuard firewalls include the name of the interface (NIC) that handled the traffic in each syslog message. The name is written unquoted and unescaped, so a space inside it is indistinguishable from the space that separates fields: every field after the interface name shifts by one position, the space-delimited parser reads the wrong values into the wrong fields, and InsightIDR cannot parse the event. Rename any interface whose name contains a space (for example, use "External1" rather than "External 1") before you enable logging.
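The following is an added example, not code from the original page or from Rapid7 or WatchGuard, showing why an unescaped space in an interface name breaks a positional, space-delimited parser. The line layout it parses (timestamp, hostname, interface, source IP, destination IP, action) is a constructed simplification for illustration and is not the real WatchGuard XTM log format; the sample lines are constructed as well. It also includes a small pre-deployment check you can run over your list of interface names.

```python
"""Added example: field shift caused by a space in an interface name.

The positional layout and the sample log lines below are constructed for
illustration only; they are NOT the real WatchGuard XTM syslog format.
"""
from __future__ import annotations

import re
from typing import Dict, Iterable, List

# Constructed layout, fields separated by single spaces:
#   <timestamp> <hostname> <interface> <src_ip> <dst_ip> <action>
FIELDS = ("timestamp", "hostname", "interface", "src_ip", "dst_ip", "action")

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line: str) -> Dict[str, str]:
    """Naive positional parser: split on whitespace and assign tokens to
    fields by position. Nothing is quoted or escaped, exactly like the
    parser the page describes, so an extra space shifts every later field."""
    tokens = line.split(None, len(FIELDS) - 1)  # last field keeps any remainder
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    return dict(zip(FIELDS, tokens))


def validate_event(event: Dict[str, str]) -> List[str]:
    """Return the names of fields whose value does not look like what that
    position should hold. An empty list means the event parsed sanely."""
    return [key for key in ("src_ip", "dst_ip") if not IPV4.match(event[key])]


def interface_names_with_spaces(names: Iterable[str]) -> List[str]:
    """Pre-deployment check: interface names that will break the parser."""
    return [n for n in names if any(ch.isspace() for ch in n)]


# Constructed sample lines (not real firewall output).
GOOD_LINE = "2024-01-01T00:00:00Z fw1 External 10.0.0.5 203.0.113.7 Allow"
BAD_LINE = "2024-01-01T00:00:00Z fw1 External 1 10.0.0.5 203.0.113.7 Allow"


def demo() -> Dict[str, List[str]]:
    """Parse both lines and report which fields came out wrong."""
    return {
        "good": validate_event(parse_line(GOOD_LINE)),
        "bad": validate_event(parse_line(BAD_LINE)),
    }


if __name__ == "__main__":
    for name, line in (("good", GOOD_LINE), ("bad", BAD_LINE)):
        event = parse_line(line)
        print(name, event, "problems:", validate_event(event))
    print("interfaces to rename:", interface_names_with_spaces(["External", "External 1", "Trusted"]))
```

With the interface named "External 1", the parser reads "1" as the source IP and pushes the real source address into the destination field; `validate_event` catches the first of those because "1" is not an address, but the destination field still silently holds the wrong value, which is why renaming the interface is the fix rather than relying on validation after the fact.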
How to Configure This Event Source in InsightIDR
- From your dashboard, select Data Collection on the left-hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method and specify a port and a protocol.
- If you chose TCP, you can optionally encrypt the event source by downloading the Rapid7 certificate.
- Click Save.
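Once the event source is saved, it helps to confirm that the collector is actually listening on the port and protocol you selected before touching the firewall. The script below is an added example, not part of the original page or of Rapid7's tooling: it builds an RFC 3164 style syslog message and sends it in plaintext over UDP or TCP to a collector address and port that you supply (the defaults `10.0.0.10` and `514` are placeholders). A message like this will not parse as a WatchGuard event; its purpose is only to show up on the collector as received data so you know the network path and listener are correct. It does not exercise the TLS option.

```python
"""Added example: send a plaintext test syslog message to an InsightIDR
collector to confirm the chosen port/protocol is listening.

The collector address and port are placeholders; replace them with yours.
"""
from __future__ import annotations

import argparse
import socket
from datetime import datetime

# RFC 3164 facility/severity codes; local0 (16) and informational (6) are
# reasonable defaults for a test message.
LOCAL0 = 16
INFO = 6


def build_syslog_message(facility: int, severity: int, hostname: str,
                         tag: str, text: str, when: datetime | None = None) -> str:
    """Return an RFC 3164 style line: <PRI>Mmm dd HH:MM:SS host tag: text.

    PRI is facility * 8 + severity. The day of month is space-padded to two
    characters, as the RFC's timestamp format requires."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {tag}: {text}"


def send_syslog(message: str, host: str, port: int, proto: str = "udp",
                timeout: float = 3.0) -> int:
    """Send one message and return the number of bytes written.

    For TCP, newline framing is used (one message per line), which is the
    common non-transparent framing for plaintext syslog over TCP."""
    payload = message.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            return sock.sendto(payload, (host, port))
    if proto == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload + b"\n")
            return len(payload) + 1
    raise ValueError("proto must be 'udp' or 'tcp'")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Send a test syslog line to a collector.")
    parser.add_argument("--host", default="10.0.0.10", help="collector address (placeholder)")
    parser.add_argument("--port", type=int, default=514, help="port chosen in InsightIDR")
    parser.add_argument("--proto", choices=("udp", "tcp"), default="udp")
    args = parser.parse_args()
    msg = build_syslog_message(LOCAL0, INFO, "fw-test", "insightidr-test",
                               "collector reachability check")
    sent = send_syslog(msg, args.host, args.port, args.proto)
    print(f"sent {sent} bytes via {args.proto} to {args.host}:{args.port}: {msg}")
```

Run it from a host that can reach the collector, with the port and protocol you entered in the event source. If the line appears in the collector's received data, the listener is correct and any remaining parsing problems are on the firewall side (interface names, log format); if nothing arrives, check host firewalls and routing between the firewall's management interface and the collector before changing anything in InsightIDR.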