Cyber Security: Setting up a syslog collector on a Sophos XG firewall

2/7/19

We setup syslog collectors all the time for when we are tracking firewall events and push them to either a NAS for cold storage or to a SIEM system like our recent partner, SocSoter, and I thought it would be helpful if a simple write up showing how to setup the syslog might be helpful to others.

Below is the steps to take to setup Syslog on a Sophos XG 135w Firewall:

Step 1:

Log into the Sophos firewall look at the main dashboard. Find ‘System Services’ under the ‘Configure’ section and then click on the ‘Log Settings’ tab as shown below:

Step 2:

Click on the add button like shown below:

Step 3:

Enter in the detail of your syslog collector or SIEM device. Typically most SIEM system use a default port of 514, and then don’t forget to choose your severity level. As an example if you choose the debug option it will push all information from debug all the way up to the least important like emergency, however if you select notification it will go from notification upward to emergency but not the information below notification.

I don’t recommend you do debug cause it could be allow of data.

Below is a way you can set it up:

Step 4: 

Next you must select the information you want to send to your syslog collector or SIEM system. As you’ll notice in the picture below, you’ll see a black mark, the top box on the list selects every setting possible, whereas the one for the firewall only select all of the settings for the firewall section. Enable the setting you want to monitor or all of them, as shown below:

Step 5: 

Once your finish hit the apply button at the bottom and your good to go!

I hope this quick guide was helpful to someone and you found in handy. 🙂

Cheers! 😀