Configuring Firewall Log Analyzer (Firewall log ingestion)

This article explains how to configure firewall log ingestion in Kaseya SIEM using the Firewall Log Analyzer application.

Firewall log ingestion is configured at the organization level through Settings > Application Configurations. This configuration determines how firewall and network‑device logs are ingested and which deployed agent receives and processes those logs.

This article explains where to configure firewall log ingestion, what each screen represents, and how supported firewall vendors fit into the model. It does not include vendor‑specific firewall setup instructions.

How firewall log ingestion works

In Kaseya SIEM, firewall log ingestion is:

  • Organization‑scoped, not device‑scoped

  • Configured through Settings, using organization‑level overrides

  • Currently implemented as a centralized, syslog‑based ingestion model

Firewall devices themselves are not deployed or configured from the SIEM interface. They are configured externally to send syslog telemetry to a designated log‑receiving device.

The Devices > Firewalls view is used only for visibility and validation after ingestion has been configured. It is not used to configure firewalls or ingestion behavior.

Step 1: Open Application Configurations

Firewall log ingestion is configured from Settings > Application Configurations, within the context of a specific organization.

Organization‑level overrides are used to:

  • Enable firewall log ingestion for an organization

  • Define how firewall logs are ingested and handled

  • Select the deployed device that will receive and process firewall logs

This configuration approach is conceptually similar to RocketCyber, although UI labels and workflows differ.

Step 2: Select the organization and application

  1. From the side navigation menu, click Settings.

  2. Select Application Configurations.

  3. Click + New override, or select an existing organization override.

  4. In Select an Organization, choose the target organization.

  5. In Application, select Firewall Log Analyzer.

  6. Click Confirm.

This opens an organization‑scoped configuration for firewall log ingestion. Select Firewall Log Analyzer only when configuring firewall log ingestion. Other applications in this list control different detection or analysis capabilities and do not ingest firewall logs.

Step 3: Review organization details

At the top of the Firewall Log Analyzer screen, the Organization details panel provides context, including:

  • Organization name

  • Group assignment

  • PSA status

  • Last online timestamp

Use these details to confirm that you are configuring firewall log ingestion for the correct organization.

Step 4: Select the syslog server device

  1. Open the Syslog servers tab.

  2. Click + New device.

  3. Select a device from the list of already deployed agents.

  4. Click Add device.

  5. A confirmation message appears. The selected device becomes the syslog server device, meaning it will receive and process firewall logs.

Important notes about the syslog server device

  • The device must already have the agent deployed

  • Devices are selected from existing endpoints with an agent installed

  • Firewall devices themselves do not appear in this list

  • This device acts only as a log receiver and processor, not as the firewall

Step 5: Configure syslog settings

  1. Open the Syslog configurations tab.

  2. Configure the required syslog settings, such as:

    • Syslog server IP

    • Syslog server port (for example, 514)

    • Syslog protocol

    • Log storage and retention options

    • Event filtering or exclusion options, if applicable

Syslog configuration fields

The Syslog configurations tab controls how firewall logs are received, filtered, and stored after they arrive at the log‑receiving device.

These settings control ingestion behavior only. They do not configure firewall devices themselves and do not define vendor‑specific logging rules.

  • Syslog Server Device: Selects the deployed agent that acts as the syslog server for firewall log ingestion. Only devices with an agent already installed appear in this list.

  • Syslog Server IP: The destination address that firewall devices send syslog data to

  • Syslog Server Port: The port used to receive syslog data (default is typically 514)

  • Syslog Server Protocol: The protocol used for syslog communication

  • Max Daily Results: Limits the number of syslog events processed per day

  • Save Copy of Logs to Monitoring Device Hard Drive: Controls whether logs are temporarily stored locally

  • Maximum Allowed Size for Local Log Save (in GB): Sets the disk limit for locally stored logs

  • Don’t Report Events Lower Than This Priority: Reduces noise by filtering lower‑priority events

  • Forward IP / Forward Port: Optional forwarding destination for received syslog data

  • IPs / MACs of Network Devices to Exclude: Excludes events from specific network devices

IMPORTANT  These settings affect log ingestion and handling only. They do not modify SIEM detection logic, investigation workflows, or SOC response behavior.
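To make the effect of the priority, exclusion, and daily-cap fields concrete, the following added example (not Kaseya code, and not a description of the product's internal implementation) applies equivalent filters to a handful of constructed firewall syslog lines. It assumes "priority" maps to the RFC 3164 syslog severity carried in the <PRI> prefix, where a numerically higher severity means a lower priority; the threshold, cap, and exclusion values are constructed stand-ins, not product defaults.

```python
import re
from collections import Counter

# Constructed stand-ins for the Syslog configurations tab fields (assumptions, not product defaults)
MIN_SEVERITY = 4                  # "Don't Report Events Lower Than This Priority": keep severity <= 4 (warning)
MAX_DAILY_RESULTS = 3             # "Max Daily Results"
EXCLUDED_DEVICES = {"10.0.0.9"}   # "IPs / MACs of Network Devices to Exclude"

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line):
    """Decode the RFC 3164 <PRI> prefix: PRI = facility*8 + severity (0=emerg ... 7=debug)."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # 191 is the largest valid PRI (facility 23, severity 7)
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def filter_events(events, min_severity=MIN_SEVERITY, max_daily=MAX_DAILY_RESULTS, excluded=EXCLUDED_DEVICES):
    """Apply the tab's filters to (source_ip, raw_line) pairs received in one day.
    Returns (accepted, dropped): accepted is a list of (source_ip, severity, message),
    dropped is a Counter of drop reasons, handy when validating in Devices > Firewalls."""
    accepted, dropped = [], Counter()
    for src, line in events:
        if src in excluded:
            dropped["excluded_device"] += 1
            continue
        parsed = parse_pri(line)
        if parsed is None:
            dropped["malformed_pri"] += 1
            continue
        _facility, severity, msg = parsed
        if severity > min_severity:          # numerically higher severity = lower priority
            dropped["below_priority"] += 1
            continue
        if len(accepted) >= max_daily:
            dropped["daily_cap"] += 1
            continue
        accepted.append((src, severity, msg.strip()))
    return accepted, dropped

# Constructed sample lines in the shape of firewall syslog (facility 16 = local0)
SAMPLE_EVENTS = [
    ("10.0.0.1", "<132>Jan 10 10:00:01 fw1 deny tcp 203.0.113.5:4444 -> 10.0.0.20:445"),  # local0.warning
    ("10.0.0.1", "<135>Jan 10 10:00:02 fw1 session open tcp 10.0.0.20 -> 93.184.216.34"), # local0.debug
    ("10.0.0.9", "<131>Jan 10 10:00:03 lab-fw error: config sync failed"),                # excluded device
    ("10.0.0.1", "<130>Jan 10 10:00:04 fw1 critical: VPN tunnel down"),                   # local0.crit
    ("10.0.0.1", "garbage without a PRI header"),                                         # malformed
    ("10.0.0.1", "<129>Jan 10 10:00:05 fw1 alert: admin login from 198.51.100.7"),        # local0.alert
    ("10.0.0.1", "<132>Jan 10 10:00:06 fw1 deny udp 203.0.113.5:53 -> 10.0.0.20:53"),     # over daily cap
]

if __name__ == "__main__":
    kept, drops = filter_events(SAMPLE_EVENTS)
    for src, sev, msg in kept:
        print(f"{src} sev={sev} {msg}")
    print(dict(drops))
```

Dropped-reason counts like these are what you would compare against the firewall's own logging statistics when a device shows up in Devices > Firewalls but fewer events than expected arrive.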

Step 6: Configure the firewall to send syslog telemetry

After completing the syslog configuration in Firewall Log Analyzer, configure your firewall device to forward syslog events using the values displayed in the Syslog configurations tab.

On the firewall platform (for example, Cisco, Fortinet, Palo Alto):

  • Set the syslog destination IP to the Syslog Server IP shown in Firewall Log Analyzer

  • Set the syslog destination port to the Syslog Server Port shown in Firewall Log Analyzer

  • Set the syslog protocol to match the Syslog Server Protocol selected in Firewall Log Analyzer.

This configuration is performed on the firewall itself, using vendor‑specific management tools. Kaseya SIEM does not configure firewall devices directly.

As long as the firewall platform is a supported vendor and is configured to send syslog telemetry using the displayed IP, port, and protocol, Kaseya SIEM will ingest and display the firewall log data.

Firewall devices do not appear as applications in the SIEM UI and are not configured from the SIEM interface.

Step 7: Save the configuration

  1. Click Save.

  2. Confirm that the configuration is saved successfully.

Once saved, firewall log ingestion is enabled for the organization using the defined settings.

How Devices relate to firewall log ingestion

Devices > Firewalls is not used to configure firewall log ingestion.

It is used to:

  • Validate that a firewall has registered and is sending data

  • Confirm connectivity and visibility after configuration

  • Remove a firewall entry if needed

Devices > Firewalls is an inventory and management surface, not a configuration surface.

Supported firewall vendors

Firewall Log Analyzer supports firewall log ingestion from the same vendors supported in RocketCyber.

Supported vendors include, but are not limited to:

  • Cisco Meraki

  • Cisco ASA

  • Cisco Firepower

  • Fortinet

These platforms can send telemetry to Kaseya SIEM using standard syslog mechanisms.

The list of supported firewall vendors reflects current ingestion capabilities. The specific vendors supported in your environment may vary, and the Kaseya SIEM UI remains the authoritative source for available configuration options.

Related articles

  • Deploying agents: Install agents on supported devices before selecting them as log‑receiving devices