About Logging, Log Files, and Notification
An important feature of network security is to gather messages from your security systems, to examine those records frequently, and to keep them in an archive for future reference. The WatchGuard log message system creates log files with information about security related events that you can review to monitor your network security and activity, identify security risks, and address them.
A log file is a list of events, along with information about those events. An event is one activity that occurs on the Firebox. An example of an event is when the Firebox denies a packet. Your Firebox can also capture information about allowed events to give you a more complete picture of the activity on your network.
To review the log messages generated by your Firebox and WatchGuard servers, you can use Traffic Monitor, Log Manager, or Dimension. For more information, see the subsequent sections.
The WatchGuard log message system has several components, which are described in the subsequent sections.
About Log Messages
Your Firebox and WatchGuard servers can send log messages to your WSM Log Server or to WatchGuard Dimension. Fireboxes can also send log messages to a syslog server or keep logs locally on the Firebox. You can choose to send log messages to one or both of these locations.
You can then use Firebox System Manager to see log messages in real-time on the Traffic Monitor tab. You can also examine log messages with Log Manager or WatchGuard Dimension. Log messages are kept on the WSM Log Server in the WatchGuard directory in an SQL database file with a .wgl.xml extension.
For more information about Dimension, see Set Up & Administer Dimension.
To learn more about the different kinds of log messages that the Firebox sends, see Types of Log Messages.
For more information about how to configure your Firebox to send log messages, see these topics:
- Set Logging and Notification Preferences
- Configure Logging Settings & Performance Statistics (Web UI)
- Send Log Messages to a WatchGuard Log Server (Web UI)
- Define Where the Firebox Sends Log Messages (WSM)
- Configure Logging and Notification for a Policy (Web UI)
- Configure Logging and Notification for a Policy (Policy Manager) (WSM)
For more information about some of the log messages generated by your Firebox, see the Fireware Log Catalog.
There are two methods to save log files with Fireware Web UI:
WatchGuard Log Server
You can use the WatchGuard System Manager (WSM) Log Server or WatchGuard Dimension. If you have a Firebox, you can configure a Log Server to collect log messages for your Firebox.
Syslog
This is a log interface developed for UNIX but also used on many other computer systems. If you use a syslog host, you can set your Firebox to send log messages to your syslog server. To find a syslog server compatible with your operating system, search the Internet for syslog daemon.
If your Firebox is configured to send log files to a WSM Log Server or to Dimension and the connection fails, the log files are not collected. To help prevent the loss of log files, you can configure your Firebox to also send log messages to a syslog host that is on the local trusted network.
For more information about how to send log messages to a WatchGuard Log Server, see Send Log Messages to a WatchGuard Log Server (Web UI).
For more information about WatchGuard Dimension, see Set Up & Administer Dimension.
For more information about how to send log messages to a syslog host, see Configure Syslog Server Settings.
WatchGuard Log Servers collect log message data from each connected Firebox or WatchGuard server. Log Servers receive information on TCP ports 4107 and 4115. Each Firebox that connects to the Log Server first sends its name, serial number, time zone, and software version, then sends log data as new events occur. The information that Fireboxes send includes traffic, alarm, event, debug, and performance statistics log messages. The serial number (SN) of the Firebox is used to uniquely identify the Firebox in the Log Server database. Though the log messages sent to your Log Server can originate from many time zones, the Log Server stores all log messages in UTC format. The Log Server uses multiple instances of the PostgreSQL database to manage its global database. Each instance of the PostgreSQL database appears in Windows Task Manager as a separate PostgreSQL process.
The Log Server uses several processes and modules to collect and store log message data. wlcollector.exe is the log collector process. Your Firebox connects to this process for logging on TCP ports 4115 or 4107. wlcollector.exe runs two modules: ap_collector and ap_notify. ap_collector gets the logs from the Firebox and puts them in the Log Server database. ap_notify gets alarms from the Firebox and sends the type of notifications you select.
Log messages are sent to the WatchGuard Log Server in XML (plain text) format and are encrypted for transit with an SSL connection (AES 256-bit). Log data is not encrypted while stored in the Log Server database.
You can install the WatchGuard Log Server on the computer that is your management computer, or on a different computer. You can also add additional Log Servers for backup and scalability. To do this, use the WatchGuard System Manager (WSM) installation program and select to install only the Log Server component.
After your Log Server has collected the log data from your Fireboxes, you can use the WatchGuard Report Server to periodically consolidate the data and generate reports. When the Report Server gets data from the Log Server, that log message data is sent over an encrypted SSL connection (AES 256-bit).
For more information about the Report Server, see About the Report Server.
Logging and Notification in Applications and Servers
The Log Server can receive log messages from your Firebox or a WatchGuard server. After you have configured your Firebox and Log Server, the Firebox sends log messages to the Log Server. You can enable logging in the various WSM applications and policies that you have defined for your Firebox to control the level of logs that you see. If you choose to send log messages from another WatchGuard server to the Log Server, you must first enable logging on that server.
For more information about sending log messages from your Firebox, see Configure Logging and Notification for a Policy (Policy Manager).
For more information about sending log messages from your WatchGuard server, see Configure Logging Settings for the Log Server.
WatchGuard Log Server uses the wlcollector.log and ap_collector.log files to store information about Firebox and database connections. This information includes authentication errors, challenge and response mismatches, and database access errors.
These files are stored by default in:
- Windows 8 and Windows 7 — C:\ProgramData\WatchGuard\logs\wlogserver\wlcollector
- Windows XP — C:\Documents and Settings\WatchGuard\logs\wlogserver\wlcollector\
Log information is stored in a PostgreSQL database. Each Log Server has four main database tables that store the log messages for all Fireboxes. The Log Server creates fixed-size partitions to store the log information in these databases. To manually modify the contents of the Log Server database, you can use the PostgreSQL command prompt or a third-party application such as pgadmin.
When a Firebox connects to the Log Server for the first time, the Log Server updates the global database with information about the new Firebox. Log messages from each Firebox are sent to one of the four Log Server database tables. The data in these tables is used when you look at log files or create a report in WatchGuard WebCenter.
Reports generated by a WatchGuard Report Server are stored as XML files in this directory:
- Windows 10, 8, and Windows 7 — C:\ProgramData\WatchGuard\wrserver\reports\
Performance and Disk Space
You can configure several Fireboxes to send log information to a single Log Server. This number is limited only by available disk space. However, the practical number of Fireboxes you can connect to your Log Server depends on the size and speed of its hard drives, the amount of available RAM, the number of processors, and the amount of log traffic each connected Firebox sends to the Log Server. You can greatly increase the performance of your Log Server by adding a faster hard drive, more memory, or another processor.
The Log Server includes a setting that you can change to automatically remove old log messages from the database. When you first set up a Log Server, we recommend that you measure how much disk space is used in an average day. Estimate how many days of log messages you can keep before the database takes up too much disk space, then change the settings to match that time interval. When log messages are removed from the database, the disk space is reused when new log entries are created.
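The sizing procedure above, as an added example that is not WatchGuard's own code or tooling: it turns a week of daily database size measurements into an average daily growth figure and the number of days of log messages that fit within a disk budget. The sample sizes, the disk budget, the 20% headroom and the required retention are constructed assumptions for illustration.

```python
"""Retention estimate for a Log Server database from daily size samples.

The measurements, budget and thresholds below are constructed for this
example; they are not WatchGuard defaults or settings."""
from statistics import mean

# Constructed sample: total Log Server database size in MB, measured once a
# day over one week, before the automatic removal setting is enabled.
# Sizes are cumulative, so the daily growth is the day-to-day difference.
SAMPLE_DB_SIZE_MB = [12000, 12780, 13590, 14340, 15180, 15900, 16680]


def daily_growth_mb(sizes):
    """Average growth per day from consecutive cumulative size samples."""
    if len(sizes) < 2:
        raise ValueError("need at least two daily samples")
    deltas = [later - earlier for earlier, later in zip(sizes, sizes[1:])]
    if any(d < 0 for d in deltas):
        # A shrinking database means old messages were already purged,
        # which would understate the true daily growth.
        raise ValueError("measure growth before enabling automatic removal")
    return mean(deltas)


def retention_days(sizes, disk_budget_mb, headroom=0.2):
    """Whole days of log messages that fit in the budget, after reserving
    a fraction of it as headroom (assumed 20%) for indexes and reports."""
    usable_mb = disk_budget_mb * (1 - headroom)
    return int(usable_mb // daily_growth_mb(sizes))


def check_retention(sizes, disk_budget_mb, required_days, headroom=0.2):
    """Return (days_that_fit, ok); ok is False when the disk cannot hold
    the number of days your retention requirement demands."""
    days = retention_days(sizes, disk_budget_mb, headroom)
    return days, days >= required_days


if __name__ == "__main__":
    # Assumed 200 GB of disk for the database and a 90-day requirement.
    days, ok = check_retention(SAMPLE_DB_SIZE_MB, 200_000, 90)
    print(f"average growth: {daily_growth_mb(SAMPLE_DB_SIZE_MB)} MB/day")
    print(f"{days} days fit in the budget; requirement met: {ok}")
```

When the check fails, either raise the disk budget or lower the time interval in the automatic removal setting to the number of days that fit.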
The reindexdb utility rebuilds the indexes in one or more PostgreSQL database tables for better performance. This utility should be run only at the recommendation of a WatchGuard support representative.
You can use the Log Manager and Report Manager pages of the interactive WatchGuard WebCenter web UI to see the details in your log files, view generated reports from your Fireboxes and WatchGuard servers, and generate on-demand reports. When you open a report, you can pivot on the data in any report to see the granular details included in the report. Each report includes links to related report details.
On the Firebox System Manager (FSM) Traffic Monitor tab, you see log messages from your Firebox as they occur. On some networks, there can be a short delay as log messages are sent. Traffic Monitor can help you troubleshoot network performance. For example, you can see which policies are used most, or whether external interfaces are constantly used to their maximum capacity.
For more information, see Device Log Messages (Traffic Monitor).
System Status Traffic Monitor
On the Fireware Web UI Traffic Monitor page, you see log messages from your Firebox as they occur. On some networks, there can be a short delay as log messages are sent. Traffic Monitor can help you troubleshoot network performance. For example, you can see which policies are used most, or whether external interfaces are constantly used to their maximum capacity.
For more information, see Traffic Monitor.