Define Where the Firebox Sends Log Messages (WSM)
From Policy Manager, you can configure your Firebox to generate log messages for events that occur at the device. You can then examine the log files and make decisions about how to add more security to your network. You must specify where the Firebox sends log messages. You can choose to send log messages to a WatchGuard Log Server, a syslog server, or save the log messages on the device.
After you configure where your device sends log messages, you enable logging in the policies and features configured on your device.
For more information, see Configure Logging and Notification for a Policy (Policy Manager) and Set Logging and Notification Preferences.
Because the logging settings you specify on your device can impact the performance of your device, you must consider where it is most necessary to enable logging in your device configuration settings. Typically, the more log messages your device generates, the greater the impact on the performance of your device, but this can also depend on the log level that you have selected. After you configure logging on your device, if you notice a decrease in performance on your device, you can review your logging settings and adjust them as necessary to increase performance. When you set the Diagnostic Log Level for your device, WatchGuard recommends that you do not select the Debug log level unless WatchGuard Technical Support directs you to do so, because this log level significantly increases the number of log messages generated. For more information, see Set the Diagnostic Log Level.
To specify where your device sends log messages:
- Select Setup > Logging.
The Logging Setup dialog box appears with the Log Servers 1 tab selected.
- Configure the logging settings for the WatchGuard Log Server, syslog server, and Firebox internal storage.
WatchGuard Log Server
To send log messages to your WatchGuard Log Servers (Dimension or WSM Log Servers), select the Send log messages to these Log Servers check box. A Firebox can send log messages to a WatchGuard Log Server and a syslog server at the same time.
You can configure your device to send log messages to up to two sets of Log Servers at the same time. For both sets of Log Servers, if the Firebox cannot connect to the primary Log Server in the set, it tries to connect to the next Log Server in the priority list for that set. If the device examines each Log Server in the list and cannot connect, it tries to connect to the first Log Server in the list again. When the primary Log Server is not available, and the device is connected to a backup Log Server, the device tries to reconnect to the primary Log Server every 6 minutes. This does not impact the device connection to the backup Log Server until the primary Log Server is available.
To add or edit the addresses for your Log Servers, click Configure and select a tab: Log Servers 1 or Log Servers 2. You can add up to five Log Servers to the list on each tab.
For more information, see Add a Log Server.
Log messages that are sent to a WatchGuard Log Server are encrypted when they are sent to the server.
For more information, see About Logging, Log Files, and Notification.
Syslog Server
To send log messages to your syslog server, select the Send log messages to this syslog server check box. A Firebox can send log messages to a WatchGuard Log Server and a syslog server at the same time.
In the IP address text box, type the IP address for your syslog server.
In the Port text box, the default syslog server port (514) appears. To change the syslog server port, type or select a different port for your syslog server.
From the Log Format drop-down list, select an option:
- To send log messages to your syslog server, select Syslog.
- To send log messages to your QRadar server, select IBM LEEF.
To configure additional settings for the syslog or QRadar server, click Configure.
For more information, see Configure Syslog Server Settings.
Log messages that are sent to a syslog server are not encrypted.
Firebox Internal Storage
To store log messages on the Firebox, select the Send log messages in Firebox internal storage check box. These log messages are also included in the support.tgz file.
For more information about the support.tgz file, see Traffic and Performance Statistics (Status Report).
There is a limited amount of storage on your Firebox for log message data. To save all the log messages you might need for later review, make sure to also configure your Firebox to send log messages to one or more instances of Dimension or WSM Log Servers. For more information, see the WatchGuard Log Server section.
Performance Statistics
By default, the Firebox sends log messages about external interface performance and VPN bandwidth statistics to your log file. To disable this type of log message, click Performance Statistics.
For more information, see Include Performance Statistics in Log Messages.
Diagnostic Log Level
To set the level of diagnostic logging to write to your log file or to view in Traffic Monitor for each logging category, click Diagnostic Log Level.
For more information, see Set the Diagnostic Log Level.
For more information about Traffic Monitor, see Device Log Messages (Traffic Monitor).
- To send a log message to the selected log message destinations when the configuration for your Firebox changes, select the Send log messages when the configuration for this Firebox is changed check box.
You can review these Firebox audit trail log messages in Log Manager or in the Audit Trail report.
- Click OK.
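The Log Server failover behavior described in the WatchGuard Log Server section determines which server holds the log messages for a given time window, which matters when you reconstruct events after an outage. The following model is an added example, not WatchGuard code: the class and function names, the one-minute step, and the 192.0.2.x addresses are constructed, and it assumes that after any lost connection the device walks the priority list from the top.

```python
from dataclasses import dataclass

PRIMARY_RETRY_SECONDS = 6 * 60  # page: primary is retried every 6 minutes
MAX_SERVERS_PER_SET = 5         # page: up to five Log Servers per tab


@dataclass
class LogServerSet:
    """Model of one set (Log Servers 1 or Log Servers 2); hypothetical name."""
    servers: list                 # priority order, index 0 is the primary
    current: int = -1             # index of the connected server, -1 = none
    last_primary_try: float = 0.0

    def __post_init__(self):
        if not 1 <= len(self.servers) <= MAX_SERVERS_PER_SET:
            raise ValueError("a set holds one to five Log Servers")

    def tick(self, now, reachable):
        """Advance to time `now` (seconds). `reachable` is the set of servers
        accepting connections. Returns the connected server, or None."""
        connected = self.current >= 0 and self.servers[self.current] in reachable
        if not connected:
            # Assumption: walk the list from the top; if nothing answers,
            # the next tick starts again at the first server.
            self.current = next(
                (i for i, s in enumerate(self.servers) if s in reachable), -1)
            self.last_primary_try = now
        elif self.current > 0 and now - self.last_primary_try >= PRIMARY_RETRY_SECONDS:
            # On a backup: probe the primary. A failed probe leaves the
            # backup connection untouched.
            self.last_primary_try = now
            if self.servers[0] in reachable:
                self.current = 0
        return self.servers[self.current] if self.current >= 0 else None


def simulate(servers, outages, duration, step=60):
    """outages maps server -> (start, end) seconds during which it is down.
    Returns a list of (time, connected_server) pairs."""
    log_set = LogServerSet(list(servers))
    timeline = []
    for t in range(0, duration + 1, step):
        up = {s for s in servers
              if not (s in outages and outages[s][0] <= t < outages[s][1])}
        timeline.append((t, log_set.tick(t, up)))
    return timeline


if __name__ == "__main__":
    # Constructed scenario: primary down from minute 2 to minute 10.
    for t, server in simulate(["192.0.2.10", "192.0.2.11"],
                              {"192.0.2.10": (120, 600)}, 1200):
        print(f"{t // 60:2d} min -> {server}")
```

In this scenario the primary is reachable again at minute 10, but the modeled device keeps logging to the backup until the retry at minute 14, so the log messages for that outage are split across both servers.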