WatchGuard Log Server is a component of WatchGuard Server Center. It is a local database that can collect log message data from each connected Firebox or WatchGuard server. You can install the WatchGuard Log Server on the computer that is your management computer, or on a different computer. You can also add additional Log Servers for backup and scalability. To do this, use the WatchGuard System Manager (WSM) installation program and select to install only the Log Server component. For more information about installation, see Set Up Your Log Server.
Log Message Data
A Log Server receives information on TCP ports 4107 and 4115. Each Firebox that connects to the Log Server first sends its name, serial number, time zone, and software version, then sends log data as new events occur. The information that Fireboxes send includes traffic, alarm, event, debug, and performance statistics log messages. The serial number (SN) of the Firebox is used to uniquely identify the Firebox in the Log Server database. Though the log messages sent to your Log Server can originate from many time zones, the Log Server stores all log messages in UTC format.
The Log Server uses several processes and modules to collect and store log message data.
- wlcollector.exe is the log collector process, which runs two modules:
- ap_collector gets the logs from the Firebox and puts them in the Log Server database.
- ap_notify gets alarms from the Firebox and sends the type of notifications you select.
Log messages are sent to the WatchGuard Log Server in XML (plain text) format and are encrypted for transit with an SSL connection (AES 256-bit). Log data is not encrypted while stored in the Log Server database.
After your Log Server has collected the log data from your Fireboxes, you can use the WatchGuard Report Server to periodically consolidate the data and generate reports.
When the Report Server gets data from the Log Server, that log message data is sent over an encrypted SSL connection (AES 256-bit).
For more information about the Report Server, see About the Report Server.
WatchGuard Log Server uses the wlcollector.log and ap_collector.log files to store information about Firebox and database connections. This information includes authentication errors, challenge and response mismatches, and database access errors.
These files are stored by default in this directory:
Log Server Databases
Log information is stored in a PostgreSQL database. The Log Server uses multiple instances of the PostgreSQL database to manage its global database. Each instance of the PostgreSQL database appears in Windows Task Manager as a separate PostgreSQL process.
Each Log Server has four main database tables that store the log messages for all Fireboxes. The Log Server creates fixed-size partitions to store the log information in these databases. To manually modify the contents of the Log Server database, you can use the PostgreSQL command prompt or a third-party application such as pgadmin.
When a Firebox connects to the Log Server for the first time, the Log Server updates the global database with information about the new Firebox. Log messages from each Firebox are sent to one of the four Log Server database tables. The data in these tables is used when you look at log files or create a report in WatchGuard WebCenter.
Reports generated by a WatchGuard Report Server are stored as XML files in this directory:
Performance and Disk Space
You can configure several Fireboxes to send log information to a single Log Server. This number is strictly limited only by available disk space. However, the exact number of Fireboxes you can connect to your Log Server depends on the size and speed of its hard drives, the amount of available RAM, the number of processors, and the amount of log traffic each connected Firebox sends to the Log Server. To greatly increase the performance of your Log Server, add a faster hard drive, more memory, or another processor.
You can configure the Log Server to automatically remove old log messages from the database. When you first set up a Log Server, we recommend that you measure how much disk space is used in an average day. Estimate how many days of log messages you can keep before the database takes up too much disk space, then change the settings to match that time interval. When log messages are removed from the database, the disk space is reused when new log entries are created.
The reindexdb utility rebuilds the indexes in one or more PostgreSQL database tables for better performance. This utility should be run only at the recommendation of a WatchGuard Support representative.
You can use the Log Manager and Report Manager pages of the interactive WatchGuard WebCenter web UI to see the details in your log files, view generated reports from your Fireboxes and WatchGuard servers, and generate on-demand reports. You can pivot on the data in any report to see the granular details included in the report. Each report includes links to related report details.