Configure Log Server Settings for Cloud-Managed Fireboxes

Applies To: Cloud-managed Fireboxes

In WatchGuard Cloud, you can configure a cloud-managed Firebox to send log messages to Dimension or Syslog servers in order to retain log messages longer than the normal data retention period in WatchGuard Cloud.

On the Device Configuration page for a cloud-managed Firebox, the Log Servers tile shows the Log Servers and their status (Enabled or Disabled).

Screen shot of Device Configuration, Log Server status

For information on how to configure log servers, see:

Configure Dimension Server Settings

You can add a primary and a backup Dimension server. If the Firebox cannot connect to the primary Dimension server, it tries to connect to the backup Dimension server.

When the primary Dimension server is not available, and the Firebox is connected to a backup Dimension server, the Firebox tries to reconnect to the primary Dimension server every 6 minutes. When the Firebox attempts to reconnect to the primary server, it does not impact the existing connection to the backup server until the primary server is available. The Firebox reconnects to the primary server when it is available.

Depending on your configuration, your Dimension server might run out of storage quicker than expected. Make sure you plan your Dimension deployment to handle the volume of log messages.

Send Log Messages to a Dimension Server

You can configure your cloud-managed Firebox to send log messages to a Dimension server. For information on how to set up the Dimension server, see Install WatchGuard Dimension.

To send log messages to a Dimension server: 

  1. In WatchGuard Cloud, select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. Click the Log Servers tile.
    The Log Servers page opens. If the device is subscribed to a template that includes a log server, you cannot edit the page. To edit the page, you must remove the template.

Screen shot of Device Configuration, Dimenion server

  1. Select the Send Log Messages to Dimension check box.
  2. Click Add Log Server.
    The Add WatchGuard Log Server dialog box opens.

Screen shot of Device Configuration, Add Log Server

  1. In the IP Address or FQDN text box, type the IP address or fully qualified domain name (FQDN) of the primary Dimension server.
  2. In the Authentication Key text box, type the authentication key for this Dimension server.
    This is the Authentication Key you configured when you set up your instance of Dimension. The Authentication Key must be 8–32 characters, and can include any character except spaces and slashes (/ or \).
  3. Click Add.
    The Dimension Log Server and its priority appears in the Log Server list.
  4. Repeat Steps 6 — 9 to add a backup Dimension server.
    This list shows a summary of the configured log servers, including their IP addresses or domain names, and priority.
  5. To change the priority of a Dimension server, click and drag the row to the top or bottom of the list.
  6. To save configuration updates to the cloud, click Save.

Remove a Dimension Server

You can remove a server from the list. When you remove the primary Dimension server, the backup server becomes the primary server. If there is only one server and it fails, you will no longer receive log messages.

To remove a Dimension server:

  1. In the list of servers, next to the IP address or domain name, click .
  2. Select Delete Log Server.

Configure Syslog Server Settings

Syslog is a log interface developed for UNIX but also used by a number of computer systems. You can configure the Firebox to send syslog log messages to a maximum of three servers.

For Fireboxes that are not cloud-managed, multiple syslog servers are supported in Fireware v12.4 and higher.

For each syslog server, you must specify the IP address and port for connections to the server.

Syslog log messages are not encrypted. We recommend that you do not send log messages to a syslog server through the external interface. For better security, we recommend that you put your syslog server on your trusted network.

For each syslog server you add, you specify the log message format. The Firebox can send log messages in two log formats: Syslog or IBM LEEF. To send log messages to a syslog server, specify the Syslog log format. To send log messages to an IBM QRadar server, specify the IBM LEEF log format. For the IBM LEEF log format, you have the option to include syslog headers.

You can specify the syslog facility to use for each log message type. The syslog facility determines the relative priority of each log message. Lower numbers indicate higher priority. For high-priority log messages, such as alarms, select Local0. For lower priority log message types, select Local1Local7. You can specify the syslog facility for five log message types:

  • Alarm
  • Traffic
  • Event
  • Diagnostic
  • Performance

For information about the different types of messages, see Types of Log Messages.

When you select the IBM LEEF log format, the Firebox sends only log messages that include the msg-id field to your QRadar server. When you select the IBM LEEF log format, the Firebox does not send Performance log messages to the QRadar server.

Log messages in IBM LEEF log format include the LEEF header, with these details:

  • LEEF Version
  • Vendor Name
  • Product Name
  • Product Version
  • Event ID

For example:

  • LEEF Version — LEEF: 1.0
  • Vendor Name — WatchGuard
  • Product Name — Firebox
  • Product Version — 12.1.B548280
  • Event ID — 1AFF000B (message ID)

For a QRadar server, you must select the option to include the syslog header before you can configure syslog facility settings. If you select to include the syslog header in the log messages sent to a QRadar server, log messages do not include the host name and time stamp.

Before you configure your Firebox to send log messages to a syslog or QRadar server, you must have a syslog or QRadar server configured, operational, and ready to receive log messages.

Send Log Messages to a Syslog Server

You can add up to three syslog servers. The Firebox can send log messages in two formats: Syslog or IBM LEEF. The details you can include in the log messages depend on the log message format you select.

To send log messages to a syslog server: 

  1. In WatchGuard Cloud, select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. Click the Log Servers tile.
    The Log Servers page opens.

Screen shot of Device Configuration, Syslog server

  1. Select the Send Log Messages to Syslog Server check box.
  2. Click Add Log Server.
    The Add Syslog Server page opens.

Screen shot of Device Configuration, Add Syslog Server  

  1. In the IP Address text box, type the syslog server IP address.
  2. In the Port text box, the default syslog server port (514) appears. To change the server port, type or select a different port for your server.
  3. From the Format drop-down list, select Syslog or IBM LEEF.
  4. (IBM LEEF log format only) To include the syslog header in the log message details, select the Include syslog headers check box.

Screen shot of Device Configuration, Add Syslog Server - LEEF

  1. For each type of log message, select a syslog facility from the drop-down list.
    If you select the IBM LEEF log format, you must select the Include syslog headers check box before you can select a syslog facility for the log message types.
    • For high priority syslog messages, such as alarms, select Local0.
    • To assign priorities for other types of log messages (lower numbers have higher priority), select Local1Local7.
    • To not send details for a message type, select NONE.
  2. Click Save.
  3. To remove a Log Server, next to the IP address, click and select Delete Log Server.
  4. To save configuration updates to the cloud, click Save.

Related Topics

Add a Cloud-Managed Firebox to WatchGuard Cloud

About Firebox Logging and Notification

Types of Log Messages