ThreatSync Logging
Applies To: ThreatSync
Log messages can provide useful information to help you troubleshoot problems. This topic includes details of log messages related to ThreatSync activity in these areas:
- WatchGuard Cloud Audit Logs
- Firebox Traffic Logs
- WatchGuard Endpoint Security
- WatchGuard Access Points
WatchGuard Cloud Audit Logs
The Audit Logs page in WatchGuard Cloud includes audit logs for different types of ThreatSync activity. To find these audit logs, search for the text ThreatSync.
To view more details of the activity, click an audit log in the list.
For more information, go to See Audit Logs.
Firebox Traffic Logs
When a Firebox performs a ThreatSync action, such as blocking an IP address, the device generates traffic log messages. To find these log messages in WatchGuard Cloud, Fireware Web UI, or FSM, search Traffic Monitor for the text ThreatSync.
Example Firebox log messages:
May 25 00:13:29 2022 T70 local0.warn firewall: msg_id="3000-0173" fqdn_dst_match=www.youtube.com Deny Firebox External 84 icmp 20 64 192.168.2.1 172.16.1.1 8 0 id=32029 seq=6 geo_dst="USA" msg="blocked sites (ThreatSync destination)" (Any From Firebox-00)
May 25 00:14:31 2022 T70 local0.warn firewall: msg_id="3000-0173" Deny Firebox External 84 icmp 20 64 192.168.2.1 1.1.1.1 8 0 id=35869 seq=10 geo_dst="AUS" msg="blocked sites (ThreatSync destination)" (Any From Firebox-00)
May 16 16:49:53 2022 WatchGuard-XTM local3.info daas[4527]: ThreatSync xdr-remediations payload: {u'block_hosts': [u'1.1.1.2', u'1.1.1.1', u'www.example.com']}
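For troubleshooting exported logs, the following added example (not WatchGuard code) parses the three sample messages above and lists ThreatSync denies whose destination does not appear in any parsed block_hosts payload. The function names are hypothetical, and both the positional field layout and the idea of correlating denies with the payload are assumptions read off the sample lines.

```python
import ast
import re

# The three example lines from this page, embedded so the script runs offline.
SAMPLE_LOGS = [
    'May 25 00:13:29 2022 T70 local0.warn firewall: msg_id="3000-0173" fqdn_dst_match=www.youtube.com Deny Firebox External 84 icmp 20 64 192.168.2.1 172.16.1.1 8 0 id=32029 seq=6 geo_dst="USA" msg="blocked sites (ThreatSync destination)" (Any From Firebox-00)',
    'May 25 00:14:31 2022 T70 local0.warn firewall: msg_id="3000-0173" Deny Firebox External 84 icmp 20 64 192.168.2.1 1.1.1.1 8 0 id=35869 seq=10 geo_dst="AUS" msg="blocked sites (ThreatSync destination)" (Any From Firebox-00)',
    "May 16 16:49:53 2022 WatchGuard-XTM local3.info daas[4527]: ThreatSync xdr-remediations payload: {u'block_hosts': [u'1.1.1.2', u'1.1.1.1', u'www.example.com']}",
]
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PAYLOAD_RE = re.compile(r'ThreatSync xdr-remediations payload: (\{.*\})')
# Assumed positional layout, read off the sample lines (IPv4 only):
# action src_if dst_if length proto hdr_len ttl src_ip dst_ip
TRAFFIC_RE = re.compile(
    r'\b(Allow|Deny)\s+(\S+)\s+(\S+)\s+\d+\s+(\w+)\s+\d+\s+\d+'
    r'\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})')

def parse_line(line):
    """Return a dict for a ThreatSync-related log line, or None for anything else."""
    if "ThreatSync" not in line:
        return None
    payload = PAYLOAD_RE.search(line)
    if payload:
        try:  # Python-repr dict: literal_eval parses it without executing code
            hosts = set(ast.literal_eval(payload.group(1))["block_hosts"])
        except (ValueError, SyntaxError, KeyError, TypeError):
            return None  # malformed or unexpected payload shape
        return {"kind": "remediation", "block_hosts": hosts}
    traffic = TRAFFIC_RE.search(line)
    if not traffic:
        return None
    kv = {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}
    action, _src_if, _dst_if, proto, src, dst = traffic.groups()
    return {"kind": "traffic", "action": action, "proto": proto, "src": src, "dst": dst,
            "fqdn": kv.get("fqdn_dst_match"), "geo_dst": kv.get("geo_dst"),
            "msg_id": kv.get("msg_id"), "msg": kv.get("msg")}

def denies_not_in_payload(lines):
    """List (dst, fqdn) of ThreatSync denies that match no host in any parsed payload."""
    events = [e for e in map(parse_line, lines) if e]
    hosts = set().union(*(e["block_hosts"] for e in events if e["kind"] == "remediation"))
    return [(e["dst"], e["fqdn"]) for e in events
            if e["kind"] == "traffic" and e["action"] == "Deny"
            and e["dst"] not in hosts and e["fqdn"] not in hosts]

if __name__ == "__main__":
    for event in filter(None, map(parse_line, SAMPLE_LOGS)):
        print(event)
    print("no matching payload:", denies_not_in_payload(SAMPLE_LOGS))
```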
WatchGuard Endpoint Security
WatchGuard Endpoint Security products do not generate log messages for ThreatSync actions.
WatchGuard Access Points
WatchGuard access points do not generate log messages for ThreatSync actions.
ThreatSync currently only detects and reports on wireless threats. ThreatSync does not remediate wireless threat incidents to prevent connections to the malicious access point or disconnect wireless clients that have already associated to a malicious access point.