About Logging, Log Files, and Notification

An important feature of network security is to gather messages from your security systems, to examine those records frequently, and to keep them in an archive for future reference. The WatchGuard log message system creates log files with information about security related events that you can review to monitor your network security and activity, identify security risks, and address them.

A log file is a list of events, along with information about those events. An event is one activity that occurs on the Firebox or XTM device. An example of an event is when the device denies a packet. Your device can also capture information about allowed events to give you a more complete picture of the activity on your network.

The WatchGuard log message system has several components, which are described in the subsequent sections.

About Log Messages

Your Firebox or XTM device and WatchGuard servers can send log messages to your WatchGuard Log Server. Firebox or XTM devices can also send log messages to a syslog server or keep logs locally on the device. You can choose to send log messages to one or both of these locations.

For more information about some of the log messages generated by your Firebox or XTM device, see the Fireware XTM Log Catalog.

Log Servers

There are two methods to save log files with Fireware XTM Web UI:

WatchGuard Log Server

You can use the of WatchGuard System Manager (WSM) Log Server or the Dimension Log Server. If you have a Firebox or XTM device, you can configure a Log Server to collect log messages for your device.


This is a log interface developed for UNIX but also used on many other computer systems. If you use a syslog host, you can set your Firebox or XTM device to send log messages to your syslog server. To find a syslog server compatible with your operating system, search the Internet for "syslog daemon".

If your Firebox or XTM device is configured to send log files to a WSM or Dimension Log Server and the connection fails, the log files are not collected. You can configure your device to also send log messages to a syslog host that is on the local trusted network to prevent the loss of log files.

For more information about sending log messages to a WatchGuard Log Server, see Send Log Messages to a WatchGuard Log Server.

For more information about WatchGuard Dimension, see the WatchGuard Dimension Help.

For more information about sending log messages to a syslog host, see Configure Syslog Server Settings.

Logging and Notification in Applications and Servers

The Log Server can receive log messages from your XTM device or a WatchGuard server. After you have configured your XTM device and Log Server, the device sends log messages to the Log Server. You can enable logging in the various WSM applications and policies that you have defined for your XTM device to control the level of logs that you see. If you choose to send log messages from another WatchGuard server to the Log Server, you must first enable logging on that server.

System Status Traffic Monitor

On the Fireware XTM Web UI Traffic Monitor page, you see log messages from your XTM device as they occur. On some networks, there can be a short delay as log messages are sent. Traffic Monitor can help you troubleshoot network performance. For example, you can see which policies are used most, or whether external interfaces are constantly used to their maximum capacity.

For more information, see Traffic Monitor.

See Also

Configure Syslog Server Settings

Traffic Monitor

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Knowledge Base