Fireware “How To” Logging and Notification Introduction

Fireware “How To”
Logging and Notification
How do I set up a Log Server?
Introduction
The Log Server collects logs from a WatchGuard Firebox. The log message format is XML (plain text). The information
collected from firewall devices includes traffic log messages, event log messages, alarms, and diagnostic messages.
You can install the Log Server on the computer you are using as a management station at the same time you install
the WatchGuard System Manager (WSM) management software. Or, you can install the Log Server software on a different computer using the WSM installation program and selecting to install only the Log Server component.
You can also add backup Log Servers to your Firebox configuration. If the primary Log Server goes down, the Firebox
will send log messages to the next Log Server in the list.
Is there anything I need to know before I start?
The Log Server and the Firebox must be set to the same system time. We recommend that you set the system
time on both the Firebox and on any computer configured as a WatchGuard Log Server with NTP. On the Firebox,
you can do this from Policy Manager by selecting Setup > NTP.
Setting up a WatchGuard Log Server
1
On the computer that has the Log Server software installed, select the Log Server icon from the WatchGuard
toolbar.
The WatchGuard Log Server Configuration dialog box appears.
1
2
Type the encryption key to use for the secure connection between the Firebox and the Log Server.
Log Server encryption keys are a minimum of eight characters. The first time you connect to a Log Server, the default log
encryption key is the status passphrase you set when you used the Quick Setup Wizard on your management station.
3
4
5
6
Confirm the encryption key.
Select a directory to keep all logs, reports, and report definition files.
Click OK.
Click Start > Control Panel. Go to Power Options. Select the Hibernate tab and disable hibernation. This is to
prevent the Log Server from shutting down when the computer hibernates.
Setting Global Logging and Notification Preferences
To see the Log Server status and configuration, right-click the Log Server icon on the WatchGuard® toolbar and select
Status/Configuration. The status and configuration information appears. There are three control areas:
Log Files tab
To set the options for rolling your log file.
Reports tab
To schedule regular reports of log entries.
Notification tab
To control notification.
Log file size and rollover frequency
You can control the log rollover by size or by time. When this rollover occurs, the Log Server closes the current log file
and opens a new log file. The closed log file can be used for reports, or copied or moved to a different archive location.
To find the best rollover size for your company, you must look at:
• Storage space that is available
• Number of days you want available
• Size that is best to keep, open, and view
• Number of event types that are recorded
For example, a small company can get 10,000 entries in two weeks, and a large company with many policies
enabled can easily have 100,000 entries in a day.
• Traffic on the Firebox®
• Number of reports to create
To create a weekly report, it is necessary to have eight or more days of data. This data can be found in more than
one log file, if the log files are in the same location.
It is good to monitor the new log files and adjust the configuration as necessary.
2
Setting Global Logging and Notification Preferences
Setting the interval for log rollover
You can control when the log files roll over in the Log Files tab in the Log Server configuration interface. You also can
manually start a rollover of the current log file. To do this, select File > Roll current log file from the Status/Configuration window.
1
Click the Log Files tab.
2
To roll the log file on a time interval, select the Roll Log Files By Time Interval check box. Set the time interval.
From the Next Log Roll is Scheduled For drop-down list, select a date when the log file rolls.
To roll the log file based on the size of the log file, select the Roll Log Files By File Size check box. Type the
maximum size for the log file before the file rolls, or use the value control to set the number.
Click Save Changes or Close.
3
4
The Log Server interface closes and saves your entries. The new configuration starts immediately.
The Log Server restarts automatically.
Scheduling log reports
If you have created network activity reports using Historical Reports, you can schedule the Log Server component to
automate the reports. You first must create a report in Historical Reports, or it does not appear in the Log Server interface.
1
Click the Reports tab.
2
3
4
Use the radio buttons to set the time interval for reports: daily, weekly, first day of the month, or at a custom time.
From the Next Scheduled Report drop-down list, select a date and time for the subsequent scheduled report.
Click Save Changes or Close.
The Log Server interface closes and saves your entries. The new configuration starts immediately.
The Log Server restarts automatically.
Controlling notification
You can configure the Firebox to send an e-mail message when a specified event occurs. Use the Notification tab to
configure the destination e-mail address. See your configuration guide for information about configuring notifications.
1
Click the Notification tab.
2
In the Email Address text box, type the e-mail address that you would like notification e-mails to be sent to. This
address is frequently an alias for the group within your organization that is responsible for the Firebox or network
security.
In the Mail Host text box, type the name of the SMTP e-mail host that the Firebox should connect to when it
must send a notification e-mail.
Click Save Changes or Close.
3
4
The Log Server interface closes and saves your entries. The new configuration starts immediately.
The Log Server restarts automatically.
Starting and stopping the Log Server
You can manually stop or start the Log Server:
• To start the Log Server, right-click the Log Server icon on the toolbar and select Start Service.
• To stop the Log Server, right-click the Log Server icon on the toolbar and select Stop Service.
Frequently Asked Questions About This Procedure
My desktop firewall seems to be stopping log messages from reaching my Log Server. What should I do?
Desktop firewalls can block the ports necessary for WatchGuard® server components to operate. Before installing
the Management Server, Log Server, or WebBlocker Server on a computer with an active desktop firewall, you
might need to open the necessary ports on the desktop firewall. Windows Firewall users do not need to change
their configuration.
This table shows the ports you must open on a desktop firewall.
4
Server Type/Appliance Software
Protocol/Port
Management Server
TCP 4109, TCP 4110, TCP 4112, TCP 4113
Log Server
with Fireware™ appliance software
with WFS appliance software
TCP 4115
TCP 4107
WebBlocker Server
TCP 5003, UDP 5003
Is the WatchGuard Log Server compatible with previous versions of WatchGuard System Manager that used
a WSEP?
Firebox devices with WatchGuard Firebox System version 7.4 or earlier can send log messages to a WatchGuard
System Manager 8.0 Log Server or to a WatchGuard Security Event Processor 7.3 or earlier. But, Fireboxes with
Fireware appliance software cannot send log messages to a WatchGuard Security Event Processor 7.3 or earlier.
How do I configure backup Log Servers?
From Policy Manager, select Setup > Logging. Click Configure, as shown below. Click Add to add the IP address
of another Log Server. Repeat if necessary to add more Log Servers. Make sure you install the Log Server software
on each backup Log Server before you continue.
How do I change my log encryption key?
To change the encryption key on the Log Server:
1
2
3
4
Right-click the Log Server icon on the WatchGuard toolbar and select Status/Configuration.
Select File > Set Log Encryption Key.
Type the new log encryption key two times.
In Policy Manager, select Setup > Logging. Click on the IP address of the Log Server whose log encryption key
you want to change and click Edit. Type your new log encryption key and confirm it. Make sure you save your
changes to the Firebox.
5
Click OK.
SUPPORT:
COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Techwww.watchguard.com/support
nologies, Inc. in the United States and/or other countries.
U.S. and Canada +877.232.3531
All Other Countries +1.206.613.0456
5
6