Configure Notification Settings for the Log Server
With the release of Fireware v12.8, WatchGuard announced the deprecation of the WatchGuard Log Server, Report Server, and Quarantine Server. WSM still includes these server components, but they are no longer supported in v12.9 and higher. We will remove them in a future WSM release.
From WatchGuard Server Center, you can enable your Log Server to send notification messages when:
- The events you specify for policies, devices, and servers occur.
- A failure event occurs on a Firebox or the Log Server.
- The Log Server purges log messages from the database tables to reduce the size of the database.
When you select to send notifications for any of these events, you must also specify the email server to use to send the notification messages, and the email accounts to send and receive the messages. If you do not select the option to send a notification message for database purge events, you do not receive a message when your database exceeds 95% of the maximum database size setting you specified, but the database purge still occurs.
For more information about failure events for a device or the Log Server, go to the Failure Events section.
- In the Servers tree, select Log Server.
- Select the Notification tab.
The Notification page appears.
- To enable notification for failure events, select the Send an email notification for failure events check box.
For more information about failure events, go to Failure Events.
- To enable notification for alarm events that occur on a device or server connected to the Log Server, select the Send an email notification for events from any appliance or server logging to this Log Server check box.
- Configure the SMTP Server Settings and Notification Setup settings, as described in the next sections.
- Click Apply to save your changes.
Configure SMTP Server Settings for your Log Server
When you configure the SMTP server settings for your Log Server, the Log Server uses your SMTP server to send notification messages for the events you specified. For email notification to work correctly, you must specify the address of an SMTP email server the Log Server can use to send these email messages.
The Log Server email notification does not support TLS for SMTP (for example, Microsoft 365 and Gmail services). Do not use SMTP ports 465 or 587. Dimension email notification does support TLS for SMTP. For more information, go to Configure Notification Settings for Dimension.
Before you configure the SMTP server settings, make sure you have the correct address for your SMTP server, and, if necessary, the correct user credentials. The default port for connections to the SMTP server is port 25. If your SMTP server accepts connections on a different port, you can specify the correct port number when you specify the address for your SMTP server.
In the SMTP Server Settings section:
- In the Outgoing email server (SMTP) text box, type the address of your SMTP server.
If your SMTP server accepts connections on a port other than port 25, type the address of your SMTP server in the format <localhost>:<port number>.
For example, smtp.example.com:42.
- If your email server requires authentication, select the Send credentials to the email server check box.
- In the User name text box, type the user name for the email server.
- In the Password text box, type the password for the email server.
If the user name and password are not required for your SMTP server, you can leave those text boxes blank.
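A pre-flight check for the settings above, as an added example that is not WatchGuard code: it parses the Outgoing email server value and reads a relay's raw EHLO reply to flag the cases this section warns about (ports 465 or 587, and a relay that offers AUTH only after STARTTLS, which the Log Server cannot negotiate). The function names and sample EHLO replies are constructed for illustration; because the Log Server does not use TLS for SMTP, any credentials entered here cross the network unencrypted.

```python
import re

NO_TLS_PORTS = {465, 587}   # ports the page says not to use
DEFAULT_PORT = 25

def parse_smtp_setting(value):
    """Split the 'Outgoing email server (SMTP)' value into (host, port)."""
    host, sep, port = value.strip().rpartition(":")
    if not sep:                                   # no port given
        return value.strip(), DEFAULT_PORT
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"invalid SMTP server setting: {value!r}")
    return host, int(port)

def ehlo_extensions(reply):
    """Map each EHLO keyword to its parameters, from a raw multi-line 250 reply."""
    exts = {}
    for line in reply.splitlines()[1:]:           # first line is the greeting
        m = re.match(r"250[- ](\S+)\s*(.*)", line)
        if m:
            exts[m.group(1).upper()] = m.group(2).upper().split()
    return exts

def review(setting, ehlo_reply, send_credentials):
    """Return findings for a planned Log Server SMTP configuration."""
    _, port = parse_smtp_setting(setting)
    exts = ehlo_extensions(ehlo_reply)
    findings = []
    if port in NO_TLS_PORTS:
        findings.append(f"port {port}: do not use 465 or 587, "
                        "the Log Server does not support TLS for SMTP")
    if send_credentials and "AUTH" not in exts:
        hint = " (likely offered only after STARTTLS)" if "STARTTLS" in exts else ""
        findings.append("relay does not offer AUTH on a plaintext session" + hint)
    elif send_credentials:
        findings.append("credentials are sent without TLS: use a dedicated, "
                        "low-privilege mailbox and an internal relay")
    return findings

# Constructed EHLO replies (not captured from a real server).
RELAY_PLAIN = "250-relay.example.com\n250-SIZE 35882577\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
RELAY_TLS_ONLY = "250-mx.example.com\n250-STARTTLS\n250 8BITMIME"

if __name__ == "__main__":
    print(review("smtp.example.com:587", RELAY_TLS_ONLY, True))
    print(review("relay.example.com", RELAY_PLAIN, True))
```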
Configure Notification Message Settings
If you select to send an email notification for events, you can specify the email accounts to use to send email notification messages and the subject text for the messages. The email accounts you select must be valid email accounts that your SMTP server recognizes.
In the Notification Setup section:
- In the Send email to text box, type the full email address of the account to which you want to send notification messages.
- In the Send email from text box, type the full email address of the account from which you want to send notification messages.
- In the Subject text box, type the subject line for the event notification messages.
- To send a test notification email to the address you specified, click Test Email.
A message appears that tells you if the notification email was sent successfully, or if it failed to send.
Failure Events
Log messages can be collected for failure events that occur on your Firebox and on the Log Server.
When a failure event occurs on a device or the Log Server, and you have enabled logging for failure events, a notification message is sent about the failure event. Failure events for the Log Server include PostgreSQL service failures, system failures, and network failures.
For a Firebox, a notification message is sent if the device fails to collect log messages.
For a Log Server, a notification message is sent for these failures:
- Lost database connection
If the connection to the database is lost and cannot be reestablished immediately, a notification message is sent. The server continues to try to connect to the database until the connection succeeds. The server sends a notification email every 15 minutes until the database connects to the server again.
- Database errors
This includes I/O errors, disk-full conditions, and any other database-related failures.
- Database backup errors
This includes any errors that occur when the log data is backed up (for example, I/O errors).
- Heartbeat detection error
When a device is connected to the Log Collector, the Log Server verifies that the log messages from a connected Firebox are being written to the database. If the Log Server detects that a device is connected, but no log messages have been written to the database for 15 minutes, it sends a notification message.
- Lost Report Server connection
The Log Server monitors when the Report Server contacts it to collect the log messages. This usually occurs every 15 minutes. If the Report Server does not contact the Log Server for three collection intervals (45 minutes), the Log Server sends a notification message. If the Report Server has not contacted the Log Server since the Log Server was last started, it is not considered a failure condition.