Configure Log Server Settings for Cloud-Managed Fireboxes
Applies To: Cloud-managed Fireboxes
In WatchGuard Cloud, you can configure a cloud-managed Firebox to send log messages to Dimension or Syslog servers in order to retain log messages longer than the normal data retention period in WatchGuard Cloud.
On the Device Configuration page for a cloud-managed Firebox, the Log Servers tile shows the Log Servers and their status (Enabled or Disabled).
For information on how to configure log servers, see:
Configure Dimension Server Settings
You can add a primary and a backup Dimension server. If the Firebox cannot connect to the primary Dimension server, it tries to connect to the backup Dimension server.
When the primary Dimension server is not available, and the Firebox is connected to a backup Dimension server, the Firebox tries to reconnect to the primary Dimension server every 6 minutes. When the Firebox attempts to reconnect to the primary server, it does not impact the existing connection to the backup server until the primary server is available. The Firebox reconnects to the primary server when it is available.
Depending on your configuration, your Dimension server might run out of storage quicker than expected. Make sure you plan your Dimension deployment to handle the volume of log messages.
Send Log Messages to a Dimension Server
You can configure your cloud-managed Firebox to send log messages to a Dimension server. For information on how to set up the Dimension server, see Install WatchGuard Dimension.
To send log messages to a Dimension server:
- In WatchGuard Cloud, select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- Click the Log Servers tile.
The Log Servers page opens. If the device is subscribed to a template that includes a log server, you cannot edit the page. To edit the page, you must remove the template.
- Select the Send Log Messages to Dimension check box.
- Click Add Log Server.
The Add WatchGuard Log Server dialog box opens.
- In the IP Address or FQDN text box, type the IP address or fully qualified domain name (FQDN) of the primary Dimension server.
- In the Authentication Key text box, type the authentication key for this Dimension server.
This is the Authentication Key you configured when you set up your instance of Dimension. The Authentication Key must be 8–32 characters, and can include any character except spaces and slashes (/ or \).
- Click Add.
The Dimension Log Server and its priority appear in the Log Server list.
- Repeat Steps 6–9 to add a backup Dimension server.
This list shows a summary of the configured log servers, including their IP addresses or domain names, and priority.
- To change the priority of a Dimension server, click and drag the row to the top or bottom of the list.
- To save configuration updates to the cloud, click Save.
Remove a Dimension Server
You can remove a server from the list. When you remove the primary Dimension server, the backup server becomes the primary server. If there is only one server and it fails, you will no longer receive log messages.
To remove a Dimension server:
- In the list of servers, next to the IP address or domain name, click .
- Select Delete Log Server.
Configure Syslog Server Settings
Syslog is a log interface developed for UNIX but also used by a number of computer systems. You can configure the Firebox to send syslog log messages to a maximum of three servers.
For Fireboxes that are not cloud-managed, multiple syslog servers are supported in Fireware v12.4 and higher.
For each syslog server, you must specify the IP address and port for connections to the server.
Syslog log messages are not encrypted. We recommend that you do not send log messages to a syslog server through the external interface. For better security, we recommend that you put your syslog server on your trusted network.
For each syslog server you add, you specify the log message format. The Firebox can send log messages in two log formats: Syslog or IBM LEEF. To send log messages to a syslog server, specify the Syslog log format. To send log messages to an IBM QRadar server, specify the IBM LEEF log format. For the IBM LEEF log format, you have the option to include syslog headers.
You can specify the syslog facility to use for each log message type. The syslog facility determines the relative priority of each log message. Lower numbers indicate higher priority. For high-priority log messages, such as alarms, select Local0. For lower priority log message types, select Local1 – Local7. You can specify the syslog facility for five log message types:
- Alarm
- Traffic
- Event
- Diagnostic
- Performance
For information about the different types of messages, go to Types of Log Messages.
When you select the IBM LEEF log format, the Firebox sends only log messages that include the msg-id field to your QRadar server. When you select the IBM LEEF log format, the Firebox does not send Performance log messages to the QRadar server.
Log messages in IBM LEEF log format include the LEEF header, with these details:
- LEEF Version
- Vendor Name
- Product Name
- Product Version
- Event ID
For example:
- LEEF Version — LEEF: 1.0
- Vendor Name — WatchGuard
- Product Name — Firebox
- Product Version — 12.1.B548280
- Event ID — 1AFF000B (message ID)
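The facility and LEEF header descriptions above are easiest to check on the receiving side. The following is an added example, not WatchGuard code, that parses the PRI value of a syslog header into its facility (local0 through local7) and severity, then splits the LEEF header into the five fields listed above and the key=value attributes that follow it. The sample lines are constructed for this example; the event ID 1AFF000B and product version 12.1.B548280 are taken from the page, while the attribute names (src, dst, proto, msg_id) are assumptions and not documented Firebox field names.

```python
"""Parse syslog PRI values and IBM LEEF headers from Firebox-style log lines."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 3164 facility codes 16-23 are local0-local7, the ones this page lets you assign.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
# RFC 3164 severity codes 0-7.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# LEEF:<version>|<vendor>|<product>|<product version>|<event id>|<attributes>
LEEF_RE = re.compile(r"LEEF:([^|]+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")


@dataclass
class LeefRecord:
    facility: Optional[str]      # None when no syslog header was included
    severity: Optional[str]
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a syslog PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility_code, severity_code = divmod(pri, 8)
    return FACILITY_NAMES.get(facility_code, f"facility{facility_code}"), SEVERITY_NAMES[severity_code]


def parse_leef_line(line: str) -> LeefRecord:
    """Parse one LEEF log line, with or without a leading syslog PRI header."""
    facility = severity = None
    rest = line
    m = PRI_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m.group(1)))
        rest = line[m.end():]
    lm = LEEF_RE.search(rest)
    if not lm:
        raise ValueError("no LEEF header found")
    version, vendor, product, product_version, event_id, attr_text = lm.groups()
    # LEEF 1.0 attributes are tab-separated key=value pairs.
    attributes = {}
    for pair in attr_text.split("\t"):
        key, sep, value = pair.partition("=")
        if sep:
            attributes[key] = value
    return LeefRecord(facility, severity, version, vendor, product,
                      product_version, event_id, attributes)


def facility_counts(lines: List[str]) -> Dict[str, int]:
    """Count records per syslog facility; lines without a PRI header count under 'none'."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_leef_line(line)
        key = rec.facility or "none"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines (not captured Firebox output). PRI 129 = local0/alert,
# PRI 142 = local1/info; the last line has no syslog header, as for a QRadar
# target configured without "Include syslog headers".
SAMPLE_LINES = [
    "<129>LEEF:1.0|WatchGuard|Firebox|12.1.B548280|1AFF000B|"
    "msg_id=1AFF-000B\tsrc=10.0.1.25\tdst=203.0.113.7\tproto=tcp",
    "<142>LEEF:1.0|WatchGuard|Firebox|12.1.B548280|1AFF000B|"
    "msg_id=1AFF-000B\tsrc=10.0.1.40\tdst=198.51.100.9\tproto=udp",
    "LEEF:1.0|WatchGuard|Firebox|12.1.B548280|1AFF000B|"
    "msg_id=1AFF-000B\tsrc=10.0.1.41\tdst=198.51.100.10\tproto=tcp",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_leef_line(line)
        print(rec.facility, rec.severity, rec.event_id, rec.attributes.get("src"))
    print(facility_counts(SAMPLE_LINES))
```

Running the block prints each record's facility, severity and event ID followed by the per-facility counts. The facility comes from the PRI value, so a receiver can confirm that alarm traffic really arrives on local0 and that each message type is routed to the facility selected in the Log Servers page.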
For a QRadar server, you must select the option to include the syslog header before you can configure syslog facility settings. If you select to include the syslog header in the log messages sent to a QRadar server, log messages do not include the host name and time stamp.
Before you configure your Firebox to send log messages to a syslog or QRadar server, you must have a syslog or QRadar server configured, operational, and ready to receive log messages.
Send Log Messages to a Syslog Server
You can add up to three syslog servers. The Firebox can send log messages in two formats: Syslog or IBM LEEF. The details you can include in the log messages depend on the log message format you select.
To send log messages to a syslog server:
- In WatchGuard Cloud, select Configure > Devices.
- Select the cloud-managed Firebox.
- Click Device Configuration.
- Click the Log Servers tile.
The Log Servers page opens.
- Select the Send Log Messages to Syslog Server check box.
- Click Add Log Server.
The Add Syslog Server page opens.
- In the IP Address text box, type the syslog server IP address.
- In the Port text box, the default syslog server port (514) appears. To change the server port, type or select a different port for your server.
- From the Format drop-down list, select Syslog or IBM LEEF.
- (IBM LEEF log format only) To include the syslog header in the log message details, select the Include syslog headers check box.
- For each type of log message, select a syslog facility from the drop-down list.
If you select the IBM LEEF log format, you must select the Include syslog headers check box before you can select a syslog facility for the log message types.
- For high priority syslog messages, such as alarms, select Local0.
- To assign priorities for other types of log messages (lower numbers have higher priority), select Local1 – Local7.
- To not send details for a message type, select NONE.
- Click Save.
- To remove a Log Server, next to the IP address, click and select Delete Log Server.
- To save configuration updates to the cloud, click Save.