Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes
After you add a FireCluster to WatchGuard Cloud, the FireCluster sends log messages to WatchGuard Cloud. FireCluster logging is enabled by default. You can view log messages in WatchGuard Cloud and create search queries to find FireCluster events.
To send log messages to a Dimension or a syslog server, go to Configure Log Server Settings for Cloud-Managed Fireboxes.
Disable Logging
If you disable logging, the FireCluster remains connected to WatchGuard Cloud but does not send log messages.
To disable FireCluster logging to WatchGuard Cloud:
- Log in to your WatchGuard Cloud account.
- Select Configure > Devices.
- Select the cluster.
- In the FireCluster Logging section, disable Logging.
The FireCluster immediately stops sending log messages to WatchGuard Cloud.
Enable Logging
To enable FireCluster logging to WatchGuard Cloud:
- Log in to your WatchGuard Cloud account.
- Select Configure > Devices.
- Select the cluster.
- In the FireCluster Logging section, enable Logging.
The FireCluster sends log messages to WatchGuard Cloud.
View and Search Logs
To view FireCluster log messages in WatchGuard Cloud:
- Log in to your WatchGuard Cloud account.
- Select Monitor > Devices.
- In the Logs section, click Log Manager.
- From the drop-down list, select Event Logs or All Logs. FireCluster log messages are typically events.
For more information about Log Manager, go to Log Manager (WatchGuard Cloud).
To search the logs for FireCluster events:
- Log in to your WatchGuard Cloud account.
- Select Monitor > Devices.
- In the Logs section, click Log Search.
- From the drop-down list, select All Logs.
- To find cluster-related messages, you can create simple or complex search queries. For example:
- Specify keywords such as cluster*, master*, or failed over. You can specify basic Boolean operators between words.
- Specify a cluster-related process ID such as crd or cvd.
- Specify a custom date and time range.
- Combine search query methods. For example, specify a custom date and time range and the process IDs crd, cvd, and networkd.
-
To save your search results to a .CSV file, click
.
For more information about search queries, go to Log Search (WatchGuard Cloud).
Example Log Messages
FireCluster Reboot
After a cluster master reboot, event messages appear in the log that describe the cluster member role change:
- Member [serial number] changed role to backup sync
- Cluster A/P role successfully changed from idle to backup master
- Cluster member [serial number] changed role from backup master to master
- Master [serial number] failed over to member [serial number]
- Member [serial number] is now master
- Member [serial number] changed role to master
- Cluster A/P role successfully changed from backup master to master
- Failed over from backup to master
- Cluster member [serial number] changed role from backup master to master
After a backup master reboot, these event messages appear in the log:
- [Interface name] Interface link status changed to down
- Monitored interface [interface name] link is down
- Master [serial number] detected loss of heartbeat from member [serial number], cluster channel is up
- [Interface name] Interface link status changed to up
- Monitored interface [interface name] link is up
- [Interface name] Interface link status changed to down
- [Interface name] Interface link status changed to up
- System back up succeeded
- Full state synchronization from master [serial number] to backup master [serial number] completed successfully
