Fireware “How To” Logging and Notification Introduction
Transcription
Fireware “How To” Logging and Notification Introduction
Fireware “How To” Logging and Notification How do I set up a Log Server? Introduction The Log Server collects logs from a WatchGuard Firebox. The log message format is XML (plain text). The information collected from firewall devices includes traffic log messages, event log messages, alarms, and diagnostic messages. You can install the Log Server on the computer you are using as a management station at the same time you install the WatchGuard System Manager (WSM) management software. Or, you can install the Log Server software on a different computer using the WSM installation program and selecting to install only the Log Server component. You can also add backup Log Servers to your Firebox configuration. If the primary Log Server goes down, the Firebox will send log messages to the next Log Server in the list. Is there anything I need to know before I start? The Log Server and the Firebox must be set to the same system time. We recommend that you set the system time on both the Firebox and on any computer configured as a WatchGuard Log Server with NTP. On the Firebox, you can do this from Policy Manager by selecting Setup > NTP. Setting up a WatchGuard Log Server 1 On the computer that has the Log Server software installed, select the Log Server icon from the WatchGuard toolbar. The WatchGuard Log Server Configuration dialog box appears. 1 2 Type the encryption key to use for the secure connection between the Firebox and the Log Server. Log Server encryption keys are a minimum of eight characters. The first time you connect to a Log Server, the default log encryption key is the status passphrase you set when you used the Quick Setup Wizard on your management station. 3 4 5 6 Confirm the encryption key. Select a directory to keep all logs, reports, and report definition files. Click OK. Click Start > Control Panel. Go to Power Options. Select the Hibernate tab and disable hibernation. This is to prevent the Log Server from shutting down when the computer hibernates. Setting Global Logging and Notification Preferences To see the Log Server status and configuration, right-click the Log Server icon on the WatchGuard® toolbar and select Status/Configuration. The status and configuration information appears. There are three control areas: Log Files tab To set the options for rolling your log file. Reports tab To schedule regular reports of log entries. Notification tab To control notification. Log file size and rollover frequency You can control the log rollover by size or by time. When this rollover occurs, the Log Server closes the current log file and opens a new log file. The closed log file can be used for reports, or copied or moved to a different archive location. To find the best rollover size for your company, you must look at: • Storage space that is available • Number of days you want available • Size that is best to keep, open, and view • Number of event types that are recorded For example, a small company can get 10,000 entries in two weeks, and a large company with many policies enabled can easily have 100,000 entries in a day. • Traffic on the Firebox® • Number of reports to create To create a weekly report, it is necessary to have eight or more days of data. This data can be found in more than one log file, if the log files are in the same location. It is good to monitor the new log files and adjust the configuration as necessary. 2 Setting Global Logging and Notification Preferences Setting the interval for log rollover You can control when the log files roll over in the Log Files tab in the Log Server configuration interface. You also can manually start a rollover of the current log file. To do this, select File > Roll current log file from the Status/Configuration window. 1 Click the Log Files tab. 2 To roll the log file on a time interval, select the Roll Log Files By Time Interval check box. Set the time interval. From the Next Log Roll is Scheduled For drop-down list, select a date when the log file rolls. To roll the log file based on the size of the log file, select the Roll Log Files By File Size check box. Type the maximum size for the log file before the file rolls, or use the value control to set the number. Click Save Changes or Close. 3 4 The Log Server interface closes and saves your entries. The new configuration starts immediately. The Log Server restarts automatically. Scheduling log reports If you have created network activity reports using Historical Reports, you can schedule the Log Server component to automate the reports. You first must create a report in Historical Reports, or it does not appear in the Log Server interface. 1 Click the Reports tab. 2 3 4 Use the radio buttons to set the time interval for reports: daily, weekly, first day of the month, or at a custom time. From the Next Scheduled Report drop-down list, select a date and time for the subsequent scheduled report. Click Save Changes or Close. The Log Server interface closes and saves your entries. The new configuration starts immediately. The Log Server restarts automatically. Controlling notification You can configure the Firebox to send an e-mail message when a specified event occurs. Use the Notification tab to configure the destination e-mail address. See your configuration guide for information about configuring notifications. 1 Click the Notification tab. 2 In the Email Address text box, type the e-mail address that you would like notification e-mails to be sent to. This address is frequently an alias for the group within your organization that is responsible for the Firebox or network security. In the Mail Host text box, type the name of the SMTP e-mail host that the Firebox should connect to when it must send a notification e-mail. Click Save Changes or Close. 3 4 The Log Server interface closes and saves your entries. The new configuration starts immediately. The Log Server restarts automatically. Starting and stopping the Log Server You can manually stop or start the Log Server: • To start the Log Server, right-click the Log Server icon on the toolbar and select Start Service. • To stop the Log Server, right-click the Log Server icon on the toolbar and select Stop Service. Frequently Asked Questions About This Procedure My desktop firewall seems to be stopping log messages from reaching my Log Server. What should I do? Desktop firewalls can block the ports necessary for WatchGuard® server components to operate. Before installing the Management Server, Log Server, or WebBlocker Server on a computer with an active desktop firewall, you might need to open the necessary ports on the desktop firewall. Windows Firewall users do not need to change their configuration. This table shows the ports you must open on a desktop firewall. 4 Server Type/Appliance Software Protocol/Port Management Server TCP 4109, TCP 4110, TCP 4112, TCP 4113 Log Server with Fireware™ appliance software with WFS appliance software TCP 4115 TCP 4107 WebBlocker Server TCP 5003, UDP 5003 Is the WatchGuard Log Server compatible with previous versions of WatchGuard System Manager that used a WSEP? Firebox devices with WatchGuard Firebox System version 7.4 or earlier can send log messages to a WatchGuard System Manager 8.0 Log Server or to a WatchGuard Security Event Processor 7.3 or earlier. But, Fireboxes with Fireware appliance software cannot send log messages to a WatchGuard Security Event Processor 7.3 or earlier. How do I configure backup Log Servers? From Policy Manager, select Setup > Logging. Click Configure, as shown below. Click Add to add the IP address of another Log Server. Repeat if necessary to add more Log Servers. Make sure you install the Log Server software on each backup Log Server before you continue. How do I change my log encryption key? To change the encryption key on the Log Server: 1 2 3 4 Right-click the Log Server icon on the WatchGuard toolbar and select Status/Configuration. Select File > Set Log Encryption Key. Type the new log encryption key two times. In Policy Manager, select Setup > Logging. Click on the IP address of the Log Server whose log encryption key you want to change and click Edit. Type your new log encryption key and confirm it. Make sure you save your changes to the Firebox. 5 Click OK. SUPPORT: COPYRIGHT © 2006 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, and Core are registered trademarks or trademarks of WatchGuard Techwww.watchguard.com/support nologies, Inc. in the United States and/or other countries. U.S. and Canada +877.232.3531 All Other Countries +1.206.613.0456 5 6