Types of Log Messages | WatchGuard Technologies Firebox X specs

CHAPTER 5 Reviewing and Working with Log

Files

WatchGuard® System Manager includes strong and flexible log message tools. An important feature of a good network security policy is to log messages from your security systems, to examine those records fre- quently, and to keep them in an archive. You can use logs to monitor your network security, identify any security risks, and address them.

The WatchGuard Firebox X Core and Firebox X Peak send log messages to a shared log management sys- tem called the Log Server. They can also send log messages to a Syslog server or keep logs locally on the Firebox. It is your decision to send logs to any or all of these locations.

You can use Firebox System Manager to log messages in the Traffic Monitor tab. For more information, see the Configuration Guide. You can also examine log messages with LogViewer. The log messages are kept in an XML file with a .wgl.xml extension in the WatchGuard directory on the log server. You can open this file using any XML editing tool to see full log messages.

Types of Log Messages

The Firebox® sends four types of log messages. Log messages created with Fireware appliance software include the name of the log type in each log message. Log messages created with WFS appliance software give the same data, but do not include the log type category name in the body of the message.

•Traffic

•Alarm

•Event

•Diagnostic

Traffic log messages

The Firebox sends traffic log messages as it applies packet filter and proxy rules to traffic that goes through the Firebox.

User Guide

37

Image 43

WatchGuard Technologies Firebox X manual Reviewing and Working with Log Files, Types of Log Messages, Traffic log messages

Contents

WatchGuardSystem Manager User Guide Address Contents Copy the online help system to more computers Setting Up Logging and Notification Importing Certificates Microsoft Internet Explorer 5.5 LogViewer Settings Apache Software License, Version 2.0, January Log Server Getting StartedAbout WatchGuard System Manager WatchGuard Management Server About Hardware and Appliance Software Installing WatchGuard System Manager Network addresses License Keys Optional interfaces 1Network IP Addresses Without the FireboxExternal interface Trusted interface Strong Software encryption levelsBase Uses 40-bit encryption Putting the Firebox into operation on your network Setting Up Your Management Server Admin password Master password Installation Topics After Your Installation Routed configuration WFS appliance software configuration modes Drop-in configuration Dynamic IP support on the external interface Adding secondary networks to your configurationTo add a secondary networks, do one of these procedures Use the Quick Setup Wizard during installation About slash notation Entering IP addresses Installing the Firebox cables Installation Topics Easy software updates Service and SupportLiveSecurity Service Solutions Threat responses, alerts, and expert advice LiveSecurity Service Broadcasts Basic FAQs LiveSecurity Service Self Help ToolsNew from WatchGuard Online Training Advanced FAQsKnown Issues Interactive Support Forum Online Help Using the WatchGuard Users ForumWatchGuard Users Forum WatchGuard Users Group Software requirements Product DocumentationTechnical Support Copy the online help system to more computers Hours Web Site Service TimeWe try to supply a solution in a maximum time of four hours Type of Service Training and Certification From the Windows Desktop Monitoring Your NetworkStarting WatchGuard System Manager About the WatchGuard System Manager Window Log Connecting to a FireboxDisconnecting from a Firebox Device Seeing Information about Devices Connecting to a ServerType the password for the Management Server Disconnecting from a Server Certificates Firebox StatusBranch Office VPN Tunnels No exclamation point Seeing Information on Log ServersMobile user VPN tunnels Pptp user VPN tunnels Monitoring VPNs Firebox Manager About the WatchGuard ToolbarStarting Security Applications Policy Manager Historical Reports Quick Setup WizardHostWatch Log Viewer Setting Up the Log Server Setting Up Logging and NotificationLog Server collects logs from each WatchGuard Firebox Configuration Guide for your version of appliance software WatchGuard Log Server Configuration dialog box appears Type the new log encryption key two times Click OK Setting Global Logging and Notification Preferences Click Save Changes or Close Click Save Changes Setting Global Logging and Notification Preferences Traffic log messages Traffic Alarm Event DiagnosticReviewing and Working with Log Files Types of Log Messages Starting LogViewer Alarm log messagesDiagnostic log messages Log File Names and Locations Browse to find the log file and click Open LogViewer Settings Click to set the format of the logs to the default colors Changing LogViewer settings with WFS appliance software Select Edit Find Using LogViewer Paste the data into any text editor Click Browse to find the files to put together Click Merge Click File Merge log files Using LogViewer Using LogViewer Creating and Editing Reports Generating Reports of Network Activity Type the report name From Historical Reports, click AddSelect the filter Type the Firebox IP address or host name. Click Add Specifying a Report Time IntervalChange the report definition Specifying Report Sections To consolidate report sections Setting Report PropertiesType the number of items to put in the table Exporting Reports Complete the Filter tabs Using Report Filters Change the filter properties When finished, click OKRunning Reports Report Sections and Consolidated Sections Report Sections and Consolidated Sections Session Summary Proxied Traffic Consolidated sections Report Sections and Consolidated Sections Public Key Cryptography and Digital Certificates Managing Certificates Certificate AuthorityPKI in a WatchGuard VPN From the menu, select the correct Managing the Certificate AuthorityCertificate Authority CA Certificate Find and Manage Certificates Management Server CA CertificateGenerate a New Certificate GWvpn gateway name Destroy RevokeReinstate Puts back a certificate that was revoked before Importing Certificates Managing the Firebox X Edge Firebox Soho Netscape Netscape Communicator System Status Troubleshooting ideasAdministration Managing the Firebox X Edge or Soho Device Logging Removing CertificatesSystem security and remote management Firewall Select File Soho Management Clean up on PC Removing Certificates WatchGuard Firebox Software End-User License Agreement Appendix a Copyright and Licensing WatchGuard System Manager Copyright and Trademarks OpenSSL License Licenses Original SSLeay License Apache Software License, Version 2.0, January Licenses Pcre License GNU Lesser General Public License Licenses Licenses Licenses GNU General Public License Licenses Licenses Licenses Sleepycat License Licenses General File Locations Appendix B WatchGuard File Locations Quick Setup Wizard Default File Locations HostWatch for Fireware Appliance Software Firebox System Manager for Fireware Appliance SoftwarePolicy Manager for Fireware Appliance Software Policy Manager for WFS Appliance Software WatchGuard System Manager LogViewer Firebox System Manager for WFS Appliance SoftwareHostWatch for WFS Appliance Software Flash Disk Management for WFS Appliance Software WebBlocker Server Management ServerLog Server User Interface Log Server for WFS Appliance Software Log Server for Fireware Appliance SoftwareHistorical Reports Log Merge Management Server Setup WizardManagement Server User Interface WatchGuard Certificate Authority Default File Locations Index Muvpn Wctp 100