In this article, we shall discuss the steps to set up WatchGuard Log Server. This component of WatchGuard Server Center acts as a local database that collects log message data from every connected Firebox, and it gives you insight into the log messages from your Firebox or XTM device as well as from your WatchGuard servers. Please see How to Set Up a WatchGuard XTM and Access WSM, and how to configure WatchGuard WebCenter.
Traffic Monitor (included by default in WatchGuard Firebox System Manager) shows the real-time log in its Traffic Monitor tab, but in order to view logs over a period of time we need a Log Server (viewed through Log Manager).
What is WatchGuard Log Server?
WatchGuard Log Server is a component of WatchGuard Server Center. It is a local database that can collect log message data from each connected Firebox or WatchGuard server. You can install the WatchGuard Log Server on your management computer or on a different computer. You can also add additional Log Servers for backup and scalability.
You can use the Log Manager and Report Manager pages of the interactive WatchGuard WebCenter web UI to see the details in your log files, view generated reports from your XTM devices and WatchGuard servers, and generate on-demand reports.
When you open a report, you can pivot on the data in any report to see the granular details included in the report. Each report includes links to related report details.
You may also want to see WatchGuard Firebox: Restoring Backups on XTM Device, how to configure WatchGuard WebCenter, and WatchGuard Log and Report Server Installation in a VM.
Download the Watchguard System Manager
Part A: Download and install the Watchguard System Manager software.
Install the Log Server and Report Server on the VM, together with the WatchGuard System Manager.
– Access the WatchGuard Server Center (from the tray or Start menu).
– Complete the general settings for the Log and Report Server configuration, confirming the encryption keys and passphrases carefully.
– Configure the Log and Report Server settings by selecting the database location; browse carefully to the path you have defined.
Note: once you have completed the setup of the WatchGuard Log Server, the database directory location cannot be changed through the Log Server user interface to gain more space, so choose a location with enough room now.
Review and Finish
Part B: Configuring Firewall Ports for the WatchGuard Log Server
To ensure communication with the WatchGuard Log Server, open or exclude the required ports in any non-Windows firewall or security product installed on the system where the WatchGuard server runs.
In my case, I had a TrendMicro Anti-Virus agent running on my WatchGuard Log Server.
Exclude these ports in your anti-virus solution:
– Log Server: TCP 4121
– Report Server: TCP 4122
For the WatchGuard Log Server to run smoothly, also exclude the PostgreSQL database folder from your anti-virus scanner and from your backup program's target list.
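The following PowerShell is an added example and not part of the original post or of WatchGuard's own tooling. It checks from a client that the Log Server port (TCP 4121) and Report Server port (TCP 4122) named above are reachable, and it adds the PostgreSQL database folder to the Windows Defender exclusion list as a stand-in for the third-party anti-virus exclusion. The host name and the database path are placeholders you must replace.

```powershell
# Added example (not from the original post): verify that the Log Server (TCP 4121)
# and Report Server (TCP 4122) are reachable, and exclude the PostgreSQL data
# folder from Windows Defender scanning. Host name and path are assumed placeholders.

function Test-WatchGuardServerPorts {
    param(
        [Parameter(Mandatory)] [string] $ServerHost,
        [int[]] $Ports = @(4121, 4122)   # 4121 = Log Server, 4122 = Report Server
    )
    foreach ($port in $Ports) {
        $result = Test-NetConnection -ComputerName $ServerHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server    = $ServerHost
            Port      = $port
            Role      = if ($port -eq 4121) { 'Log Server' } elseif ($port -eq 4122) { 'Report Server' } else { 'Other' }
            Reachable = $result.TcpTestSucceeded
        }
    }
}

# Exclude the PostgreSQL database folder from Windows Defender real-time scanning.
# Requires an elevated prompt. For a third-party agent such as TrendMicro, add the
# same folder in that product's own console instead.
function Add-WatchGuardDbExclusion {
    param([string] $DatabasePath = 'D:\WatchGuard\logs\postgresql')  # assumed path; adjust to your install
    if (-not (Test-Path -LiteralPath $DatabasePath)) {
        throw "Database folder not found: $DatabasePath"
    }
    Add-MpPreference -ExclusionPath $DatabasePath
    (Get-MpPreference).ExclusionPath
}

# Run the port check from a management host; any row with Reachable = False points
# at a firewall or anti-virus rule that still blocks the port.
Test-WatchGuardServerPorts -ServerHost 'logserver.example.local' | Format-Table -AutoSize
```

Run the port check from the management computer (or any host on the Firebox side) after the exclusions are in place; a row with `Reachable = False` means a rule on the server is still blocking that port.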
Configure System Settings
Disable hibernation on the VM (or computer) running the Log Server, so that the Log Server is not shut down when the machine hibernates.
Click Start > Control Panel. Select Power Options.
Select the Hibernate tab and disable hibernation.
Set the time correctly
Ensure that both the Log Server and the WatchGuard XTM device have the same system time set.
Start Firebox System Manager, select Tools and click Synchronize Time.
Database Size Guidelines for Optimal Disk Utilization
Note: it is recommended that you set the database sizes for the Log Server and Report Server so that the combined Maximum database size setting for both servers is less than 50% of the total disk space available on the primary operating system partition, or less than 80% if the databases are on a second partition. This ensures the databases do not consume more disk space than the system can afford.
Part C: Configuring the log server
Note: when diagnostic logging is enabled, your Log Server database can fill up very fast. To mitigate this, choose to delete only the diagnostic log messages from your database.
Steps: In the Servers tree, click Log Server. Select Server Settings and enter the maximum database size.
B) Configure Notification Settings
This enables the Log Server to send notification messages when a specified failure event occurs on the XTM device or the Log Server, or when the Log Server deletes messages from the database to reduce its size.
Note: you must specify the email server to send messages from; after configuring it, you can send a test email to determine whether the configuration is OK. Go through all the listed menus and configure them; they are straightforward.
C) Configure Database Maintenance Settings
You can specify that backup copies of your log messages are created automatically, and specify the folder to save them in.
You can also manually create a backup log file and restore a backup file to your database. Backups are saved as Zip files with the date included in the file name.
Note: the oldest messages in the databases are purged so that the databases do not exceed the limit specified for the maximum database size.
The path to the backup directory must be specified as a UNC path in this format: \\fileserver\share\directory. The directory path cannot start with a drive letter. This ensures that the path is always accessible to the Log Server.
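The following PowerShell is an added example, not code from the original post or from WatchGuard. It serves two of the settings discussed above: it computes the recommended combined maximum database size for a given drive (under 50% of the operating system partition, under 80% of a second partition, per the guideline in the database size section) and it checks that a proposed backup directory is a UNC path rather than a drive-letter path. The drive letter and backup paths used at the bottom are assumed sample values.

```powershell
# Added example (not from the original post): pre-flight checks before entering the
# Log Server / Report Server settings in WatchGuard Server Center.
# 1) Combined maximum database size: below 50% of the OS partition, or below 80%
#    of a second (data) partition.
# 2) The backup directory must be a UNC path (\\server\share\dir), not a drive letter.

function Get-RecommendedMaxDbSizeGB {
    param([Parameter(Mandatory)] [string] $DriveLetter)   # e.g. 'C' or 'D'
    $volume   = Get-Volume -DriveLetter $DriveLetter
    $osDrive  = $env:SystemDrive.TrimEnd(':')
    $fraction = if ($DriveLetter -ieq $osDrive) { 0.5 } else { 0.8 }
    [pscustomobject]@{
        Drive           = $DriveLetter
        IsOsPartition   = ($DriveLetter -ieq $osDrive)
        TotalGB         = [math]::Round($volume.Size / 1GB, 1)
        # Upper bound for Log Server + Report Server together; split it between them.
        CombinedMaxDbGB = [math]::Floor($volume.Size * $fraction / 1GB)
    }
}

function Test-BackupUncPath {
    param([Parameter(Mandatory)] [string] $Path)
    # Reject drive-letter paths such as D:\backup.
    if ($Path -match '^[A-Za-z]:') { return $false }
    # Require the \\server\share\... form.
    return ($Path -match '^\\\\[^\\]+\\[^\\]+')
}

# Assumed sample values; replace with your own drive and file server.
Get-RecommendedMaxDbSizeGB -DriveLetter 'D'
Test-BackupUncPath -Path '\\fileserver\share\wg-backups'
Test-BackupUncPath -Path 'D:\wg-backups'
```

Use the `CombinedMaxDbGB` value as the ceiling when you split the Maximum database size between the Log Server and Report Server, and run `Test-BackupUncPath` on the backup folder before pasting it into the Database Maintenance settings.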
D) Configure Logging Settings for the Log Server
In WatchGuard Server Center you can view the status of all connected XTM devices, and configure Windows Event Viewer and file path settings for your Log Server.
Steps: In the Servers tree, click Log Server and select the Logging tab. Here you can add and remove XTM devices, configure Windows Event Viewer and the log file path, and assign the level of error message from the drop-down box.
Part D. Configuring the Report Server
This is needed to periodically consolidate the log data and generate reports. Note: the Report Server gets its data from the Log Server and creates reports about the network from it.
Steps: In the Servers tree, click on the Report Server and select the Server Settings.
In the Log Server Settings section, edit the Add Log Server(s) list.
– To add a Log Server to the list, click Add and enter the IP address and the passphrase.
– To change information for a Log Server, select a server from the list and click Edit.
Note that you can also remove a particular Log Server from the list. See the WatchGuard reference manual.
Part E. XTM firebox configuration.
Note: you can configure various XTM devices to send log messages to a single Log Server. The only limitations are disk space, RAM and processor.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.