Sending WatchGuard logs to Syslog

03 Mar 2009

I manage a handful of WatchGuard Firebox Edge series firewalls at work. I’m generally pretty happy with them and have found that they do just what I need done.

Lately I’ve been wrestling with some provider issues and have been trying to get some better data on sporadic network outages. That caused me to look closer at the firewalls and their logs. The wrinkle is that I rarely have more than 30 minutes or so of logs in the buffer on the device. Fortunately, these things support sending the logs to an external Syslog server – and that’s what today’s challenge was.

What’s syslog? From Wikipedia:

syslog is a standard for forwarding log messages in an IP network. The term “syslog” is often used for both the actual syslog protocol, as well as the application or library sending syslog messages.

[…]

Syslog is typically used for computer system management and security auditing. While it has a number of shortcomings, syslog is supported by a wide variety of devices and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository.

Long story short: I want to send the log messages from all my firewalls to one central server. In this case, my server is a Linux machine running CentOS 5.2. It was already running the syslog service (pretty much a default for most (all?) distributions) but needed a few extra configuration steps to get this task accomplished.

As I’ll probably do this again in the future, what follows are the modifications I made to make this all work.

First I edited /etc/syslog.conf and added a new line to the top:

local0.warning        /var/log/watchguard.log

Translated: the WatchGuard messages arrive on the “local0” facility, and I only want to log messages of priority “warning” and above.

In the same file, I also modified the line that feeds the messages log file by appending local0.none to its selector. If I didn’t do that I’d get my WatchGuard messages in that file as well.

My syslog.conf

(I circled that second edit in the picture above)

Next I edited /etc/sysconfig/syslog and added “-r” to the SYSLOGD_OPTIONS bit. The -r tells it to accept remote logs and is rather necessary to this endeavor’s success.

the sysconfig/syslog change

I’m not sure if I have this last piece correct or not, but based on what I read in this “Rotating Linux Log Files – Part 2” article I think I’ve got it right. The concern is that we don’t want the new watchguard.log file to grow too huge. Instead I want it periodically saved off and a few generations kept for research purposes. Since I’m using CentOS, I believe that means I need to make a small modification to the /etc/logrotate.d/syslog file to tell it about my new log file.

So that’s just what I did. I added my bits to the front of the file and I guess I’ll know if that worked next time the weekly cron job runs :-)

the logrotate.d/syslog change

Once those changes were done I restarted the syslog service (/etc/init.d/syslog restart) and observed my new watchguard.log file growing.

Oh, if you look close at the first line of the first screenshot you’ll see I added a bit more than what I initially wrote here. After running this for an hour I realized I was capturing too much so I changed it to get all types but then exclude the warning messages.
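To see how those selector edits actually combine (why the local0 line catches warnings and up, why local0.none is needed on the messages line, and how a “!=” term excludes a single priority), here is an added example that models sysklogd’s selector rules; it is not code from the post or from WatchGuard, and the SYSLOG_CONF entries are constructed stand-ins for the edited lines, not a copy of the screenshots:

```python
"""Model of sysklogd selector matching, the syntax of /etc/syslog.conf on CentOS 5.
Constructed example: works out which file a Firebox message lands in under a given
syslog.conf and decodes the RFC 3164 <PRI> a remote sender puts on the wire."""
LEVELS = "emerg alert crit err warning notice info debug".split()
FAC = {n: i for i, n in enumerate(
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split())}
FAC.update({f"local{i}": 16 + i for i in range(8)})  # local0 is facility 16
PRI = {n: i for i, n in enumerate(LEVELS)}
PRI.update(panic=0, error=3, warn=4)  # aliases sysklogd also accepts
ALL = set(range(8))

def selector_mask(selector):
    """Return {facility: set(priorities logged)} for one selector field such as
    'local0.warning' or '*.info;mail.none;local0.none'. Parts apply left to right,
    so a later 'local0.none' overrides an earlier '*.info'. A bare priority means
    that priority and everything more severe, '=' means exactly that priority,
    and a leading '!' removes instead of adds."""
    mask = {f: set() for f in FAC}
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        negate = prio.startswith("!")
        exact = prio.lstrip("!").startswith("=")
        prio = prio.lstrip("!=")
        for f in (list(FAC) if facs == "*" else facs.split(",")):
            if prio in ("none", "*"):  # these replace the set outright
                mask[f] = ALL.copy() if (prio == "*") != negate else set()
            else:
                chosen = {PRI[prio]} if exact else set(range(PRI[prio] + 1))
                mask[f] = mask[f] - chosen if negate else mask[f] | chosen
    return mask

def route(config, facility, priority):
    """Log files (in config order) that receive a facility.priority message."""
    return [dest for sel, dest in config
            if PRI[priority] in selector_mask(sel)[facility]]

def decode_pri(pri):
    """Split an RFC 3164 <PRI> value (facility * 8 + severity) into names."""
    return {v: k for k, v in FAC.items()}[pri // 8], LEVELS[pri % 8]

# Constructed stand-in for the post's edits: new local0 line, messages line + local0.none
SYSLOG_CONF = [
    ("local0.warning", "/var/log/watchguard.log"),
    ("*.info;mail.none;authpriv.none;cron.none;local0.none", "/var/log/messages"),
]

if __name__ == "__main__":
    for pri in (132, 134):  # <132> is local0.warning, <134> is local0.info
        fac, lvl = decode_pri(pri)
        print(f"<{pri}> {fac}.{lvl} -> {route(SYSLOG_CONF, fac, lvl)}")
```

Feeding it the PRI values seen in a tcpdump capture is a quick way to check which file a given Firebox message should have ended up in.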

Fun trick: want to make sure your remote machines are actually sending log entries? Use tcpdump to watch the messages flow in (this is also a good way to check what type of messages are being sent and at what level).

tcpdump -vv port 514


3 replies
  1. Vox says:

    My refresh key was getting tired :P

    But nicely done, I like both the solution and the post :) Now I have somewhere to find it when I forget about it all next time, which happens every time I need to do this lol!

    Reply
    • Chris says:

      Hey Vox – Thanks for your help yesterday in getting me pointed down the right road :-)

      Sorry it took so long to actually sit down and write it up.

      Reply
  2. Luke says:

    Thank you very much for the write up, it really helped me a lot since I was doing the exact same thing with a CentOS box and a WatchGuard product!

    Reply
