I manage a handful of WatchGuard Firebox Edge series firewalls at work. I’m generally pretty happy with them and have found that they do just what I need done.
Lately I’ve been wrestling with some provider issues and have been trying to get some better data on sporadic network outages. That caused me to look closer at the firewalls and their logs. The wrinkle is that I rarely have more than 30 minutes or so of logs in the buffer on the device. Fortunately, these things support sending the logs to an external Syslog server – and that’s what today’s challenge was.
What’s syslog? From Wikipedia:
Syslog is typically used for computer system management and security auditing. While it has a number of shortcomings, syslog is supported by a wide variety of devices and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository.
Long story short: I want to send the log messages from all my firewalls to one central server. In this case, my server is a Linux machine running CentOS 5.2. It was already running the syslog service (pretty much a default for most (all?) distributions) but needed a few extra configuration steps to get this task accomplished.
As I’ll probably do this again in the future, what follows are the modifications I made to make this all work.
First I edited /etc/syslog.conf and added a new line to the top:
Translated: the WatchGuard messages arrive on the local0 facility, and a selector of local0.warning logs severity warning and everything more severe (err, crit, alert, emerg), not warning alone.
In the same file, I also modified what gets sent to the messages log file by adding local0.none to its selector. If I didn’t do that I’d get my WatchGuard messages in this file as well.
(I circled that second edit in the picture above)
Next I edited /etc/sysconfig/syslog and added “-r” to the SYSLOGD_OPTIONS bit. The -r tells syslogd to accept remote logs and is rather necessary to this endeavor’s success. One caveat: with -r, sysklogd listens on UDP port 514 and accepts messages from any host that can reach it, with no authentication, so restrict that port to the firewalls’ addresses on the host firewall.
I’m not sure if I have this last piece correct or not, but based on what I read in this “Rotating Linux Log Files – Part 2” article I think I’ve got it right. The concern is that we don’t want the new watchguard.log file to grow too huge. Instead I want it periodically saved off and a few generations kept for research purposes. Since I’m using CentOS, I believe that means I need to make a small modification to the /etc/logrotate.d/syslog file to tell it about my new log file.
So that’s just what I did. I added my bits to the front of the file and I guess I’ll know if that worked next time the weekly cron job runs. Whichever way the new file is added, the stanza needs the postrotate step that sends syslogd a HUP; otherwise syslogd keeps writing to the rotated-away file instead of the fresh one.
Once those changes were done I restarted the syslog service (/etc/init.d/syslog restart) and observed my new watchguard.log file growing.
Oh, if you look closely at the first line of the first screenshot you’ll see I added a bit more than what I initially wrote here. After running this for an hour I realized I was capturing too much so I changed it to get all types but then exclude the warning messages.
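As an added example (not the post’s own files, which only exist in its screenshots), here is the whole procedure as one shell script for a sysklogd host such as CentOS 5. It applies the three edits above idempotently, so running it twice does not duplicate lines, and it defaults to a scratch directory for a dry run; set ROOT=/ to apply for real. The starting contents it writes for syslog.conf and sysconfig/syslog are constructed stand-ins for the distro defaults, and the separate logrotate stanza (weekly, eight generations kept) is my assumption about what “my bits” looked like, since the post does not show them.

```shell
#!/bin/sh
# Added example, not the post's own files: applies the three syslog edits from
# the post to a sysklogd host (CentOS 5 era). ROOT defaults to a scratch
# directory for a dry run; ROOT=/ applies for real (run as root).
set -e

# Edit 1: /etc/syslog.conf. Firebox messages arrive on facility local0 (per the
# post). "local0.warning" matches warning and anything more severe; "local0.none"
# on the messages rule keeps them out of /var/log/messages.
write_syslog_conf() {
    conf="$1"
    # constructed stand-in for the distro default when the file is absent
    [ -f "$conf" ] || printf '*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\nauthpriv.*\t/var/log/secure\n' > "$conf"
    if ! grep -q '/var/log/watchguard\.log' "$conf"; then
        # new rule goes at the top; selector and action separated by a tab
        { printf 'local0.warning\t/var/log/watchguard.log\n'; cat "$conf"; } > "$conf.new"
        mv "$conf.new" "$conf"
    fi
    if ! grep -q 'local0\.none' "$conf"; then
        # append ;local0.none to the selector of the /var/log/messages rule
        sed 's|^\(\*\.info[^[:space:]]*\)\([[:space:]][[:space:]]*/var/log/messages\)|\1;local0.none\2|' "$conf" > "$conf.new"
        mv "$conf.new" "$conf"
    fi
}

# Edit 2: /etc/sysconfig/syslog. "-r" makes syslogd listen on UDP 514 for
# remote messages. There is no authentication, so firewall that port to the
# Firebox addresses.
write_sysconfig() {
    f="$1"
    # constructed stand-in for the CentOS default when the file is absent
    [ -f "$f" ] || printf 'SYSLOGD_OPTIONS="-m 0"\nKLOGD_OPTIONS="-x"\n' > "$f"
    if ! grep -Eq 'SYSLOGD_OPTIONS="([^"]* )?-r' "$f"; then
        sed 's|^SYSLOGD_OPTIONS="\(.*\)"|SYSLOGD_OPTIONS="\1 -r"|' "$f" > "$f.new"
        mv "$f.new" "$f"
    fi
}

# Edit 3: /etc/logrotate.d/syslog. A separate stanza (my assumption; the post adds
# its bits to the existing one) keeps eight weekly generations. The postrotate HUP
# makes syslogd reopen the file; without it syslogd keeps writing to the old one.
write_logrotate() {
    f="$1"
    if ! grep -q '/var/log/watchguard\.log' "$f" 2>/dev/null; then
        cat >> "$f" <<'EOF'
/var/log/watchguard.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
    fi
}

# Apply all three edits under a root directory ("/" for the real system).
apply_all() {
    root="$1"
    mkdir -p "$root/etc/sysconfig" "$root/etc/logrotate.d"
    write_syslog_conf "$root/etc/syslog.conf"
    write_sysconfig "$root/etc/sysconfig/syslog"
    write_logrotate "$root/etc/logrotate.d/syslog"
}

ROOT="${ROOT:-$(mktemp -d)}"
apply_all "$ROOT"
echo "syslog config written under $ROOT"
# syslogd only rereads its config on restart (or SIGHUP), as in the post
if [ "$ROOT" = / ]; then
    /etc/init.d/syslog restart
fi
```

Run it once with no ROOT set and inspect the three files it leaves under the scratch directory before pointing it at the real system.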
Fun trick: want to make sure your remote machines are actually sending log entries? Use tcpdump to watch the messages flow in (this is also a good way to check what type of messages are being sent and at what level).
```shell
# -n skips reverse DNS lookups on every packet; syslog is UDP, so narrow the filter to it
tcpdump -n -vv udp port 514
```