WatchGuard Firebox System 7.0 User Guide
Chapter 12: Setting Up Logging and Notification
Setting Global Logging and Notification Preferences

Log file size and rollover frequency

You can set the maximum size of the log file by number of log entries or by time (such as daily, weekly, or monthly). When the log file reaches the maximum according to your settings, the log host creates a new file or overwrites the old file. Log rollover is the frequency at which log files begin overwriting.

For example, suppose you have set your log file maximum to 100,000 entries. Operation of your Firebox begins on July 21. By July 26, the log file has 100,000 entries. At this point, the log host starts writing July 27 log entries to a new file and the other file becomes the old file.

The ideal maximum log file size is highly individual: It will be based on the storage space available, how many days of log entries you want on hand at any time, and how long a log file is practical to keep, open, and view. How quickly a file hits its maximum size and is overwritten is also determined by how many event types are logged and how much traffic the Firebox processes. For example, a small operation might not see 10,000 entries in two weeks, whereas a large one with many services enabled might easily log 100,000 entries in a day.

When considering your ideal maximum log file, consider how often you plan to issue reports of the Firebox activity. WatchGuard Historical Reports uses a log file as its source to build reports. If you issue weekly reports to management, you would want a log file large enough to hold a typical eight or nine days’ worth of events. Watch your initial log file configuration to see how many days’ events it collects before turning over, and then adjust the size to your reporting needs.

Setting the interval for log rollover

You can control when the WSEP application rolls over using the Log Files tab in the WatchGuard Security Event Processor. The WSEP application can be configured to roll over by time interval, number of entries, or both. From the WatchGuard Security Event Processor interface:

1 Click the Log Files tab.
  The Log Files tab information appears, as shown in the following figure.

2 For a time interval, select the Roll Log Files By Time Interval checkbox. Select the frequency. Use the Next Log Roll is Scheduled For drop-down list to select a date. Use the scroll control or enter the first time of day.

3 For a record size, select the Roll Log Files By Number of Entries checkbox. Use the scroll control or enter a number of log record entries.
  The Approximate Size field changes to display the approximate file size of the final log file. For a detailed description of each control, right-click it, and then select What’s This?. You can also refer to the “Field Definitions” chapter in the Reference Guide.

4 Click OK.
  The WSEP interface closes and saves your entries. New settings take effect immediately.

Scheduling log reports

You can use the WSEP application to schedule the automatic generation of network activity reports. For more information, see “Scheduling a report” on page 245.
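The sizing advice above (watch how many days a file collects before it turns over, then adjust) can be rehearsed offline. The following is an added example, not WatchGuard code: it models rollover by number of entries, by time interval, or both, at one-day granularity. The function names, the year, and the daily entry counts are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample: entries logged per day, starting July 21.
# The first six days total 100,000, matching the guide's example.
SAMPLE_START = date(2004, 7, 21)  # year is an assumption
SAMPLE_COUNTS = [15000, 18000, 17000, 16000, 14000, 20000,
                 16000, 15000, 17000]

def simulate_rollover(daily_counts, start, max_entries=None, interval_days=None):
    """Return one (first_day, last_day, entries) tuple per log file.

    A file is closed when it holds max_entries, or when interval_days
    have passed since its first entry, whichever comes first.
    Either limit may be None (disabled).
    """
    files, first, entries = [], None, 0
    day = start
    for count in daily_counts:
        # A time-based roll happens before the day's first entry is written.
        if interval_days and first is not None and (day - first).days >= interval_days:
            files.append((first, day - timedelta(days=1), entries))
            first, entries = None, 0
        while count > 0:
            if first is None:
                first = day
            room = (max_entries - entries) if max_entries else count
            written = min(room, count)
            entries += written
            count -= written
            # An entry-count roll can happen in the middle of a day.
            if max_entries and entries == max_entries:
                files.append((first, day, entries))
                first, entries = None, 0
        day += timedelta(days=1)
    if first is not None:  # the file still open when the sample ends
        files.append((first, day - timedelta(days=1), entries))
    return files

def entries_needed(daily_counts, window_days):
    """Entry limit that holds the busiest run of window_days consecutive days."""
    return max(sum(daily_counts[i:i + window_days])
               for i in range(len(daily_counts) - window_days + 1))

if __name__ == "__main__":
    for f in simulate_rollover(SAMPLE_COUNTS, SAMPLE_START, max_entries=100_000):
        print(f[0], "to", f[1], f[2], "entries")
    print("limit for 8 days of events:", entries_needed(SAMPLE_COUNTS, 8))
```

With this sample, a 100,000-entry limit turns over after six days, which is too short for a weekly report; the eight-day figure gives the limit to set instead.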