Enable logging by message ID?
Firebox T70 v12.4.1.B595401
Sending firewall logs to external application. Firewall logs being sent are with log ID 3000-0148 for packet filter, but do not include bytes sent and received for the session. According to the log catalog, log ID 3000-0151 includes these fields though I do not see a way to turn on logging for this ID. Is there a way to enable which logs are forwarded to a destination based upon log ID?
Things we have tried/looked into:
- Looked into the following on management server: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/enable_notification_messages_wsm.html - it does provide us the ability to select messages by ID, though the desired ID 3000-0151 is not present, nor are the log IDs of the logs which are actually being sent, e.g., 3000-0148, 2CFF-0000.
- We do get bytes sent and received from the various proxy logs (e.g., http(s), ftp, dns, etc.) though we need this for basic firewall policies, too, to cover all bases outside of these services.
In short, log ID 3000-0151 exists. How can we enable it so it is included in the feed we forward to an external application?
3000-0151 looks like a log for a terminated connection -- which will only appear at the log level INFORMATION in the firewall category. (Error is the default.)
You'll need to click the diagnostic log level button in Setup -> logging or go to system -> diagnostic log to change that.
If the firewall is generating logs like this for every connection that closes, I would expect this to slow the firewall down due to excessive logging. I would suggest using bandwidth monitoring in WatchGuard Dimension or via SNMP rather than trying to get it out via mass syslog.
WatchGuard Customer Support
James: Note that 3000-0148 is also listed as INFO, yet it is displayed in Traffic Monitor even though all Diagnostic Log levels are set to Error.
Setting Diagnostic Log level for Firewall does not cause 3000-0151 to be generated for me.
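Added example, not from any poster in this thread or from WatchGuard: a receiver-side check that tallies which message IDs actually arrive in the forwarded feed and whether they carry byte counters, useful for confirming the effect of a log level change. It assumes each syslog line contains `msg_id="XXXX-XXXX"` and that byte counters appear as `sent_bytes="N"` and `rcvd_bytes="N"`; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed layout: msg_id="XXXX-XXXX" and key="value" pairs somewhere in the line.
MSG_ID = re.compile(r'msg_id="([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"')
BYTES = re.compile(r'\b(sent_bytes|rcvd_bytes)="(\d+)"')

# Constructed sample lines, not captured from a real Firebox.
SAMPLE = [
    'fw01 firewall: msg_id="3000-0148" Allow Trusted External tcp 10.0.1.20 203.0.113.5 51514 443',
    'fw01 firewall: msg_id="3000-0148" Deny External Firebox udp 203.0.113.9 10.0.1.1 40000 161',
    'fw01 proxy: msg_id="2CFF-0000" constructed proxy event sent_bytes="512" rcvd_bytes="2048"',
    'fw01 kernel: line without a message id',
]

def summarize(lines):
    """Return (lines per ID, lines per ID carrying both byte fields, unparsed count)."""
    seen, with_bytes, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = MSG_ID.search(line)
        if not m:
            unparsed += 1          # keep count so silent format drift is visible
            continue
        msg_id = m.group(1).upper()
        seen[msg_id] += 1
        fields = {name for name, _ in BYTES.findall(line)}
        if fields == {"sent_bytes", "rcvd_bytes"}:
            with_bytes[msg_id] += 1
    return seen, with_bytes, unparsed

def missing_ids(lines, wanted=("3000-0151",)):
    """IDs we expect in the feed that never showed up."""
    seen, _, _ = summarize(lines)
    return [w for w in wanted if seen[w] == 0]

if __name__ == "__main__":
    seen, with_bytes, unparsed = summarize(SAMPLE)
    for msg_id, n in sorted(seen.items()):
        print(f"{msg_id}: {n} lines, {with_bytes[msg_id]} with byte counters")
    print("unparsed:", unparsed, "missing:", missing_ids(SAMPLE))
```

Run it over a capture taken before and after changing the log level to see whether 3000-0151 starts arriving.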