
Syslog events - IPS, APP-ctrl

Hello everyone,

We are trying to configure syslog for WatchGuard Firebox 12.8.2. We have enabled forwarding of only Alarm events and System events, on local 0 and local 1 respectively.

We could not find any IPS or App-ctrl events logged to our syslog server, even though they are enabled in the policy.

We could also see in the Firebox configuration file that the column "Alarm" is disabled for all firewall policies.
When we try to turn on the Alarm for firewall policies, we cannot see the checkbox for Alarm (Edit settings --> Advanced tab).

Please suggest what the issue is.

Comments

  • james.carson Moderator, WatchGuard Representative

    The easiest thing I can think to test this would be the EICAR text string -- that should generate an alert if you have this turned on.

    Alarm generates an alarm log for the WatchGuard log/report or Dimension servers -- syslog is handled as its own thing.

    You can also use the tcpdump facility in Firebox System Manager. Using an advanced argument like "-i eth1 host 10.0.1.250 and port 514" (replace the IP address and interface with the ones that reflect where your syslog server is), you should be able to see if the firewall is sending the syslog traffic.

    -James Carson
    WatchGuard Customer Support
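
A receiver-side complement to the tcpdump check above, added here as an example and not part of the original thread: it decodes the `<PRI>` header of incoming UDP syslog datagrams so you can see whether anything arrives from the firewall and whether it lands on local0 or local1. The sample datagrams and the source address 10.0.1.1 are constructed placeholders, not real Firebox output.

```python
import re
import socket
from collections import Counter

PRI_RE = re.compile(rb"^<(\d{1,3})>")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23*8+7 is the highest valid PRI value
        return None
    fac, sev = divmod(pri, 8)  # PRI = facility*8 + severity
    name = f"local{fac - 16}" if fac >= 16 else f"facility{fac}"
    return name, SEVERITIES[sev]

def tally(packets):
    """Count messages per (source IP, facility); packets yields (src_ip, bytes)."""
    counts = Counter()
    for src, data in packets:
        decoded = decode_pri(data)
        counts[(src, decoded[0] if decoded else "no-PRI")] += 1
    return counts

def listen(bind_ip="0.0.0.0", port=514, firebox_ip=None):
    """Print facility/severity of each datagram; binding port 514 needs privileges
    and the port must not already be held by the syslog daemon."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (src, _) = sock.recvfrom(8192)
        if firebox_ip in (None, src):
            print(src, decode_pri(data), data[:120])

# Constructed sample datagrams (not real Firebox output); 10.0.1.1 is a placeholder.
SAMPLE = [
    ("10.0.1.1", b"<129>Jan 10 12:00:00 fw example alarm message"),   # 129 = 16*8+1
    ("10.0.1.1", b"<142>Jan 10 12:00:01 fw example system message"),  # 142 = 17*8+6
    ("10.0.1.1", b"no priority header"),
]

if __name__ == "__main__":
    for key, n in sorted(tally(SAMPLE).items()):
        print(key, n)
```

To watch live traffic on a test host, call `listen(firebox_ip="<firewall address>")` instead of tallying the sample.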
