Can Linux be used as a firewall M200 log server, if yes how?
Currently I have 2 separate installs of XTM330 and M200 where I would like to forward the logging to Linux as a log server. Is that something that could be done straightforwardly and if so, how please? Yes, I have plans to replace the XTM330 and purchase 4 more in the next few months. But I need to get a proof of concept in now.
Thank You,
David
Best Answers
james.carson Moderator, WatchGuard Representative
The only log servers that we support are:
-WatchGuard Log/Report server, which runs on Windows.
-WatchGuard Dimension, which is a VMWare/HyperV virtual machine.
You can find more about each here:
(Quick Start — Set Up Logging to a WSM Log Server)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/setup_logging_task_wsm.html
(Get Started with WatchGuard Dimension)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/get-started_dimension_d.html
Some customers have reported success converting a Dimension VMWare image over to Linux KVM (https://www.linux-kvm.org/) however, Dimension is only supported on supported versions of VMWare and HyperV. This means it'd likely work, but if it were to break, you'd be on your own.
Finally, the firewall does support sending log data via syslog, but you'll need to set up your own 3rd party server/service to handle the syslog data stream. You can find more about that here:
(Configure Syslog Server Settings)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/send_logs_to_syslog_c.html
-James Carson
WatchGuard Customer Support
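For the syslog route mentioned in the answer above, a minimal proof-of-concept receiver for a Linux host (an added example, not WatchGuard code and not part of the original thread). The sender addresses, log directory and function names are assumptions; only the standard syslog `<PRI>` header is decoded, and no particular Fireware message layout is assumed.

```python
import re
import socket
from pathlib import Path

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              *(f"local{i}" for i in range(8))]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"<(\d{1,3})>")  # bytes pattern: \d matches ASCII digits only


def parse_pri(datagram: bytes):
    """Return (facility, severity, message), or None if the <PRI> header is invalid."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:  # 23 * 8 + 7 is the highest valid PRI
        return None
    pri = int(m.group(1))
    msg = datagram[m.end():].decode("utf-8", errors="replace")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], msg.rstrip("\r\n\x00")


def store(log_dir: Path, source_ip: str, datagram: bytes) -> Path:
    """Append one record to a per-sender file named after the socket peer address."""
    parsed = parse_pri(datagram)
    if parsed is None:
        parsed = ("unknown", "unknown", datagram.decode("utf-8", errors="replace"))
    facility, severity, msg = parsed
    # Collapse embedded line breaks so one datagram can never forge extra records.
    line = " ".join(msg.splitlines())
    path = log_dir / f"{source_ip}.log"  # never derived from message content
    with path.open("a", encoding="utf-8") as fh:
        fh.write(f"{facility}.{severity} {line}\n")
    return path


def serve(log_dir: Path, allowed: set, bind=("0.0.0.0", 514)):
    """Receive UDP syslog forever; datagrams from unlisted senders are dropped."""
    log_dir.mkdir(parents=True, exist_ok=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)  # port 514 needs root or CAP_NET_BIND_SERVICE
        while True:
            data, (ip, _port) = sock.recvfrom(8192)
            if ip in allowed:
                store(log_dir, ip, data)


if __name__ == "__main__":
    # Constructed addresses standing in for the XTM330 and the M200.
    serve(Path("/var/log/firebox"), {"192.0.2.10", "192.0.2.20"})
```

UDP source addresses can be spoofed, so the allowlist is a filter rather than authentication; restrict the listening port to the firewalls' management network as well.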
james.carson Moderator, WatchGuard Representative
In addition to the above, if you'd like to have a look at a running dimension system with logs running to it, you can do so at
https://demo.watchguard.com
user: demo
password: visibility
-James Carson
WatchGuard Customer Support
Answers
Hello James,
I am currently working on an integration platform to centralise the logs of our different clusters.
Can you please confirm if we can run a secondary Dimension server within another VM environment?
Not sure of your question.
Can you run Dimension on a VM platform which has other VMs running? Yes
Can you send log records concurrently from a single firewall to 2 different Dimension servers ? Yes.
Add a Dimension or WSM Log Server
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/ls_add_firebox_wsm.html
Hi @Leck0791_T
You can log to two WatchGuard servers at once. You should see a log server 2 tab in your settings under Setup -> Logging. Just add the second Dimension server there.
-James Carson
WatchGuard Customer Support
What about using an external PostgreSQL DB? Logserver is unable to communicate with the built-in DB, so I tried with an external one, but it doesn't communicate with the PostgreSQL DB either; it gives messages like "PostgreSQL authentication method 10 not supported" or "PostgreSQL authentication method 8 not supported", depending on the PostgreSQL database version. I tried with versions 9 and 17. When I call psql.exe from WatchGuard/postgresql/bin to my external DB, I receive error messages like the above. From Server Center itself, I also receive errors. I am trying to install PostgreSQL 8.2.23, the same version as WSM, but it seems like a nightmare with outdated libraries and incompatibility issues. pgAdmin v4 connects fine with my external PostgreSQL DBs. Is external PostgreSQL still an option?
Review this info for Dimension with an external database:
Configure the Database Location
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/dimension/database_configuration_d.html
WSM Log Server is no longer supported starting in V12.9 of WSM.
I don't recall ever seeing info on using an external database server with WSM Log Server & Report Server.
Bruce, I appreciate your reply, thank you.
Even though WSM Log Server is no longer supported from V12.9 and beyond, it doesn't mean the feature doesn't work. The feature is still referenced in WatchGuard documentation: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/logging/ls_configure_database-maintenance_tab_wsm.html I am aware of this feature being replaced by Dimension. I believe I saw this feature being used in the past, but I didn't participate in the DB setup. I may be confusing it with the backup log files feature.
You can still install WSM Log Server etc. in the latest releases of WSM V12.11 - it is there.
You can try installing the Log Server on a Windows PC and see what the limited options are, which should answer your questions.
I see, the thing is, something on this given computer is malfunctioning regarding Logserver, the WSM and Logserver installs, but Logserver and the built-in PostgreSQL don't connect. I don't know if it's the third-party AV (ESET) (I have tried disabling AV and reinstalling and adding WatchGuard folders as scan exceptions) or something else related to the computer; that's why I went to try using an external PostgreSQL DB. Based on your previous reply, this option to use an external DB is something you have not come across, right? Well, I'll ask another Windows computer for the end-user. For the time being, this site's firewall doesn't have a valid live security license to work along with Dimension.
Bruce, the issue with the Logserver application not connecting with its built-in PostgreSQL database was that the server had another running PostgreSQL instance for Veeam Backup & Replication that was using the same TCP 5432 port. Once the respective service was stopped and Logserver was reinstalled, communication with the database went up.