Firebox no longer sending logs

XTM33 (12.1.3, in process of retiring) all of a sudden stopped sending logs to my Dimension server. Dimension is online and accessible . Dimension server restarted. Firewall restarted. Logging disable and re-enabled on firewall. The XTM is still not sending logs to Dimension.

No configuration changes were made on the firebox when this happened.

I was applying windows updates on the Dimension server around this time. But the timing is not exact.

Any suggestions?

Comments

  • You can turn on "Enable logging for packets sent from this device" to verify packets are being sent to the Dimension server.
    If so, then you need to look downstream - most likely the Windows server.

    You can also run TCP Dump to do packet captures on your firewall.
    With the Advanced options, you can select the IP addr to capture.

    Web UI: Run Diagnostic Tasks on Your Firebox
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/system_status/stats_diagnostics_tasks_web.html

    FSM: Run Diagnostic Tasks to Learn More About Log Messages
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/fsm/log_message_learn_more_wsm.html

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @JoshuaThompson
    Does the XTM33 have a current support license?
    Dimension 2.0 and better require the LiveSecurity line of the feature key to be current (have support) in order to log. It gives you a grace period, but will eventually stop logging if it's expired.

    If that's the case and you're in the process of getting a trade up, etc, reach out to your reseller (or if you're doing it directly, reach out to our customer care team) and request a temporary key to keep it running.

    -James Carson
    WatchGuard Customer Support

  • james.carsonjames.carson Moderator, WatchGuard Representative

    I searched for your name in our ticket system -- If it's for your XTM33 with a serial number ending in 2D56, the feature key expired about a month ago -- that's likely it. If you open a customer care case under your new device that you're migrating to asking for a temporary key for that XTM33, they should be able to get one to you so it'll pick up logging again.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson that must exactly be the problem The live security subscription expired a little more than 30 days ago. We are in the process of replacing this device now. I spoke with support and they mentioned that only the subscription services would be impacted by an expiring subscription and did not mention that I would also lose the ability for logging to Dimension.

    Thanks for your help.

  • Thank you @James_Carson . That was the issue.

Sign In to comment.