topic Re: fmc syslog in Network Security

fmc syslog

shaikh.zaid22 — Tue, 03 Jan 2023 17:32:38 GMT

hi,

i have ftd with fmc running 7.0.1, i have configured the syslog server to send the remote vpn syslogs to a NAC for posture and compliance check. Now the logs are showing up in the NAC, but, in encrypted format not in cleartext.

Kind assistance is required, if anybody knows how to send syslogs in cleartext to external syslog server from fmc.

Re: fmc syslog

Mark Elsen — Tue, 03 Jan 2023 18:14:01 GMT

- Are you sure this is not related to the NAC handling of the logs ?

Re: fmc syslog

balaji.bandi — Tue, 03 Jan 2023 18:15:06 GMT

what NAC here ?

how is your syslog config TCP or UDP ?

Re: fmc syslog

shaikh.zaid22 — Tue, 03 Jan 2023 18:28:58 GMT

Hi marce and balaji,

Yes it is a forescout NAC, we are configuring for VPN events and then apply compliance policy. However, the logs are not readable. I was wondering whether it is the job of the forescout parser or fmc is sending syslogs in unreadable format.

Re: fmc syslog

shaikh.zaid22 — Tue, 03 Jan 2023 18:29:46 GMT

We are sending UDP 514 ports.

Re: fmc syslog

Marius Gunnerud — Wed, 04 Jan 2023 20:40:55 GMT

Syslog from the FMC should not be encrypted, Are you sure you are not using eStreamer?

Re: fmc syslog

balaji.bandi — Wed, 04 Jan 2023 21:24:16 GMT

personally, never seen this issue before until we missing something here?

Re: fmc syslog

shaikh.zaid22 — Thu, 05 Jan 2023 04:11:10 GMT

We have Forescout NAC, wherein we are capturing VPN logs, which is not showing in plaintext.

Re: fmc syslog

Marius Gunnerud — Thu, 05 Jan 2023 08:24:58 GMT

That is a bit odd, you should be seeing the permit / deny logs received on the "inside" interfaces. Do you have sysopt connection permit-vpn enabled? If you have this enabled you could try disabling it, but then be aware that you need to configure access rules on the outside interface for the VPN traffic, and then enable syslog for those rules.