I have set up a syslog alert, I enabled syslog at the access control policy and I enabled each rule for syslog but I am not getting any data at the syslog server. Is there somewhere else I need to go to get this to work?
I am using FMC VM 6.3 and ASA FirePower sensors with latest software.
I don't have syslog option in platform settings. That might apply to FTD and I am using legacy FirePower services on ASA.
Syslog direct from the sensor is an FTD feature introduced in 6.3:
Previously, you configured event logging via syslog in multiple places, depending on the event type. In Version 6.3.0, you now configure syslog messaging in the access control policy. These configurations affect connection and intrusion event logging for the access control, SSL, prefilter, and intrusion policies, as well as for Security Intelligence.
For FTD devices, some syslog platform settings now apply to connection and intrusion event messages. For a list, see the "Platform Settings for Firepower Threat Defense" chapter in the Firepower Management Center Configuration Guide.
Otherwise the FMC will be the source of the syslog events. Can you share your FMC syslog settings?
After checking my syslog server again I am now seeing messages from both of my sensors and also the FMC. The messages are coming from the individual IPs of each device. I thought they would start immediately after the policy was pushed down but I guess maybe it takes some time before the devices start sending out data? Or maybe my syslog server (ManageEngine ELA) takes a while to show the data? Anyhow, looks good now.
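Added example, not code from the thread or from Cisco: a small Python check for the situation in the last post, confirming which devices (FMC plus each sensor) are actually reaching the collector by tallying received syslog lines per source IP against an inventory and flagging any silent device. The IPs, hostnames and message bodies are constructed placeholders, and the `<PRI>` split follows the standard syslog facility*8 + severity encoding.

```python
import re
import socket
from collections import Counter

# Constructed sample of (source_ip, raw syslog line) pairs, as a collector would
# record them. IPs are documentation addresses and the message bodies are
# placeholders, not captured from a real FMC or sensor.
SAMPLE_RECEIVED = [
    ("192.0.2.10", "<134>Jan 10 10:00:01 fmc SFIMS: [placeholder connection event]"),
    ("192.0.2.21", "<134>Jan 10 10:00:02 sensor1 SFIMS: [placeholder connection event]"),
    ("192.0.2.10", "<131>Jan 10 10:00:03 fmc SFIMS: [placeholder intrusion event]"),
]

# Inventory of devices that should be emitting: the FMC plus each managed sensor
# (placeholder addresses; sensor-2 is deliberately absent from the sample above).
EXPECTED_SOURCES = {"192.0.2.10": "FMC", "192.0.2.21": "sensor-1", "192.0.2.22": "sensor-2"}

PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(line):
    """Split the leading <PRI> into (facility, severity); None if absent."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8

def tally_by_source(received):
    """Count messages per sending IP."""
    return Counter(src for src, _ in received)

def silent_sources(expected, received):
    """Names of expected devices from which nothing has been received."""
    seen = tally_by_source(received)
    return sorted(name for ip, name in expected.items() if seen[ip] == 0)

def collect_udp(bind="0.0.0.0", port=514, count=100):
    """Receive `count` UDP datagrams and return (source_ip, line) pairs.
    Binding port 514 needs root; not called in the offline demonstration."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        out = []
        while len(out) < count:
            data, (src, _) = s.recvfrom(65535)
            out.append((src, data.decode("utf-8", "replace")))
        return out

if __name__ == "__main__":
    for ip, n in tally_by_source(SAMPLE_RECEIVED).items():
        print(f"{EXPECTED_SOURCES.get(ip, 'unknown'):>9} {ip}: {n} message(s)")
    print("silent:", silent_sources(EXPECTED_SOURCES, SAMPLE_RECEIVED))
```

To run it against live traffic, replace `SAMPLE_RECEIVED` with the result of `collect_udp()` on the collector host and compare the silent list with the devices the policy was pushed to.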