Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2758
Views
0
Helpful
5
Replies

Basic syslog on FMC and sensor

ebng
Level 1
Level 1

‎10-04-2018 05:08 PM - edited ‎02-21-2020 08:19 AM

I'm trying to setup my FMC 1000 and FP 7030 sensor to send syslogs to an external server.  All I really want for now is anything that gets populated under System->Monitoring->Syslog.  I don't really care about intrusion alerts or things like that for now.  I tried following the steps under "Sending Health Alerts" from the link below, but that didn't seem to get me anything (and I believe may be just for the sensor anyway):

 

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html#anc5

 

Any help would be appreciated.

0 Helpful
5 Replies 5

babiojd01
Level 1
Level 1

‎10-05-2018 07:47 AM

What syslog data are you looking for? Why don't we start with what data you do want sent to syslog. Security Intelligence, SNORT alerts, Fireamp, or Audit data from FMC?

Security Intel is syslog sent from the FTD/FP device itself. Snort Alerts can come through syslog via impact alerts from FMC as well as Network Fireamp.

0 Helpful

ebng
Level 1
Level 1
In response to babiojd01

‎10-08-2018 07:58 AM

What I'd like to see is successful and failed logins, logouts, temperature warnings, crash info, things like that, for both my Firepower 7030 sensor and FMC 1000. 

0 Helpful

Marius Gunnerud
VIP
VIP

‎10-06-2018 02:51 AM

To set up syslog for the FTD appliances go to Devices > Platform Settings > Syslog.

I have attached the configuration I use in my home lab FTD.  Keep in mind that the FTD sends a lot more messages than an ASA does, so you may need to rate limit the messages.  At a client had to rate limit to 4000 messages per second to get it to work properly. This is dependent on which syslog server you are using so check the specifications of your syslog server.

--
Please remember to select a correct answer and rate helpful posts
Preview file
423 KB
0 Helpful

ebng
Level 1
Level 1
In response to Marius Gunnerud

‎10-08-2018 08:15 AM

Hmmm...I'm seeing something different from my FMC.  See attached.  The first screenshot is from Devices->Platform Settings.  The second is after I click the pencil icon next to my policy.  I guess this is because I'm using a "legacy" sensor?

Preview file
87 KB
0 Helpful

Marius Gunnerud
VIP
VIP
In response to ebng

‎10-15-2018 10:41 AM

Which version are you running?

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card