2152 Views, 10 Helpful, 4 Replies

connection events not getting to syslog server

tato386 (Level 6)

I have set up a syslog alert, I enabled syslog in the access control policy and I enabled each rule for syslog, but I am not getting any data at the syslog server. Is there somewhere else I need to go to get this to work?

I am using FMC VM 6.3 and ASA FirePOWER sensors with the latest software.

 

Thanks,

Diego

4 Replies

Francesco Molino (VIP Alumni)
Hi

Have you configured the syslog in your platform settings menu?
Here is a doc that can help you:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

tato386 (Level 6)

I don't have a syslog option in platform settings. That might apply to FTD; I am using legacy FirePOWER services on ASA.

[Attachment: FirePower_Platform.JPG]

Syslog direct from the sensor is an FTD feature introduced in 6.3:

Previously, you configured event logging via syslog in multiple places, depending on the event type. In Version 6.3.0, you now configure syslog messaging in the access control policy. These configurations affect connection and intrusion event logging for the access control, SSL, prefilter, and intrusion policies, as well as for Security Intelligence.

For FTD devices, some syslog platform settings now apply to connection and intrusion event messages. For a list, see the "Platform Settings for Firepower Threat Defense" chapter in the Firepower Management Center Configuration Guide.

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/relnotes/firepower-release-notes-630/new_features.html

Otherwise the FMC will be the source of the syslog events. Can you share your FMC syslog settings?

After checking my syslog server again I am now seeing messages from both of my sensors and also the FMC. The messages are coming from the individual IPs of each device. I thought they would start immediately after the policy was pushed down, but I guess maybe it takes some time before the devices start sending out data? Or maybe my syslog server (ManageEngine ELA) takes a while to show the data? Anyhow, looks good now.

Thanks all,
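A quick way to settle the "is anything arriving, and from which device?" question raised in this thread is to tally syslog datagrams by source address and decoded PRI before involving the collector's UI. The following is an added example (not code from the thread, from Cisco, or from ManageEngine); the 192.0.2.x addresses and sample datagrams are constructed, and `listen()` assumes UDP syslog on port 514.

```python
import re
import socket
from collections import Counter, defaultdict
# RFC 3164 framing: "<PRI>" then the message. Only the header is decoded here,
# because the message body differs per Firepower event type.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_pri(datagram):
    """Return (facility, severity, message), or None if the PRI is missing/invalid."""
    m = _PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 23 facilities * 8 severities - 1
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7, m.group(2).strip()

def summarize(datagrams):
    """Group (source_ip, raw) pairs by sender and (facility, severity); returns (per_source, unparsed)."""
    per_source, unparsed = defaultdict(Counter), Counter()
    for src, raw in datagrams:
        parsed = parse_pri(raw)
        if parsed is None:
            unparsed[src] += 1  # arrived, but not syslog-framed: worth a look
            continue
        facility, severity, _ = parsed
        per_source[src][(facility, severity)] += 1
    return {src: dict(c) for src, c in per_source.items()}, dict(unparsed)

def listen(bind_ip="0.0.0.0", port=514, max_datagrams=100):
    """Collect raw UDP syslog datagrams off the wire (binding port 514 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    collected = []
    try:
        while len(collected) < max_datagrams:
            data, (src, _) = sock.recvfrom(65535)
            collected.append((src, data.decode("utf-8", "replace")))
    finally:
        sock.close()
    return collected

# Constructed sample traffic (not captured from real devices): two sensors, one
# FMC and one malformed datagram. PRI 134 = local0/info, 133 = local0/notice.
SAMPLE = [
    ("192.0.2.10", "<134>sensor-1: CONSTRUCTED connection event A"),
    ("192.0.2.10", "<134>sensor-1: CONSTRUCTED connection event B"),
    ("192.0.2.11", "<134>sensor-2: CONSTRUCTED connection event C"),
    ("192.0.2.5", "<133>fmc: CONSTRUCTED intrusion event"),
    ("192.0.2.99", "no PRI header on this one"),
]
```

Run `summarize(listen())` on the syslog server host to see which device IPs (FMC versus individual sensors) are actually sending, independent of whatever the collector's UI displays.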
