Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3202
Views
10
Helpful
4
Replies

connection events not getting to syslog server

tato386
Level 6
Level 6

‎08-09-2019 02:28 PM - edited ‎02-21-2020 09:23 AM

I have setup a syslog alert, I enabled syslog at the access control policy and I enabled each rule for syslog but I am not getting any data at the syslog server.  Is there somewhere else I need to go to get this to work?

 

I am using FMC VM 6.3 and ASA FirePowerSensors with latest software.

 

Thanks,

Diego

Labels:
0 Helpful
4 Replies 4

Francesco Molino
VIP Alumni
VIP Alumni

‎08-09-2019 07:51 PM

Hi

Have you configured the syslog in your platform settings menu?
Here is a doc that can help you:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

tato386
Level 6
Level 6

‎08-10-2019 06:20 AM

I don't have syslog option in platform settings.  That might apply to FTD and I am using legacy FirePower services on ASA.

 

FirePower_Platform.JPG

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to tato386

‎08-10-2019 09:02 PM - edited ‎08-10-2019 09:03 PM

Syslog direct from the sensor is an FTD feature introduced in 6.3:

Previously, you configured event logging via syslog in multiple places, depending on the event type. In Version 6.3.0, you now configure syslog messaging in the access control policy. These configurations affect connection and intrusion event logging for the access control, SSL, prefilter, and intrusion policies, as well as for Security Intelligence.

For FTD devices, some syslog platform settings now apply to connection and intrusion event messages. For a list, see the "Platform Settings for Firepower Threat Defense" chapter in the Firepower Management Center Configuration Guide.

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/relnotes/firepower-release-notes-630/new_features.html

Otherwise the FMC will be the source of the syslog events. Can you share your FMC syslog settings?

tato386
Level 6
Level 6
In response to Marvin Rhoads

‎08-11-2019 08:37 AM

After checking my syslog server again I am now seeing messages from both of my sensors and also the FMC.  The messages are coming from the individual IPs of each device.   I thought they would start immediately after the policy was pushed down but I guess maybe the takes some time before the devices start sending out data?  Or maybe my syslog server (ManageEngine ELA) takes a while to show the data?  Anyhow, looks good now.

 

Thanks all,

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card