FirePower Threat Defense Real time log viewer

jackk.rayen
Level 1

Hi,

In the Cisco ASDM tool we have a section for real-time monitoring of the traffic that flows through our device (Monitoring > Logging > Real-Time Log Viewer). In this tab we can monitor all network activity and flow creation and teardown, but when we installed the FirePower Threat Defense software and added it to Cisco FMC, we actually lost this real-time monitoring. How can we monitor real-time logs in FMC? Is there any option on FMC for a real-time log viewer, just like ASA ASDM?

thanks

2 Accepted Solutions

nspasov
Cisco Employee

I have heard that real-time log view/monitor is coming to FireSIGHT but was never given an actual version. As of right now, this feature is not available. 

Sorry to bring the bad news :)

Thank you for rating helpful posts!


Marvin Rhoads
Hall of Fame

Sorry, but there's not currently any such capability in FMC (or on the sensor itself). It's not in any short-term plan either (although customer demand can sometimes result in development resources being allocated sooner).

The closest you can come right now is to create a syslog server and tail the syslog output.

There are also the CLI system support commands you can run that allow you to do packet tracing and capture.

You can also access them via the GUI under System > Health > Monitor > (select device) > Advanced Troubleshooting. FTD devices will have those tools exposed there. (Note you can only do this for FTD devices and only from FMC.)


17 Replies


You can also use the Connection Events tab in FMC. I agree it's not as good as the real-time log, but it can be very helpful.


Thanks for your helpful answer; so we are waiting for the future.

thanks all

Any update on this?  

What about AnyConnect VPN Support coming to FTD?

Nothing on the log viewer.

Remote access SSL VPN (for AnyConnect clients) will be introduced in FirePOWER 6.2.1 for FTD on the FirePOWER 2100 at that product's FCS date (First Customer Ship, scheduled for 22 May last I heard). The remaining FTD platforms will get it in a subsequent release shortly thereafter.

Thanks

My understanding is that when you have a syslog (or SNMP trap) action as part of a policy that has been deployed to a sensor (FTD or FirePOWER), the syslog events and SNMP traps originate from the sensor itself.

See Oliver's response here confirming that behavior:

https://supportforums.cisco.com/discussion/13251571/firepower-rule-connection-logging-syslog-question

The FMC will not necessarily show everything that's going on at the sensor - only events that are configured to create event logs will be sent up to FMC.

FX-OS chassis-level logs are certainly useful, but only if you have somebody actually watching them or at least checking them periodically. Few things are less useful than a log entry that nobody sees.

Regarding backups, see the configuration guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/backup_and_restore.html

It notes:

You cannot create or restore backup files for NGIPSv, Firepower Threat Defense physical or virtual managed devices or ASA FirePOWER modules. To back up event data, perform a backup of the managing Firepower Management Center.

...which confirms what you are seeing.

Hello Marvin,

Need your help/input please.

On FTDs, we are logging traffic and sending it to the external syslog server. We want to see some historical data (logs) to troubleshoot any issues.

We noticed FMC is only logging the traffic for the last 24 hours; I have increased the database size and hopefully this will increase the data capacity.

Another issue is with sending traffic to the external syslog server. I want to enable syslog ID 106100 with logging level "informational"; the idea behind this is to get a log whenever there is any denied traffic at the access control policy. However, I am getting an error while pushing the policy once I have 106100 enabled. Please advise how we could do this in FTD? I have tried using FlexConfig, but found the same issue.

In summary: we want to have logs at the syslog server, need to know if traffic is being denied by ACEs, and need to know the rule that is dropping the traffic.

Thanks
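Marvin's suggestion above (point the FTD at a syslog server and tail the output) and the later question about seeing denied traffic and the ACL responsible for it both come down to the same thing: read the ASA/FTD-format syslog stream as it arrives and keep only the deny messages. The script below is an added example, not code from this thread or from Cisco; it parses the TCP/UDP forms of message 106023 (deny by access-group, severity 4) and 106100 (per-ACE log, severity 6, so the syslog level must be at least informational for it to be sent), filters for denies, and can listen on a UDP port. The sample lines are constructed in the documented message format, not captured from a device, and the listener assumes the FTD platform settings send syslog over UDP to the port given.

```python
"""Minimal real-time 'deny viewer' for ASA/FTD syslog (added example, not from the thread)."""
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Header shared by ASA and FTD syslog messages, e.g. "%FTD-4-106023: ...".
# re.search is used so any transport prefix (<PRI>, timestamp, hostname) is ignored.
HEADER_RE = re.compile(r"%(?:ASA|FTD)-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

# 106100: per-ACE logging, severity 6 (informational).
ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<srcif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dstif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# 106023: deny by access-group, severity 4 (warning). Only the TCP/UDP form is handled;
# the ICMP variant uses "(type N, code M)" instead of "/port" and is skipped (assumption).
DENY_RE = re.compile(
    r"Deny (?P<proto>\S+) src (?P<srcif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dstif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)


@dataclass
class AclEvent:
    msgid: str
    severity: int
    action: str      # "permitted" or "denied"
    acl: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    hits: int = 1


def parse_line(line: str) -> Optional[AclEvent]:
    """Parse one syslog line; return an AclEvent for 106100/106023, else None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    msgid, sev, body = m["msgid"], int(m["sev"]), m["body"]
    if msgid == "106100":
        a = ACE_RE.match(body)
        if not a:
            return None
        action = "denied" if a["action"] == "denied" else "permitted"
        return AclEvent(msgid, sev, action, a["acl"], a["proto"], a["src"], int(a["sport"]),
                        a["dst"], int(a["dport"]), int(a["hits"]))
    if msgid == "106023":
        d = DENY_RE.match(body)
        if not d:
            return None
        return AclEvent(msgid, sev, "denied", d["acl"], d["proto"], d["src"], int(d["sport"]),
                        d["dst"], int(d["dport"]))
    return None


def denied_events(lines: Iterable[str]) -> List[AclEvent]:
    """Keep only the events where the ACL dropped the packet."""
    return [ev for ev in map(parse_line, lines) if ev is not None and ev.action == "denied"]


def format_event(ev: AclEvent) -> str:
    return (f"{ev.msgid} {ev.action.upper():9} {ev.proto} {ev.src}:{ev.sport} -> "
            f"{ev.dst}:{ev.dport} acl={ev.acl} hits={ev.hits}")


def tail_udp(bind: str = "0.0.0.0", port: int = 514, only_denied: bool = True) -> None:
    """Receive syslog over UDP and print ACL events as they arrive (Ctrl-C to stop).
    Assumes the FTD platform settings have a UDP syslog destination pointing at this host/port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(65535)
        ev = parse_line(data.decode("utf-8", "replace"))
        if ev is not None and (ev.action == "denied" or not only_denied):
            print(f"{peer[0]} {format_event(ev)}")


# Constructed sample messages in the ASA/FTD syslog format (not captured from a real device).
SAMPLE_LINES = [
    '<166>Mar 10 12:00:01 ftd-01 : %FTD-6-106100: access-list CSM_FW_ACL_ permitted tcp '
    'inside/10.1.1.5(49152) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x0, 0x0]',
    '<164>Mar 10 12:00:02 ftd-01 : %FTD-4-106023: Deny tcp src inside:10.1.1.7/49200 '
    'dst outside:203.0.113.20/445 by access-group "CSM_FW_ACL_" [0x0, 0x0]',
    '<166>Mar 10 12:00:03 ftd-01 : %FTD-6-106100: access-list CSM_FW_ACL_ denied udp '
    'inside/10.1.1.9(5353) -> outside/224.0.0.251(5353) hit-cnt 3 300-second interval [0x0, 0x0]',
    '<166>Mar 10 12:00:04 ftd-01 : %FTD-6-302013: Built outbound TCP connection 1234 for '
    'outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/49152 (10.1.1.5/49152)',
]

if __name__ == "__main__":
    for event in denied_events(SAMPLE_LINES):
        print(format_event(event))
```

Run it as-is to see the two denies from the sample, or call tail_udp() on a host the FTD sends syslog to for a rough stand-in for the ASDM real-time viewer. Note that both messages carry only the access-list name (on FTD the whole access control policy is one ACL), not the name of the individual access control rule; the per-rule attribution that FMC displays comes from connection events, so rule logging has to be enabled on the rules themselves for that level of detail.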

I find it strange that Cisco is not working on some sort of viewer like we had on the ASA, for the FTD and for the FMC.

Someone from Cisco needs to respond to this thread.

I'm with you. This is unacceptable.

I'll bring this up to my local reps and see what the response is.

Any updates on this?

You can use the capture command on the CLI of the device, same as on the ASA.

Example:

    capture in interface inside match ip 192.168.1.0 255.255.255.0 any

Then use the show capture command to see the result.

Hi Marvin, what is the best way to view just blocked events or logs? I don't see a parameter under the Analysis > Events tab or a way under Syslog when viewing on FMC.
