Beginner

Firepower URL Logging to Syslog

Would appreciate if someone could give me a pointer.

I have a 5525X running Firepower (Protection, URL, Malware and Control licence). I have a basic Access Control policy with a few URL Categories defined and a separate URL I defined for testing. I have a default policy underneath that calls a base Intrusion policy. The URL policy and Base Intrusion policy are set to log to a syslog server.

I don't see URLs logged on the syslog although they do appear in the Management Centre. The IPS policies log to the syslog.

The Access Control policy does have the syslog defined and the box for 'log at the beginning of the connection' is checked. I went through the config guide (v6.X) and picked out those items that referred to syslog. I'm not sure why the URL logging isn't working.

All I want to see is the URL information (IP and URL info) on the syslog. Currently syslog is set to facility: Local 1 and severity: info, as requested by my Linux admin.

Note the device is in monitor mode only at present.

Regards

Darren

2 REPLIES
Contributor

Try making a rule at the very top of your access control policy with the action of "Monitor". 

Under the URL tab you add a single URL like "dummy.url". 

Remember to log to both event viewer and syslog. :) 

Beginner

Was there ever a solution found for this?

We are experiencing the same problem... basically only blocked traffic is being sent to our Syslog server, and our Defense Center logs roll fairly quickly so troubleshooting is nearly impossible.
