cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
563
Views
2
Helpful
8
Replies

FMC/FTD email alert when loss of TCP syslog connection not working

Chad Westog
Level 1
Level 1

Trying to setup an email alert when a FTD loses connectivity with a TCP based syslog server.  Setup is several FTD2100's managed by a FMC.  

Devices-->Platform Settings:

SMTP Server: mail-server-object

Syslog-->Logging Destinations: Email (Use Event List: syslog-status)

Syslog-->Logging Destinations: Syslog Servers: Filter on Severity: Warnings

Syslog-->Email Setup: Source Email: hub-ftd01.xxx.local; Destination: secmanager@xxx.local

Syslog-->Event Lists: syslog-status (414003,414005,414006)

Syslog-->Syslog Servers: Interface:Management; IP Address: 10.x.x.30 Protocol: TCP Port:20514

Syslog-->Syslog Servers: Interface:Management; IP Address: 10.x.x.31 Protocol: TCP Port:20514

 

Syslog works, I'm getting logs but when I kill/block the log connection I never get an email alert, in fact I never see any indication on the other log server that the primary connection was ever lost

 

Any thoughts

1 Accepted Solution

Accepted Solutions

Chad Westog
Level 1
Level 1

Such odd behavior...I can get a syslog and a snmp trap but I never see an email and all three are filtering on the same event classes and severities. Closing this out as I can get am email notification based on the snmp-trap that is triggered when tcp syslog connection is lost

View solution in original post

8 Replies 8

Maybe the FTD should be configured on your mail server as an allowed email relay?

email server is set to allow smtp from the FTD IP's

action-> alert 
did you add email as alert ?

MHM

 

yes, but that only appears to relate to specific items in the Impact Flag alerts or the Discovery Event Alerts

Eric R. Jones
Level 4
Level 4

We have a requirement that various folks need to be alerted when syslog fails. We recently changed our smtp settings so I had to go back fix and test. The FMC test works but I've not tested it by disabling the syslog functions. How did you do this, from within the FMC Devices > Platform settings > Syslog > "enable logging" check box and "enable logging on he failover standby unit"?

I simply blocked the syslog flow before it could reach the syslog server.  From the FMC/FTD perspective they were still active and sending logs...I can see the log flow fail which should trigger the FTD to alert:

414003

Error Message %FTD-3-414003: TCP Syslog Server intf : IP_Address /port not responding. New connections are [permitted|denied] based on logging permit-hostdown policy.

But  I never see this message

Chad Westog
Level 1
Level 1

Updates to logging....

Finally am seeing 414003 messages when I kill the path to one of my syslog servers...needed to upgrade to 7.4.  

Still fighting with email notifications but have started logging at snmp-traps as a logging destination.  Have found the following:

snmp-trap destination using Event Class and Specific Event class works just fine, not as granular as I would like, however whenever I try and attach a specific event-list to the snmp-trap destination the FTD fails to deploy every time.  Error message shows it fails on the following command: logging history <event list name>.  Doesn't seem to matter if the event list filters on either message ID's to event classes, fails every time.

Based on the above I removed the event class from my email destination and now I'm "kinda" getting events via email.  Its sporadic so I'm trying to zero in on the magical combination that works.  The problem is there are so many levels of syslog events/filtering to flag the proper logs

Logging Destination filters on Event classes or Event Lists ( I haven't seen any issues using event-lists when sending to an external syslog server)

Email Setup adds another Syslog Severity filter to any email addresses entered

and finally Syslog Setup adds the two options Enable All Syslog Messages (with a logging level) or Enable Individual Syslog Messages.

Still trying to fight my way through.

Right now my setup is as follows:

Logging Destinations:

Syslog Servers --> Use Event List (Works just fine)

SNMP Trap --> Filter on Severity: 2 - critical and Specific Event Class: sys:5 - notifications (Works)

E-Mail -->Filter on Severity: 2 - critical and Specific Event Class: sys:5 - notifications (trying to get this working reliably)

If the email wont work reliably I'll probably just build a Solarwinds alert off the received trap and generate an email that way

Chad Westog
Level 1
Level 1

Such odd behavior...I can get a syslog and a snmp trap but I never see an email and all three are filtering on the same event classes and severities. Closing this out as I can get am email notification based on the snmp-trap that is triggered when tcp syslog connection is lost

Review Cisco Networking for a $25 gift card