Updates to logging....
Finally am seeing 414003 messages when I kill the path to one of my syslog servers...needed to upgrade to 7.4.
Still fighting with email notifications but have started logging at snmp-traps as a logging destination. Have found the following:
snmp-trap destination using Event Class and Specific Event class works just fine, not as granular as I would like, however whenever I try and attach a specific event-list to the snmp-trap destination the FTD fails to deploy every time. Error message shows it fails on the following command: logging history <event list name>. Doesn't seem to matter if the event list filters on either message ID's to event classes, fails every time.
Based on the above I removed the event class from my email destination and now I'm "kinda" getting events via email. Its sporadic so I'm trying to zero in on the magical combination that works. The problem is there are so many levels of syslog events/filtering to flag the proper logs
Logging Destination filters on Event classes or Event Lists ( I haven't seen any issues using event-lists when sending to an external syslog server)
Email Setup adds another Syslog Severity filter to any email addresses entered
and finally Syslog Setup adds the two options Enable All Syslog Messages (with a logging level) or Enable Individual Syslog Messages.
Still trying to fight my way through.
Right now my setup is as follows:
Logging Destinations:
Syslog Servers --> Use Event List (Works just fine)
SNMP Trap --> Filter on Severity: 2 - critical and Specific Event Class: sys:5 - notifications (Works)
E-Mail -->Filter on Severity: 2 - critical and Specific Event Class: sys:5 - notifications (trying to get this working reliably)
If the email wont work reliably I'll probably just build a Solarwinds alert off the received trap and generate an email that way
