Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6383
Views
1
Helpful
3
Replies

Forward FTD Connection Events to external syslog server

tiwang
Level 3
Level 3

‎06-16-2020 01:30 AM

hi out there

I have run into a problem which I expected was pretty simpel - and it is probably also - but I cannot figure out what I am doing wrong. We are running FMC/FTD ver. 6.6.0

I need to forward all connection events from the local FTD to a local - external - syslog server. 

In a specific platform settings policy for that device I have defined the syslog server 

In that section I have defined Logging destinations - defined the filter as "sessions" and forward them as "syslog:notifications"

Under the syslog tab facility is set to Local4 and there is a range of syslog-id's which are disabled by default - anyone know which is relevant to enable - and why there are some there disabled?

Well - under the Syslog servers tab I have defined my syslog server - reachable trough the management interface - using std UDP on port 514

Deployed this and was waiting for events to show up on my syslog server - grabbing the traffic with tcpdump - but noting is send to it? (but connection occur - this can I track on the FMC)

0 Helpful
3 Replies 3

harmesh88
Level 1
Level 1

‎06-16-2020 02:31 AM

Check all steps mentioned in this document https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html i hope it will help you
0 Helpful

tiwang
Level 3
Level 3
In response to harmesh88

‎06-16-2020 04:16 AM

well - I think I have been using that as starting point - I could have missed something but not that I know of. Besides of this I think they are missing a detail like that they need to define in the Access policy that defines to use the Machine Platform Settings policy for the syslog servers

br ti
0 Helpful

JohnLong3
Level 1
Level 1
In response to tiwang

‎06-17-2020 11:14 AM

Hello,

 

If you are wanting to send the Connection Events to an external syslog server, here are the steps to follow:

 

1) Create an alert under Policies > Actions > Alerts with the type of 'syslog'. Facility and Severity can be left at default.

2) Within the Access Control Policy, go to the Logging tab and select the syslog alert created in step 1 as the default alert. You can also choose to select the syslog server defined in the Platform Settings you referred to.

3) For each Access Control rule whose events you would like to send to syslog:

- edit the rule

- go to the Logging tab and select "Syslog Server" under the section that mentions where to send the Connection Events

 

After you deploy, the events should start being sent. Note that the events get sent from the management interface of the sensor itself (in this case the FTD), not from the FMC. Hope that helps.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card