Forward FTD Connection Events to external syslog server

tiwang
Level 3

hi out there

I have run into a problem which I expected was pretty simple - and it probably is - but I cannot figure out what I am doing wrong. We are running FMC/FTD ver. 6.6.0.

I need to forward all connection events from the local FTD to a local - external - syslog server. 

In a specific platform settings policy for that device I have defined the syslog server.

In that section I have defined Logging destinations - defined the filter as "sessions" and forward them as "syslog:notifications".

Under the syslog tab the facility is set to Local4 and there is a range of syslog IDs which are disabled by default - does anyone know which one is relevant to enable - and why some of them are disabled?

Well - under the Syslog servers tab I have defined my syslog server - reachable through the management interface - using standard UDP on port 514.

Deployed this and was waiting for events to show up on my syslog server - grabbing the traffic with tcpdump - but nothing is sent to it? (But connections do occur - this I can track on the FMC.)

3 Replies

harmesh88
Level 1

well - I think I have been using that as a starting point - I could have missed something, but not that I know of. Besides this, I think they are missing a detail: they need to define in the Access policy that it uses the Machine Platform Settings policy for the syslog servers.

br ti

Hello,


If you want to send the Connection Events to an external syslog server, here are the steps to follow:


1) Create an alert under Policies > Actions > Alerts with the type of 'syslog'. Facility and Severity can be left at default.

2) Within the Access Control Policy, go to the Logging tab and select the syslog alert created in step 1 as the default alert. You can also choose to select the syslog server defined in the Platform Settings you referred to.

3) For each Access Control rule whose events you would like to send to syslog:

- edit the rule

- go to the Logging tab and select "Syslog Server" under the section that mentions where to send the Connection Events


After you deploy, the events should start being sent. Note that the events get sent from the management interface of the sensor itself (in this case the FTD), not from the FMC. Hope that helps.
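As an added check after deploying the steps above (this is example code, not from the thread or from Cisco): a small Python receiver that parses what arrives on UDP/514 and confirms each line carries the facility (Local4) and severity (notifications) configured in the platform settings, so that a capture showing "something" on port 514 can be tied back to the FTD connection events. It assumes the FTD line shape `<PRI>%FTD-<severity>-<message id>: Key: Value, Key: Value, ...`; the sample line, its message id 430003 and its field names are constructed for illustration.

```python
import re
import socket
from typing import Iterator, Optional

# RFC 5424 PRI = facility * 8 + severity. Local4 is facility 20 and
# "notifications" is severity 5, so the settings in the thread give PRI 165.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed line shape (an assumption, not taken from the thread):
#   "<PRI>[optional timestamp/host ]%FTD-<sev>-<msgid>: Key: Value, Key: Value, ..."
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>.*?%FTD-(?P<sev>\d)-(?P<msgid>\d+):\s*(?P<body>.*)$")

# Constructed sample; the message id 430003 and the field names are assumptions.
SAMPLE = ("<165>%FTD-5-430003: DeviceUUID: 11111111-2222-3333-4444-555555555555, "
          "InstanceID: 1, ConnectionID: 42, SrcIP: 10.0.0.5, DstIP: 192.0.2.10, "
          "SrcPort: 51234, DstPort: 443, Protocol: tcp, AccessControlRuleAction: Allow")

def parse_ftd_syslog(line: str) -> Optional[dict]:
    """Split one FTD line into facility, severity, message id and fields; None if not FTD."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {}
    for part in m.group("body").split(", "):
        key, sep, value = part.partition(": ")
        if sep:  # ignore fragments that are not "Key: Value"
            fields[key.strip()] = value.strip()
    return {"facility": FACILITIES.get(pri // 8, f"facility{pri // 8}"),
            "severity": SEVERITIES[pri % 8],
            "msgid": m.group("msgid"), "fields": fields}

def is_expected_event(event: Optional[dict], facility="local4", severity="notice") -> bool:
    """True when the line carries the facility/severity the platform settings were meant to send."""
    return event is not None and event["facility"] == facility and event["severity"] == severity

def receive_events(port: int = 514, count: int = 1) -> Iterator[dict]:
    """Bind UDP port 514 (needs privileges) and yield parsed FTD events as they arrive."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        seen = 0
        while seen < count:
            data, _addr = sock.recvfrom(65535)
            event = parse_ftd_syslog(data.decode("utf-8", errors="replace"))
            if event:
                seen += 1
                yield event
```

Run `parse_ftd_syslog(SAMPLE)` to try the parser offline, or `receive_events()` on the syslog host to watch live events from the FTD management interface.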
