01-18-2018 06:39 AM - edited 02-21-2020 07:09 AM
Hi,
Versions FMC V6.2.2, FTD 2120 V8.2.2
I have configured Logging to a syslog server on my ACP Default action. The aim is to Log acl deny messages.
From the cli on the FTD 2120 device I can see hits on the acl.
However my Syslog Server does not receive them. They are visible via FMC event Logs.
Syslog has been defined in Policies - Actions - Alerts with Facility = Local4 and Severity = Warning.
My Syslog Server has also been configured in my Device Platform settings Policy.
I also enabled Syslog logging on another acl rule which has valid permit hit count. These do not appear in my Syslog server.
The syslog server is reachable via pings form my FTD device.
Any suggestions to resolve this issue would be appreciated.
thanks
Ian
01-19-2018 09:28 AM
Hi,
Just to verify, you have configured "Alert" syslog server and activated it under the ACP rule?
Br, Micke
01-19-2018 11:02 AM
01-19-2018 11:20 AM
01-23-2018 01:22 AM
Hi Micke,
I agree that syslog messages are sourced from the FTD Interface connected to the syslog server.
The syslog server is reachable from the inside interface and there are no other devices in the path that could block syslog on UDP Port 514.
regards
Ian
01-23-2018 01:29 AM
01-23-2018 01:35 AM
Hi Micke,
Syslog is receiving messages from other systems including 5585X ASA's with Firepower modules. They are managed by the same FMC at the FTD 2120 deices.
regards
Ian
01-23-2018 04:16 AM
01-28-2018 11:15 PM
Hey Mate,
Did you get solution for this ?
I have the same issue , I have enabled syslog logging on one of the ACPs ( action as block) as a part of prefilter policy. however cound't see logs coming to syslog server.
Thanks
01-29-2018 07:48 AM
01-29-2018 08:41 AM
Hi,
Unfortunately not resolved so far.
br
Ian
01-29-2018 09:13 AM - edited 01-29-2018 09:59 AM
Now when I try to remove the configuration it's still logging.
At the moment I have disabled the logging from device profile and still getting logs to the syslog server.
Guess they are sent now by the configuration settings under alert.
Edit: Ok, so it looks like I get things working by configuring the syslog server under actions/alerts and then adding the server in the rule.
The syslog message is sent from the FTD mgmt IP address.
You can check the IP with following commands:
>expert
~$ ip address
9: management0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 38:90:a5:3a:c2:80 brd ff:ff:ff:ff:ff:ff
inet 10.215.240.219/24 brd 10.215.240.255 scope global management0
br, Micke
01-29-2018 05:46 PM
Thanks, did you configure SYSLOG Facility and Severity as "alert" and have applied this in a prefilter rule or at ACP ?
I need to apply this to the rule which is the part of pre-filter policy.
Can you please share the syslog output ( if this possible) i want to know if log messages contain rule name as well .
Thanks
01-30-2018 12:58 AM
01-31-2018 12:30 AM
Thanks mate!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide