FTD ACL Syslog messages

iwearing · ‎01-18-2018

Hi,

Versions FMC V6.2.2, FTD 2120 V8.2.2

I have configured Logging to a syslog server on my ACP Default action. The aim is to Log acl deny messages.

From the cli on the FTD 2120 device I can see hits on the acl.

However my Syslog Server does not receive them. They are visible via FMC event Logs.

Syslog has been defined in Policies - Actions - Alerts with Facility = Local4 and Severity = Warning.

My Syslog Server has also been configured in my Device Platform settings Policy.

I also enabled Syslog logging on another acl rule which has valid permit hit count. These do not appear in my Syslog server.

The syslog server is reachable via pings form my FTD device.

Any suggestions to resolve this issue would be appreciated.

thanks

Ian

mikael.lahtela · ‎01-19-2018

Hi,

Just to verify, you have configured "Alert" syslog server and activated it under the ACP rule?

Br, Micke

iwearing · ‎01-19-2018

Hi Micke,

Thanks for the response.

I have configured "alert" Syslog server and activated it in the ACP rule.

Regards

Ian

mikael.lahtela · ‎01-19-2018

Is the syslog port open from the FTD ip address to syslog server?
I checked in my home device that is a Firepower Services module and the syslog is sent from the device and not the FMC.

br, Micke

iwearing · ‎01-23-2018

Hi Micke,

I agree that syslog messages are sourced from the FTD Interface connected to the syslog server.

The syslog server is reachable from the inside interface and there are no other devices in the path that could block syslog on UDP Port 514.

regards

Ian

mikael.lahtela · ‎01-23-2018

You could try and take packet capture on the traffic to see that you send and recieve packets between FTD and syslog.
Is the syslog server getting messages from other systems?

br, Micke

iwearing · ‎01-23-2018

Hi Micke,

Syslog is receiving messages from other systems including 5585X ASA's with Firepower modules. They are managed by the same FMC at the FTD 2120 deices.

regards

Ian

mikael.lahtela · ‎01-23-2018

Must admit, this wasnt as clear as I thought.
I need to dig into some more documentation if nobody else know exact steps to configure this? :)

br, Micke

prashant dwivedi · ‎01-28-2018

Hey Mate,

Did you get solution for this ?

I have the same issue , I have enabled syslog logging on one of the ACPs ( action as block) as a part of prefilter policy. however cound't see logs coming to syslog server.

Thanks

mikael.lahtela · ‎01-29-2018

Hi,

Looks like I managed to activate the logging following this guide:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

But I need to do some more testing to see exactly what needs to be configured.

Looks like the FTD is configured with regular "ASA" logging commands, you can see them with the troubleshooting commands in the end of the document.

> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

><Press Enter>
firepower# sh run logging
logging enable
logging console emergencies
logging buffered debugging
logging host inside 192.0.0.192
logging flash-minimum-free 1024
logging flash-maximum-allocation 3076
logging permit-hostdown

br, Micke

iwearing · ‎01-29-2018

Hi,

Unfortunately not resolved so far.

br

Ian

mikael.lahtela · ‎01-29-2018

Now when I try to remove the configuration it's still logging.
At the moment I have disabled the logging from device profile and still getting logs to the syslog server.
Guess they are sent now by the configuration settings under alert.

Edit: Ok, so it looks like I get things working by configuring the syslog server under actions/alerts and then adding the server in the rule.

The syslog message is sent from the FTD mgmt IP address.

You can check the IP with following commands:
>expert

~$ ip address

9: management0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
link/ether 38:90:a5:3a:c2:80 brd ff:ff:ff:ff:ff:ff
inet 10.215.240.219/24 brd 10.215.240.255 scope global management0

br, Micke

prashant dwivedi · ‎01-29-2018

Thanks, did you configure SYSLOG Facility and Severity as "alert" and have applied this in a prefilter rule or at ACP ?

I need to apply this to the rule which is the part of pre-filter policy.

Can you please share the syslog output ( if this possible) i want to know if log messages contain rule name as well .

Thanks

mikael.lahtela · ‎01-30-2018

The configuration on Alert is LOCAL4 and Severity INFO.
Not seeing anything from the prefilter logging just ACP.

The ACP rule log includes this:
Jan 30 08:52:27 FPR2110-LAB-P SFIMS: Protocol: TCP
SrcIP: 172.16.0.101
OriginalClientIP: ::
DstIP: 136.243.5.166
SrcPort: 59143
DstPort: 443
TCPFlags: 0x0
IngressZone: LAN
EgressZone: INTERNET
DE: Primary Detection Engine (61cf9bfe-6c84-11e7-9bbc-b2da5b7afba6)
Policy: FPR2110-DEF-ACP
ConnectType: Start
AccessControlRuleName: internet-access
AccessControlRuleAction: Allow
Prefilter Policy: prefilter-test
UserName: No Authentication Required
Client: SSL client
ApplicationProtocol: HTTPS
InitiatorPackets: 3
ResponderPackets: 1
InitiatorBytes: 691
ResponderBytes: 66
NAPPolicy: Balanced Security and Connectivity
DNSResponseType: No Error
Sinkhole: Unknown
URLCategory: Web Advertisements
URLReputation: Well known
URL: https://dc546.s372.meetrics.net

br, Micke

prashant dwivedi · ‎01-31-2018

Thanks mate!