IPS Create Syslog Alert but it appears Not Used

Tang-Suan Tan
Level 1
Hi all,

Today I created a Syslog alert in IPS Firepower Management Center and saved it. After saving, it appears as Not Used. May I know how to make it In Use? The IP address of the Syslog server is a valid server. May I have your answer as soon as possible?

Thanks!

Best regards,
tangsuan

Accepted Solutions

Can you show us your access control policy where you have specified the new syslog setting to be used? Unless you have such a policy setting, the setting will continue to show as "not used".


balaji.bandi
Hall of Fame

Hi Balaji,

I followed the steps in the Cisco document: https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/external_alerting_with_alert_responses.html#ID-2197-00000005 in the section Creating a Syslog Alert Response. Referring to your link URL, I cannot find the step below:

Step 1: In the intrusion policy editor's navigation pane, click Advanced Settings.

The problem is, where is the "intrusion policy editor's navigation pane"? I can't even start. Please advise.

Thanks and regards,
tangsuan

Hi Balaji and all,

I created the Syslog setting and it was saved successfully. Attached is a picture of the two Syslog settings. One of them is "In Use" and the other, newly created one is "Not Used".

May I know how to change the Not Used one to In Use?

Thanks, and I hope to hear from you soon.

Regards,
tangsuan

Can you show us your access control policy where you have specified the new syslog setting to be used? Unless you have such a policy setting, the setting will continue to show as "not used".

Hi Mervin,

Thanks for your suggestion. I found the access control policy and, in the logging tab, I added the new Syslog setting, and now it shows as In Use.

Thanks for your solution, which resolved my problem.

One more question, now that it is In Use: what is an effective way to show that the Syslog server actually got the logs from this IPS or FMC? Can the Tag in the Syslog setting give some clue about the result?

Thanks!

Regards,
tangsuan

Syslog messages are normally sent via UDP, so there's no guaranteed delivery. But if you see them coming into your syslog server at a regular rate, then you can infer that you are getting them as they are sent.
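An added example, not part of the original thread: one way to check on the syslog server that messages from the FMC arrive at a regular rate, by filtering received lines on sender and tag and measuring the longest silence. The host name `fmc01`, the tag `FMC-IPS`, the RFC 3164 line layout (with the configured Tag in the header's TAG field) and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed RFC 3164 layout: "<PRI>Mmm dd hh:mm:ss HOST TAG[pid]: message"
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)

# Constructed sample lines (hypothetical host names, tag and message text).
SAMPLE = [
    "<113>Mar 12 10:00:01 fmc01 FMC-IPS: constructed intrusion event 1",
    "<113>Mar 12 10:00:31 fmc01 FMC-IPS: constructed intrusion event 2",
    "<113>Mar 12 10:01:05 fmc01 FMC-IPS: constructed intrusion event 3",
    "<38>Mar 12 10:01:10 web01 sshd[811]: constructed unrelated line",
    "<113>Mar 12 10:04:05 fmc01 FMC-IPS: constructed intrusion event 4",
]

def delivery_summary(lines, host, tag, year=2024):
    """Count messages from one sender/tag per minute and find the longest gap."""
    stamps = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["host"] != host or m["tag"] != tag:
            continue  # other senders, other tags, or lines that do not parse
        # RFC 3164 timestamps carry no year, so one is assumed here.
        stamps.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    stamps.sort()
    per_minute = {}
    for ts in stamps:
        key = ts.strftime("%b %d %H:%M")
        per_minute[key] = per_minute.get(key, 0) + 1
    # Because UDP delivery is not acknowledged, a long silence is the only
    # receiver-side hint that messages stopped or were lost.
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return {
        "total": len(stamps),
        "per_minute": per_minute,
        "max_gap_s": max(gaps) if gaps else None,
    }

if __name__ == "__main__":
    print(delivery_summary(SAMPLE, host="fmc01", tag="FMC-IPS"))
```

A total of zero for the expected host and tag means nothing matching has reached the server, which points back at the policy's logging setting or the network path.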

You have to use the syslog you have created in the policy; in the ACP you have the Logging option tab to look at.

BB