Solved: NGFW Local /var/log/message forwarding to remote syslog

RakeshLuhar56498 · ‎08-05-2020

I have Cisco NGFW deployed in Azure. Azure doesn't have FMC so we are managing in FTD mode. I am looking to see if there is way to forward local logs from /var/log folder to remote syslog server?

RakeshLuhar56498 · ‎10-14-2020

There was not way found to forward /var/log/messages but it seems NGFW was sending message using different interface.

View solution in original post

Mohammed al Baqari · ‎08-05-2020

Hi,

Azure has FMC VA from marketplace. Also, you can use on-prem FMC (physical
or virtual) as long as connectivity is established.

Configure syslogs from FDM is possible as below.

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-system.html

If you want to forward specific log messages, you can write a python script
to be triggered from FTD expert mode.

***** please remember to rate useful posts

RakeshLuhar56498 · ‎08-06-2020

As per documentation, I need to use debug level to get command executed by Admin or any config changes. Cisco doesn't recommend continuous debug level.
I see this is Linux OS. Is there a easy way to do syslog forwarding of /var/log files?

RakeshLuhar56498 · ‎10-14-2020

There was not way found to forward /var/log/messages but it seems NGFW was sending message using different interface.