SourceFire - External Syslog logging

True Warrior
Level 1

Hello All,

 

Currently we have a customer who has SourceFire v4.10 and would like to configure the SourceFire devices to send syslog alerts to a syslog server. I have checked the Advanced Settings of the IPS Policy and there is no option to define whether the syslog alerting should be done via TCP or UDP. Do you know if TCP syslog logging is supported by SourceFire devices?

8 Replies

SourceFire is able to log using TCP.  You are however using a very old version of Firepower so I am not certain what is supported on that version.

However, in FMC you need to go to Devices > Platform Settings and create a platform settings policy.  In platform settings policy go to syslog and there under the Syslog Servers tab you can add an external syslog server and choose to use either TCP or UDP.

 

FYI: For us the FTD sends quite a bit of extra logs, so we had to rate limit the logs for the syslog server to start receiving the logs.

--
Please remember to select a correct answer and rate helpful posts
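The reply above turns on the difference between UDP and TCP syslog delivery and on the collector needing to cope with the volume of messages. The following is an added example, not code from the thread or from Cisco: it builds an RFC 3164 syslog line the way an IPS alert would be formatted, sends it over UDP (one datagram per message) and over TCP with RFC 6587 octet-counting framing, and receives it on a loopback listener so you can see what each transport actually puts on the wire. The hostname `sensor01`, the tag `IPS`, and the loopback ports are constructed for the example; a real collector would sit at the syslog server address configured in the platform settings policy.

```python
"""Added example (not from the thread): format an RFC 3164 syslog message,
deliver it over UDP and over TCP (octet-counted framing), and parse it back.
Hostname, tag and ports are constructed values for a loopback demonstration."""
import socket
import threading
from datetime import datetime

FACILITY_LOCAL4 = 20   # local4, a common facility for appliance alerts
SEVERITY_ALERT = 1     # "alert" severity


def build_message(facility, severity, hostname, tag, msg, ts=None):
    """Return an RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
    PRI = facility * 8 + severity; the day is space-padded per the RFC."""
    pri = facility * 8 + severity
    ts = ts or datetime.now()
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}"


def parse_message(line):
    """Split the PRI off a received line and recover facility and severity."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    end = line.index(">")
    pri = int(line[1:end])
    return {"facility": pri // 8, "severity": pri % 8, "body": line[end + 1:]}


def send_udp(host, port, line):
    """UDP syslog: one unframed datagram per message, no delivery guarantee."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


def send_tcp(host, port, line):
    """TCP syslog with RFC 6587 octet counting: "<length> <payload>"."""
    payload = line.encode()
    frame = f"{len(payload)} ".encode() + payload
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(frame)


def _udp_receiver(sock, out):
    data, _ = sock.recvfrom(65535)
    out.append(data.decode())


def _tcp_receiver(listener, out):
    """Read one octet-counted frame: length prefix, space, then that many bytes."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b" " not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                return
            buf += chunk
        length_str, rest = buf.split(b" ", 1)
        length = int(length_str)
        while len(rest) < length:
            chunk = conn.recv(4096)
            if not chunk:
                break
            rest += chunk
        out.append(rest[:length].decode())


def loopback_roundtrip(transport, line):
    """Start a loopback receiver for the given transport, send the line to it,
    and return exactly what the receiver decoded (None on timeout)."""
    received = []
    if transport == "udp":
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("127.0.0.1", 0))
        sock.settimeout(5)
        worker = threading.Thread(target=_udp_receiver, args=(sock, received))
        worker.start()
        send_udp("127.0.0.1", sock.getsockname()[1], line)
    elif transport == "tcp":
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind(("127.0.0.1", 0))
        sock.listen(1)
        sock.settimeout(5)
        worker = threading.Thread(target=_tcp_receiver, args=(sock, received))
        worker.start()
        send_tcp("127.0.0.1", sock.getsockname()[1], line)
    else:
        raise ValueError(f"unknown transport {transport!r}")
    worker.join(5)
    sock.close()
    return received[0] if received else None


if __name__ == "__main__":
    alert = build_message(FACILITY_LOCAL4, SEVERITY_ALERT, "sensor01", "IPS",
                          "constructed sample intrusion event")
    for transport in ("udp", "tcp"):
        got = loopback_roundtrip(transport, alert)
        print(transport, parse_message(got))
```

The TCP path is the one a collector must be prepared for when you switch the platform settings policy from UDP to TCP: messages arrive as a byte stream, so the receiver has to find frame boundaries itself (octet counting here; some senders use newline termination instead). Because TCP applies backpressure when the collector falls behind, the volume issue mentioned above shows up as a stalled sender rather than silently dropped datagrams, which is why rate limiting on the source is worth configuring either way.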

Hi,

 

I already have a System Policy under Platform Settings and under Audit Log, there isn't an option either to select UDP or TCP, the system by default uses UDP/514.

 

Also I was looking for syslog logging via TCP for the intrusion policy but the Audit Log under Platform Settings is going to send the audit logs of the Operating System.

 

I have created a syslog alert in intrusion policy but there is nowhere in the system (FMC or managed device) to pick TCP or UDP logging, as the default syslog logging of UDP/514 is used.

[Attached screenshots: logging1.png, logging2.png]

--
Please remember to select a correct answer and rate helpful posts

Thanks for this, but these aren't FTD devices, they are just FirePower 7000 and 8000 series devices. Can a FTD System Policy still work for just FirePower devices?

Yes, this will work also for FirePower. When creating the policy you click New Policy and then select Firepower Settings for FirePower. For FTD you would select Threat Defense Settings.

--
Please remember to select a correct answer and rate helpful posts

Hi,

 

I guess this is what my issue is: creating a FirePower Settings policy doesn't provide the syslog logging for TCP. Please check the attached screenshot that I created for one of the FirePower Settings; under audit log settings, I don't have the option to select TCP or UDP, so I would assume that it's available only for the FTD image and not for the FirePower-only image.

Have you considered upgrading your FirePower software? You are running a very old version and that might be the reason you are not seeing the syslog option in the platform settings policy.

--
Please remember to select a correct answer and rate helpful posts

The screenshot that I provided is from v6.2.2 but the question was posted for v4. I don't think this option exists for FirePower, only for FTD.