12-15-2017 02:24 AM - edited 02-21-2020 06:57 AM
Hello All,
Currently we have a customer who has SourceFire v4.10 and would like to configure the SourceFire devices to send syslog alerts to a syslog server. I have checked the Advanced Settings of the IPS Policy, and there is no option to define whether the syslog alerting should be done via TCP or UDP. Do you know if TCP syslog logging is supported by SourceFire devices?
12-28-2017 12:24 PM
SourceFire is able to log using TCP. You are, however, using a very old version of Firepower, so I am not certain what is supported on that version.
However, in FMC you need to go to Devices > Platform Settings and create a platform settings policy. In the platform settings policy, go to Syslog, and there under the Syslog Servers tab you can add an external syslog server and choose to use either TCP or UDP.
FYI: For us the FTD sends quite a few extra logs, so we had to rate-limit the logs for the syslog server to start receiving them.
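Whichever transport the policy ends up using, the quickest way to confirm what a sensor actually sends is to stand up a receiver that listens on both UDP and TCP on the same port and reports the transport per message. The script below is an added example written for this thread; it is not part of any Cisco product or of the posts above. It assumes an unprivileged test port (5514) so it runs without root, and it assumes the classic Snort-style alert fields ("[gid:sid:rev]" and "{PROTO} src:port -> dst:port") when parsing, which is an assumption about the sensor's message format rather than something the thread states. It also handles the TCP framing question the UDP path never raises: a TCP stream can carry octet-counted or newline-terminated messages, and several messages or a partial one per read.

```python
"""Dual-transport (UDP + TCP) syslog receiver for checking what a sensor really sends.

Added example, not from the thread or from any vendor. Run it, point the sensor's
syslog alert at this host/port, and watch which transport the messages arrive on.
"""
import re
import socketserver
import sys
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple

LISTEN_PORT = 5514  # assumption: unprivileged test port; the device default is UDP/514

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)          # RFC 3164 "<PRI>" header
# Assumed classic Snort/Sourcefire alert fields (IPv4 only; IPv6 flows carry extra ':').
_SID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
_FLOW_RE = re.compile(r"\{(\w+)\} (\S+?):(\d+) -> (\S+?):(\d+)")

# Constructed sample line in the assumed format; not captured from a real sensor.
SAMPLE_ALERT = ('<34>Jan  1 00:00:01 sensor1 SFIMS: [1:2000:3] "TEST rule" '
                '[Classification: Attempted Information Leak] [Priority: 2] '
                '{TCP} 10.0.0.5:44321 -> 192.0.2.10:80')


@dataclass
class SyslogEvent:
    transport: str                      # "udp" or "tcp": what the thread wants to know
    facility: Optional[int]
    severity: Optional[int]
    rule: Optional[Tuple[int, ...]]     # (gid, sid, rev) if present
    flow: Optional[Tuple[str, str, int, str, int]]
    body: str


def parse_syslog(transport: str, raw: str) -> SyslogEvent:
    """Strip the <PRI> header and pull out rule/flow fields when the body has them."""
    facility = severity = None
    body = raw
    m = _PRI_RE.match(raw)
    if m and int(m.group(1)) <= 191:    # 191 is the largest valid PRI (facility 23, sev 7)
        pri = int(m.group(1))
        facility, severity, body = pri >> 3, pri & 7, m.group(2)
    rule = flow = None
    if (s := _SID_RE.search(body)):
        rule = tuple(int(x) for x in s.groups())
    if (f := _FLOW_RE.search(body)):
        proto, src, sport, dst, dport = f.groups()
        flow = (proto, src, int(sport), dst, int(dport))
    return SyslogEvent(transport, facility, severity, rule, flow, body)


def split_tcp_frames(buf: bytes) -> Tuple[List[str], bytes]:
    """Split a TCP byte stream into messages; returns (complete messages, leftover bytes).

    RFC 6587 allows octet counting ("123 <PRI>...") or LF-terminated messages.
    A partial frame at the end is left in the buffer for the next recv().
    """
    msgs: List[str] = []
    while buf:
        m = re.match(rb"(\d{1,6}) ", buf)
        if m:                                     # octet-counted frame
            n, start = int(m.group(1)), m.end()
            if len(buf) < start + n:
                break                             # frame incomplete, keep buffering
            msgs.append(buf[start:start + n].decode("utf-8", "replace"))
            buf = buf[start + n:]
            continue
        nl = buf.find(b"\n")                      # non-transparent (LF) framing
        if nl < 0:
            break                                 # partial line, keep buffering
        msgs.append(buf[:nl].rstrip(b"\r").decode("utf-8", "replace"))
        buf = buf[nl + 1:]
    return msgs, buf


RECEIVED: List[SyslogEvent] = []


def record(transport: str, peer: str, raw: str) -> SyslogEvent:
    ev = parse_syslog(transport, raw)
    RECEIVED.append(ev)
    print(f"{transport.upper()} from {peer}: sev={ev.severity} rule={ev.rule} flow={ev.flow}")
    return ev


class UDPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request                # one datagram is exactly one message
        record("udp", self.client_address[0], data.decode("utf-8", "replace").rstrip("\r\n"))


class TCPHandler(socketserver.StreamRequestHandler):
    def handle(self):
        buf = b""
        while chunk := self.request.recv(4096):   # stream: reassemble frames ourselves
            buf += chunk
            msgs, buf = split_tcp_frames(buf)
            for msg in msgs:
                record("tcp", self.client_address[0], msg)


def serve(port: int = LISTEN_PORT) -> None:
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    udp = socketserver.UDPServer(("0.0.0.0", port), UDPHandler)
    tcp = socketserver.ThreadingTCPServer(("0.0.0.0", port), TCPHandler)
    threading.Thread(target=udp.serve_forever, daemon=True).start()
    tcp.serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else LISTEN_PORT)
```

Run it on the syslog host, then trigger a test intrusion event on the sensor: if every line prints as UDP while the policy claims TCP, the transport setting is not taking effect. If TCP messages arrive but look truncated or glued together, the sender is using the other RFC 6587 framing than your collector expects, which is the usual reason a "working" TCP feed yields garbage in a SIEM.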
01-01-2018 03:14 AM
Hi,
I already have a System Policy under Platform Settings, and under Audit Log there isn't an option to select UDP or TCP either; the system by default uses UDP/514.
Also, I was looking for syslog logging via TCP for the intrusion policy, but the Audit Log under Platform Settings is going to send the audit logs of the operating system.
I have created a syslog alert in the intrusion policy, but there is nowhere in the system (FMC or managed device) to pick TCP or UDP logging, as the default syslog logging of UDP/514 is used.
01-01-2018 04:02 AM
01-01-2018 04:35 AM
01-01-2018 04:53 AM
Yes, this will also work for FirePower. When creating the policy, click New Policy and then select Firepower Settings for FirePower; for FTD you would select Threat Defense Settings.
01-01-2018 04:59 AM
Hi,
I guess this is what my issue is: creating a FirePower Settings policy doesn't provide syslog logging over TCP. Please check the attached screenshot that I created for one of the FirePower Settings policies. Under the audit log settings, I don't have the option to select TCP or UDP, so I would assume that it's available only for the FTD image and not for the FirePower-only image.
01-01-2018 05:15 AM
Have you considered upgrading your FirePower software? You are running a very old version, and that might be the reason you are not seeing the syslog option in the platform settings policy.
01-01-2018 05:59 AM