
Syslogs for Allow and Denies on FMC and FTD

jmeetze
Level 1

We have set up Syslog to remote Syslog servers under our Device Platform Settings. For some reason, we are not able to see logs on our syslog server that show information like "TCP connection Allowed from Src_IP to Dest_IP on Access-Control Policy "Sample Policy" Rule: "Test Rule".

I can see logs for all of our pre-filter rules, but it seems like I do not see any logs for our rules in our Access-Control Policy. I have verified that the checkbox is checked under each rule to "Send to Syslog". Does anyone know what Syslog IDs to enable to get these logs? I've gone through the list of Syslog IDs on Cisco's site, but it's quite the effort to go through that list. On ASA it seemed we got these logs by simply turning on Syslog.

Here's a screenshot of my configuration:

jmeetze_0-1675798649107.png

jmeetze_1-1675798696323.png

jmeetze_2-1675798724544.png

Should I not be able to see Allow/Deny logs with source/destination IP, and Access-Control Rule Name?

 

Thanks in advance.

 

 



balaji.bandi
Hall of Fame

Have you enabled logging in the ACP rule:

balajibandi_0-1675801934632.png

 

BB


jmeetze
Level 1

Yes, I have enabled logging on all rules with the option checked to Send to Syslog Server.  

Prefilter: what action did you choose here?

I'm only using prefilter for traffic I do not wish to inspect so the action on those rules is all FastPath.  I do have logging enabled though for each rule and it's configured the same as my ACP rules which is Log to Syslog server.  

I may actually be seeing some logs now, but they just contain way more information than I'm used to. We migrated from ASA to FTD and in ASA it was a pretty simple log showing your source ip, dest ip, src port, dest port, action, and rule name. I guess with FTDs it will now show like the one below:

jmeetze_0-1675804763968.png

If that's the case, then it looks as if I am now seeing logs correctly.  I guess the new format threw me off a bit. 

Thanks!
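
An added example, not part of the original posts: one way to reduce the longer FTD connection-event message to the short ASA-style line described in the thread (action, source/destination IP and port, policy and rule name). It assumes the FTD connection-event syslog layout (message IDs 430002 and 430003, followed by comma-separated `Key: Value` fields such as `SrcIP` and `AccessControlRuleName`); the sample lines are constructed, not taken from the screenshot.

```python
import re

# "%FTD-<severity>-<message id>: " then comma-separated "Key: Value" pairs.
HEADER = re.compile(r"%FTD-(\d)-(\d{6}): (.*)$")
# Split only on ", " that is followed by another "Key: ", so a comma inside
# a value (for example a rule name) does not start a bogus field.
FIELD_SEP = re.compile(r", (?=[A-Za-z][\w ]*: )")
# Assumption: 430002 = connection start, 430003 = connection end.
CONNECTION_IDS = {"430002": "conn-start", "430003": "conn-end"}

def parse_ftd_event(line):
    """Return the fields of an FTD connection event, or None for other lines."""
    m = HEADER.search(line)
    if not m or m.group(2) not in CONNECTION_IDS:
        return None
    fields = {"_severity": int(m.group(1)), "_event": CONNECTION_IDS[m.group(2)]}
    for pair in FIELD_SEP.split(m.group(3).strip()):
        key, sep, value = pair.partition(": ")
        if sep:  # ignore fragments that are not "Key: Value"
            fields[key.strip()] = value.strip()
    return fields

def summarize(fields):
    """Collapse an event to action, 5-tuple, policy and rule name."""
    def g(key):
        return fields.get(key, "-")  # "-" marks a field the device omitted
    return (f'{g("AccessControlRuleAction")} {g("Protocol")} '
            f'{g("SrcIP")}:{g("SrcPort")} -> {g("DstIP")}:{g("DstPort")} '
            f'policy="{g("ACPolicy")}" rule="{g("AccessControlRuleName")}" '
            f'[{fields["_event"]}]')

# Constructed sample lines (documentation IP ranges, made-up IDs and names).
SAMPLE_LINES = [
    "Feb  7 21:19:23 ftd01 %FTD-1-430002: EventPriority: Low, InstanceID: 1, "
    "FirstPacketSecond: 2023-02-07T21:19:23Z, ConnectionID: 4242, "
    "AccessControlRuleAction: Allow, SrcIP: 192.0.2.10, DstIP: 198.51.100.20, "
    "SrcPort: 51514, DstPort: 443, Protocol: tcp, ACPolicy: Sample Policy, "
    "AccessControlRuleName: Test Rule, Prefilter Policy: Default Prefilter Policy",
    "Feb  7 21:20:01 ftd01 %FTD-1-430003: EventPriority: Low, "
    "AccessControlRuleAction: Block, SrcIP: 192.0.2.77, DstIP: 198.51.100.9, "
    "SrcPort: 40000, DstPort: 23, Protocol: tcp, ACPolicy: Sample Policy, "
    "AccessControlRuleName: Block Guests, Lab, InitiatorPackets: 1",
    "Feb  7 21:20:05 ftd01 %FTD-6-302013: constructed non-connection-event line",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        event = parse_ftd_event(raw)
        print(summarize(event) if event else "skipped (not a connection event)")
```

Lines with any other message ID return `None`, so the same function can sit in front of a mixed feed that also carries the pre-filter and platform messages.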
