02-22-2024 01:57 PM
I have some external systems which are sending data to a syslog server on UDP port 514 which is behind an FTDv (v6.6.7.1) managed by a Cisco FMC (v6.6.7.1). I have a rule in the ACP on the FTD to allow traffic from these external systems on UDP port 514 to the syslog server.
Of these external systems, some are working and the data is on the syslog server, but one group isn't, so I want to see the syslog data traversing the firewall or being blocked. However, my problem is I can't see any of this data. On the FMC, I go into Analysis > Events and enter the search parameters there, but whether I choose just UDP 514 as the destination port, one of the external systems seeing syslog data as the initiator, or the syslog server as the destination, I don't see the working syslog data. There's logging enabled on the rules, and I've not had issues finding data on the FMC before, as it's proved useful for troubleshooting.
I have a security monitoring appliance which can see all the data going to the syslog server, and it's of course seeing all the working syslog data. However, I noticed that if I check the network record data rather than show the traffic as UDP port 514, it's showing the syslog data as flow records.
When I've been searching here I can find many results for issues getting FTDs to send syslog data, but not this issue. I'm not sure if I'm missing something obvious or misunderstanding how this should be working, and would appreciate any pointers.
02-22-2024 02:21 PM - edited 02-22-2024 02:21 PM
What kind of data logs are missing?
Have you configured the platform settings on FMC with the syslog server?
Also, on each ACP rule there is a logging config; you need to configure that to send logs too.
Version 6.x is quite old; try to upgrade to 7.x for the enhanced features.
02-22-2024 03:25 PM
It's not syslog data from the FTDs (that is already working fine); it's syslog data coming from sites external to the firewall and traversing it to reach the syslog server. Some of this data is definitely making it through the firewall, but I can't find these successful connections, so in turn I don't know if the missing syslog data is because it's being blocked on this firewall or it's going wrong somewhere else.
I'm aware of 6.x being old and I've been working on upgrading progressively, but it takes time in a production environment dealing with deprecated features.
02-23-2024 12:30 AM
Just to clarify the issue here:
Site sends syslog and it passes through the FTD
Packet 1 passes
Packet 2 is missing
If that is the case, check whether you use any QoS in the FTD; QoS can silently drop the packet (if you have not configured logging).
MHM
02-23-2024 01:27 AM
The working syslog data is passing fine through the firewall, but I can't see it in the connection logs. I *think* the missing data isn't being dropped, it's just not hitting the firewall at all, but I can't be sure when I can't see the working data.
02-23-2024 04:58 AM
This link describes how to capture traffic in FTD via FMC.
Check it.
MHM
02-24-2024 08:04 AM
Sorry, I'm not really following - why would the system be showing syslog traffic (and other data) without needing to do a packet capture?
02-24-2024 04:43 PM
Do a packet capture on the ingress interface.
Check whether traffic comes into the FTD or not.
MHM
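As an added example (not from any poster in this thread), these are the FTD Lina CLI commands that do what the previous reply suggests: capture UDP/514 on the ingress interface, capture with trace to see which rule the flow hits, and run packet-tracer to simulate one packet through the policy. The interface names `outside` and `inside`, the sender 203.0.113.10 and the syslog server 192.0.2.20 are placeholders; the capture names are arbitrary.

```text
! Added example, not from the thread. Interface names and addresses are placeholders.
! Enter from the FTD CLI prompt (>) or from "system support diagnostic-cli".

! 1. Capture syslog (UDP/514) from one sender on the ingress interface.
capture syslog_in interface outside match udp host 203.0.113.10 host 192.0.2.20 eq 514

! 2. Capture the same flow on the egress interface to confirm it is forwarded.
capture syslog_out interface inside match udp host 203.0.113.10 host 192.0.2.20 eq 514

! 3. Have the sender emit a few messages, then inspect what arrived.
show capture syslog_in
show capture syslog_in detail
show capture syslog_out

! 4. Capture with trace to see which ACP rule the flow matches and whether it is dropped.
capture syslog_trace interface outside trace match udp host 203.0.113.10 host 192.0.2.20 eq 514
show capture syslog_trace trace

! 5. Simulate one packet through the policy without waiting for real traffic.
packet-tracer input outside udp 203.0.113.10 40000 192.0.2.20 514

! 6. Remove the captures when finished.
no capture syslog_in
no capture syslog_out
no capture syslog_trace
```

The useful distinction the captures give, which the connection event search in FMC does not, is between packets never reaching the ingress interface (a sender-side or path problem) and packets arriving and then being dropped (a policy, NAT or QoS problem on the FTD). If a group of senders appears in `syslog_in` but not in `syslog_out`, the trace output or packet-tracer shows which phase dropped it; if it never appears in `syslog_in`, the FTD is not the place to look.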