Unable to see some syslog data traversing FMC managed FTDv firewall

Valkyrie3
Level 1

I have some external systems which are sending data to a syslog server on UDP port 514, which is behind an FTDv (v6.6.7.1) managed by a Cisco FMC (v6.6.7.1). I have a rule in the ACP on the FTD to allow traffic from these external systems on UDP port 514 to the syslog server.

Of these external systems, some are working and the data is on the syslog server, but one group isn't, so I want to see the syslog data traversing the firewall or being blocked. However, my problem is I can't see any of this data. On the FMC, I go into Analysis > Events and then enter the search parameters there, but if I choose just UDP 514 as the destination port, choose one of the external systems sending syslog data as the initiator, or choose the syslog server as the destination, I don't see the working syslog data. There's logging enabled on the rules and I've not had issues finding data on the FMC before, as it's proved useful for troubleshooting.

I have a security monitoring appliance which can see all the data going to the syslog server and it's of course seeing all the working syslog data. However, I noticed that if I check the network record data, rather than showing the traffic as UDP port 514, it's showing the syslog data as flow records.

When I've been searching here I can find many results for issues getting FTDs to send syslog data, but not this issue. I'm not sure if I'm missing something obvious or misunderstanding how this should be working, and would appreciate any pointers.

7 Replies

balaji.bandi
Hall of Fame

What kind of data logs are missing?

Have you configured the platform settings on the FMC with the syslog server?

Also, on each ACP rule there is a logging config; you need to configure that to send logs too.

Version 6.x is quite old; try to upgrade to 7.x for good enhancement features.


BB


It's not syslog data from the FTDs (that is already working fine), it's syslog data coming from sites external to the firewall and traversing it to reach the syslog server. Some of this data is definitely making it through the firewall, but I can't find these successful connections, so in turn I don't know if the missing syslog data is because it's being blocked on this firewall or it's going wrong somewhere else.

I'm aware of 6.x being old and I've been working on upgrading progressively but it takes time in a production environment dealing with deprecated features.

Just to clarify the issue here:

The site sends syslog and it passes through the FTD.

Packet 1 passes.

Packet 2 is missing.

If that is the case, check if you use any QoS in the FTD; QoS can silently drop the packet (if you have not configured logging).

MHM

The working syslog data is passing fine through the firewall, but I can't see it in the connection logs. I *think* the missing data isn't being dropped, it's just not hitting the firewall at all, but I can't be sure when I can't see the working data.

Sorry, I'm not really following - why would the system be showing syslog traffic (and other data) without needing to do a packet capture?

Do a packet capture on the ingress interface.

Check if the traffic comes into the FTD or not.

MHM
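As an added example (not part of this thread, and not the poster's own commands), this is how the capture suggested above would look on the FTD's LINA CLI to confirm whether the external site's UDP 514 packets arrive on the ingress interface and whether any are dropped by the data plane. The interface name `outside`, the addresses 203.0.113.10 (external site) and 192.0.2.20 (syslog server), and the capture names are constructed placeholders.

```text
! Capture only UDP 514 from the external site to the syslog server on the
! ingress interface (interface name and addresses are constructed placeholders).
capture CAPIN interface outside match udp host 203.0.113.10 host 192.0.2.20 eq 514

! Separately capture packets the data plane drops, with the drop reason recorded.
capture ASPDROP type asp-drop all

! Let a few syslog messages be sent, then inspect both captures.
! A non-zero packet count in CAPIN proves the traffic reaches the FTD;
! matching packets in ASPDROP show it is being dropped here rather than upstream.
show capture CAPIN
show capture ASPDROP | include 514

! Clean up when done so the buffers do not keep consuming memory.
no capture CAPIN
no capture ASPDROP
```

If CAPIN stays at zero packets while the external site is sending, the traffic is not reaching this interface and the problem is upstream of the FTD; if CAPIN shows packets but they do not appear in the FMC connection events, the gap is in the rule logging, not in forwarding.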
