Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1687
Views
6
Helpful
5
Replies

Using TCP port of Syslog and FTD and local logging?

Go to solution
CiscoBrownBelt
Level 6
Level 6

‎03-20-2023 08:24 AM - edited ‎03-20-2023 08:58 AM

Hi All,

Let's say the syslog server being used can use any port for syslog, is just using TCP 514 instead of default UDP 514 good practice?

Aside from current logging stopping and/or breaking, is just changing the setting potentially impacting anything else?


Also, are local logs still logged in the FTD even if logging to external server is in use? 

 

1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to CiscoBrownBelt

‎03-21-2023 10:37 AM

@CiscoBrownBelt there is a default check box in the platform settings for syslog server that says "Allow users traffic to pass when TCP syslog server is down". If you uncheck that box and apply that platform settings with a tcp syslog server, new connections will be blocked it the configured syslog server is unavailable.

This is equivalent to the ASA command "no logging permit-hostdown".

View solution in original post

5 Replies 5

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-20-2023 09:19 AM

Syslog messages can be very voluminous, especially on firewalls. For that reason we prefer udp, a connectionless protocol, as it does not require the tcp 3-way handshake and related overhead. Normally we only see tcp-based syslog in environments with very strict compliance requirements that mandate all connections be logged and, if logs are not verified, to block traffic.

External logging and local logging can co-exist if so configured.

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Marvin Rhoads

‎03-20-2023 10:13 AM

Yes that is correct, requirements are to use TCP.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎03-20-2023 10:09 AM

Also, are local logs still logged in the FTD even if logging to external server is in use?  local log depend on buffer size and I think if you config is as max size still it so small compare to external Syslog. 
TCP Syslog configuration on the ASA device - Cisco Community

 

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to MHM Cisco World

‎03-20-2023 10:18 AM

Thanks. Per that link, does the Firepower FTD (FTD code) stop allowing new connections when the syslog becomes unavailable as well?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to CiscoBrownBelt

‎03-21-2023 10:37 AM

@CiscoBrownBelt there is a default check box in the platform settings for syslog server that says "Allow users traffic to pass when TCP syslog server is down". If you uncheck that box and apply that platform settings with a tcp syslog server, new connections will be blocked it the configured syslog server is unavailable.

This is equivalent to the ASA command "no logging permit-hostdown".

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card