Using TCP port of Syslog and FTD and local logging?

CiscoPurpleBelt
Level 6

Hi All,

Let's say the syslog server being used can use any port for syslog, is just using TCP 514 instead of default UDP 514 good practice?

Aside from current logging stopping and/or breaking, is just changing the setting potentially impacting anything else?


Also, are local logs still logged in the FTD even if logging to external server is in use? 



5 Replies

Marvin Rhoads
Hall of Fame

Syslog messages can be very voluminous, especially on firewalls. For that reason we prefer UDP, a connectionless protocol, as it does not require the TCP 3-way handshake and related overhead. Normally we only see TCP-based syslog in environments with very strict compliance requirements that mandate all connections be logged and, if logs are not verified, to block traffic.

External logging and local logging can co-exist if so configured.

Yes, that is correct; requirements are to use TCP.

Also, are local logs still logged in the FTD even if logging to external server is in use? Local logs depend on the buffer size, and I think even if you configure it at the max size it is still so small compared to the external syslog.
TCP Syslog configuration on the ASA device - Cisco Community


Thanks. Per that link, does the Firepower FTD (FTD code) also stop allowing new connections when the syslog server becomes unavailable?

@CiscoPurpleBelt there is a default check box in the platform settings for syslog server that says "Allow users traffic to pass when TCP syslog server is down". If you uncheck that box and apply that platform settings with a TCP syslog server, new connections will be blocked if the configured syslog server is unavailable.

This is equivalent to the ASA command "no logging permit-hostdown".
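To make the point of the two replies above concrete (UDP is fire-and-forget, while a TCP sender can tell that the collector is down, which is the condition a fail-closed setting such as the unchecked FTD box or ASA "no logging permit-hostdown" reacts to), here is an added Python example that is not from this thread or from Cisco. It builds an RFC 3164-style syslog line and sends it to a loopback collector that is first down and then up; the hostname, tag, event text and ports are constructed.

```python
import socket
import threading
from datetime import datetime, timezone

def build_syslog_message(facility, severity, hostname, tag, text):
    """RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: text, with PRI = facility*8 + severity."""
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{ts} {hostname} {tag}: {text}\n".encode()

def send_tcp(message, host, port, timeout=1.0):
    """True only if the 3-way handshake and the send completed: a down collector is detectable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(message)
        return True
    except OSError:  # connection refused, timeout, unreachable: the sender knows it failed
        return False

def send_udp(message, host, port):
    """UDP is fire-and-forget: sendto() succeeds whether or not anything is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message, (host, port))
    return True  # no acknowledgement exists, so delivery cannot be confirmed here

def accept_one(srv, received):
    """Minimal collector for the demonstration: accept one connection and store what it sends."""
    conn, _ = srv.accept()
    with conn:
        received.append(conn.recv(4096))

def demo():
    """Constructed scenario: a collector that is down, then one that is up; return what each sender saw."""
    msg = build_syslog_message(20, 5, "ftd-01", "FTD", "constructed test event")  # local4.notice
    host = "127.0.0.1"
    with socket.socket() as s:  # reserve a loopback port, then release it: nothing listens there
        s.bind((host, 0))
        dead_port = s.getsockname()[1]
    results = {"tcp_down": send_tcp(msg, host, dead_port), "udp_down": send_udp(msg, host, dead_port)}
    received = []
    with socket.socket() as srv:  # now a collector that is up
        srv.bind((host, 0))
        srv.listen(1)
        t = threading.Thread(target=accept_one, args=(srv, received), daemon=True)
        t.start()
        results["tcp_up"] = send_tcp(msg, host, srv.getsockname()[1])
        t.join(2)
    results["collector_got_message"] = bool(received) and received[0] == msg
    return results
```

Running demo() shows tcp_down False but udp_down True: the UDP sender reports success even though every message is lost, which is why only TCP syslog can drive a "block traffic when the server is down" policy.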
