Configure a syslog server

This task enables you to configure a syslog server for your device, allowing you to collect and monitor system-generated messages for security and operational visibility.

To configure a syslog server to handle messages generated from your system, perform this task.

If you want this syslog server to receive security events such as connection and intrusion events, see also Firewall Threat Defense platform settings that apply to security event syslog messages.

Note

In version 7.4 and later, the Management and Diagnostic interfaces are merged. If Platform Settings for syslog servers or SNMP hosts specify the Diagnostic interface by name, you must use separate Platform Settings policies for merged and unmerged devices. This requirement also applies to version 7.3 and earlier, and to some Firewall Threat Defense devices upgraded to version 7.4.

Before you begin

  • See requirements in Guidelines for logging.

  • Make sure your devices can reach your syslog collector on the network.

  • Ensure that only a public syslog server is configured. If you configure a local syslog server, health alerts will not be sent to syslog.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Select Syslog > Syslog Server.

Step 3

Check the Allow user traffic to pass when TCP syslog server is down (Recommended) check box, to allow traffic if any syslog server that is using the TCP protocol is down.

Note
  • This option is enabled by default. Unless required, we recommend that you allow connections through the threat defense device when the external TCP syslog server is unreachable by the device.

  • When the Allow user traffic to pass when TCP syslog server is down option is disabled in Cloud-Delivered Firewall Management Center version 6.2.x or earlier, it remains in the Disabled state even after upgrading to version 6.3 or later. You must manually enable this option.

  • If this option is disabled and more than one TCP syslog server is configured on the device, user traffic is allowed if at least one server is reachable by the threat defense device. This option only blocks traffic when none of the configured TCP syslog servers are reachable. The device generates a syslog message that describes the root cause of the denied traffic:

    %FTD-3-414003: TCP Syslog Server intf : IP_Address /port not responding. New connections are denied based on logging permit-hostdown policy

Step 4

In the Message queue size (messages) field, enter the queue size for storing syslog messages on the security appliance when the syslog server is busy. The minimum is 1 message. The default is 512. Specify 0 to allow an unlimited number of messages to be queued (subject to available block memory).

If the number of messages exceeds the configured queue size, the excess messages are dropped, resulting in missing syslog entries. To determine the ideal queue size, you need to identify the available block memory. Use the show blocks command to check the current memory utilization. For more information on the command and its attributes, see the Cisco Secure Firewall ASA Series Command Reference Guide. Contact Cisco TAC for assistance.

Step 5

Click Add to add a new syslog server.

  1. In the IP Address drop-down list, select a network host object containing the IP address of the syslog server.

  2. Choose the protocol, either TCP or UDP, and enter the port number used for communication between the Firewall Threat Defense device and the syslog server.

    UDP is faster and uses fewer resources than TCP on the device.

    The default port for UDP is 514. You must manually configure port 1470 for TCP. Valid non-default port values for either protocol are 1025 through 65535.

  3. Check the Log messages in Cisco EMBLEM format (UDP only) check box to specify whether to log messages in Cisco EMBLEM format (available only if UDP is selected as the protocol).

    The EMBLEM syslog format is a Cisco-specific convention built upon the RFC 3164 and RFC 5424 standards. When EMBLEM is enabled, the syslog message therefore prints a colon (:) after the <PRI> field.

    Note

    Syslog messages in RFC 5424 format typically display the priority value, referred to as PRI. However, in Cloud-Delivered Firewall Management Center, the PRI value is displayed in the syslog messages of a managed Firewall Threat Defense device only when you enable logging in Cisco EMBLEM format. Also, the device ID does not appear in EMBLEM-formatted syslog messages.

  4. Check the Enable Secure Syslog check box to encrypt the connection between the device and server using SSL or TLS over TCP.

    Note

    To use this option, you must select TCP as the protocol with a port value between 1025 and 65535. Upload the certificate required to communicate with the syslog server on the Devices > Certificates page. Then, upload the certificate from the Firewall Threat Defense device to the syslog server to complete the secure relationship and allow it to decrypt the traffic. The Enable Secure Syslog option is not supported on the device Management interface.

  5. Add the zones that contain the interfaces used to communicate with the syslog server. For interfaces not assigned to a zone, type the interface name into the field under the Selected Zones/Interface list and click Add. The rules apply only when the device includes the selected interfaces or zones.

    Note

    If the syslog server exists on the network attached to the physical Management interface, type the interface name into the Interface Name field under the Selected Security Zones list and click Add. Configure this name and the IP address for the Diagnostic interface as well. To do this, edit the device settings from the Device Management page and select the Interfaces tab. For more information about the management or diagnostic interface, see Diagnostic Interface.

  6. Select Device Management Interface or Security Zones or Named Interfaces to communicate with the syslog server.

    • Device Management Interface: Send syslogs out of the Management interface. We recommend that you use this option when configuring syslog on Snort events.

      Note

      The Device Management Interface option does not support the Enable Secure Syslog option.

    • Security Zones or Named Interfaces: Select the interfaces from the list of Available Zones and click Add. You can also add virtual-router-aware interfaces.

      Important

      The Firewall Threat Defense data plane (Lina) syslog messages cannot be sent out through the diagnostic interface. Configure other interfaces or the Management interface (Br1/Management0) to send out the data plane syslog messages.

  7. Click OK.

Step 6

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.
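As an added example (not part of this Cisco guide), the following Python script shows how a collector can tell EMBLEM-formatted Firewall Threat Defense messages apart from non-EMBLEM ones by the colon after <PRI> described in Step 5, decode facility and severity from the PRI value, and flag the %FTD-3-414003 message from Step 3 so an unreachable TCP syslog server is noticed before new connections are denied. The sample lines, IP addresses, interface name, device ID and the 302013 line are constructed for illustration.

```python
import re

# Constructed sample lines (not captured from a real device). The first two follow the
# EMBLEM form described above (PRI shown, colon after <PRI>, no device ID); the third is a
# non-EMBLEM line in which the PRI is omitted and a device ID precedes the message ID.
SAMPLE_LINES = [
    "<163>: %FTD-3-414003: TCP Syslog Server outside : 192.0.2.50 /1470 not responding. "
    "New connections are denied based on logging permit-hostdown policy",
    "<166>: %FTD-6-302013: Built inbound TCP connection 12 for outside:192.0.2.10/40000 ...",
    "Jun 05 2024 12:00:01 ftd-edge-1 : %FTD-3-414003: TCP Syslog Server outside : "
    "192.0.2.51 /1470 not responding. New connections are denied based on logging "
    "permit-hostdown policy",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(:)?\s*")          # <PRI> optionally followed by the EMBLEM colon
MSG_ID_RE = re.compile(r"%FTD-(\d)-(\d{6}):")        # %FTD-<severity>-<message id>:
HOSTDOWN_RE = re.compile(r"TCP Syslog Server (\S+) : (\S+) /(\d+) not responding")


def parse_ftd_syslog(line):
    """Decode facility/severity from PRI (when present), note whether the line is
    EMBLEM-formatted, and extract the %FTD message ID and its severity digit."""
    rec = {"emblem": False, "facility": None, "pri_severity": None,
           "msg_id": None, "msg_severity": None}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        # RFC 3164 / RFC 5424: PRI = facility * 8 + severity
        rec["facility"], rec["pri_severity"] = divmod(pri, 8)
        rec["emblem"] = m.group(2) == ":"            # colon right after <PRI> marks EMBLEM
    mid = MSG_ID_RE.search(line)
    if mid:
        rec["msg_severity"], rec["msg_id"] = int(mid.group(1)), mid.group(2)
    return rec


def detect_hostdown(line):
    """For a %FTD-3-414003 line return (interface, server_ip, port) of the TCP syslog
    server that stopped responding; return None for any other message."""
    if parse_ftd_syslog(line)["msg_id"] != "414003":
        return None
    m = HOSTDOWN_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None


def hostdown_servers(lines):
    """Collect every unreachable TCP syslog server reported in a batch of lines."""
    return [hit for hit in (detect_hostdown(l) for l in lines) if hit]
```

An alert on any non-empty result from hostdown_servers() tells you that the device has started denying new connections (or would, if the option in Step 3 were disabled) because no configured TCP syslog server is reachable.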


What to do next

  • Deploy configuration changes.