Configure syslog settings

Configure syslog settings to manage how syslog messages are generated and sent to external syslog servers. You can specify the facility code, timestamp, device ID, and control message severity and suppression.

General syslog settings let you choose what information is included in syslog messages sent to syslog servers. This information includes the facility code, timestamp, device ID, severity levels, and message suppression. If you configure devices to send syslog messages about security events (such as connection and intrusion events), some settings do not apply to messages that relate to security events. See Firewall Threat Defense platform settings that apply to security event syslog messages.

Before you begin

Make sure you have access to the device and the permissions needed to change syslog settings.

Procedure

Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Select Syslog > Syslog Settings.

Step 3

Choose a system log facility from the Facility list as required by your syslog server.

Most UNIX systems use the default LOCAL4(20). Change the facility if your network devices use the same codes. In most cases, you do not need to set the facility value for security event logs.

Step 4

Select the Enable timestamp on each syslog message check box to include the date and time a message was generated in the syslog message.

Step 5

Select the desired Timestamp Format:

  • Legacy (MMM dd yyyy HH:mm:ss): Default format without a timezone (always UTC).

  • RFC 5424 (yyyy-MM-ddTHH:mm:ssZ): Uses ISO 8601 with “Z” indicating UTC.

Step 6

To add a device identifier at the start of messages, check the Enable Syslog Device ID check box and select the identifier type:

  • Interface—Use the IP address of a specific interface.
    Note

    VTI tunnel interfaces are not supported for Syslog.

  • User Defined ID—Enter a custom text string (up to 16 characters).
  • Host Name—Use the device’s hostname.

Step 7

Use the Syslog Message table to adjust severity or suppress messages:

Change a message's severity level or disable its generation if necessary. By default, syslog entries for NetFlow are enabled and appear in the table.

  1. To suppress redundant messages due to NetFlow, select Netflow Equivalent Syslogs.

    This adds the messages to the table as suppressed messages.

    Note

    If any of these syslog equivalents are already in the table, your existing rules are not overwritten.

  2. To add a rule, click Add.

  3. Select the message number (Syslog ID) to change, from the Syslog ID drop-down list.

  4. Choose the new severity level from the Logging Level drop-down list or select Suppressed to disable the generation of the message. Usually, you do not change both the severity level and disable the message. However, you can modify both fields if you want.

  5. Click OK to add the rule to the table.

Step 8

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

What to do next

  • Deploy configuration changes.