Configure logging and basic settings

Enable logging and configure syslog settings so the system generates and manages logs for data plane events. This setup ensures log data is archived and available for analysis or reporting.

Perform this task when you need to generate syslog messages for data plane events and manage log storage on your device. You can manipulate saved logging data. You can also specify actions for certain syslog messages, extract data for reporting, or track statistics using scripts.

Tip

If you are configuring devices to send syslog messages about security events (such as connection and intrusion events), most Firewall Threat Defense platform settings do not apply to these messages. See Firewall Threat Defense platform settings that apply to security event syslog messages.

Before you begin

  • Determine where logs should be stored, such as an FTP server or flash memory.

  • Understand the desired logging level (critical, alerts, emergencies, errors, etc.).

  • Identify if logging should be enabled on standby or failover units.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Select Syslog > Logging Setup in your device's configuration interface.

Step 3

Enable logging and configure basic logging settings.

  • Enable Logging—Turns on the data plane system logging.
  • Enable Logging on the Failover Standby Unit—Turns on logging for the standby device, if available.
  • Send syslogs in EMBLEM format—Enables EMBLEM format logging for every logging destination. If you enable EMBLEM, you must use the UDP protocol to publish syslog messages. EMBLEM is not compatible with TCP.

    The EMBLEM syslog format is a Cisco-specific convention that is built upon the RFC 3164 and RFC 5424 standards. When EMBLEM is enabled, the syslog message prints a colon (:) after the <PRI> field, which differs from the RFC 5424 format.

    Note

    Syslog messages in RFC 5424 format typically display the priority value (PRI). However, in Cloud-Delivered Firewall Management Center, if you want the PRI value to appear in the syslog messages of the managed Firewall Threat Defense device, make sure that you enable the EMBLEM format. Also, the device ID does not appear in EMBLEM-formatted syslog messages.

  • Send debug messages as syslogs—Redirects debug trace output to the syslog. The syslog message number is 711001 and the default logging level is set to debug. To view these messages, ensure logging is enabled at the console and configured for the debug syslog message number and level.
  • Memory Size of Internal Buffer—Specify the size of the internal buffer to which syslog messages are saved if the logging buffer is enabled. When the buffer fills up, it is overwritten. The default is 4096 bytes. The range is 4096 to 52428800 bytes.

Step 4

(Optional) Configure the syslog message logging to the Security Cloud Control.

  1. Click the All Logs radio button to log all troubleshooting syslog messages at the selected severity level, or click the VPN Logs radio button to log only the VPN troubleshooting messages at the selected severity level.

  2. Choose the syslog severity level for the logging messages in the Logging Level drop-down list.

    • The logging level for All Logs is set to critical by default. You can choose to send syslog messages with severity levels critical, alerts, or emergencies to the Cloud-Delivered Firewall Management Center.

    • The logging level for the VPN messages is set to errors by default.

      VPN troubleshooting syslogs can add excessive load on the Cloud-Delivered Firewall Management Center, so enable this option with caution. Also, when you configure a device with site-to-site or remote access VPN, sending VPN syslogs to the management center is enabled automatically by default. We recommend that you limit the logging level to errors and above to restrict the excessive flow of syslogs to the Cloud-Delivered Firewall Management Center, especially for RAVPN, where multiple devices are involved.

    For information on the levels, see Syslog message severity levels.
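The EMBLEM note in Step 3 and the severity levels chosen in Step 4 are easy to get wrong when syslog from the device is fed to a collector, because the colon after <PRI> makes an EMBLEM line fail a strict RFC 5424 parser. The following Python is an added example (not Cisco code) that decodes the PRI field, tells the EMBLEM, RFC 5424 and RFC 3164 layouts apart, and applies the same "this level and more severe" selection the Logging Level drop-down uses; the sample lines are constructed, the text after the EMBLEM colon and the %FTD-level-id token are assumed layouts, and message IDs other than 711001 are placeholders.

```python
import re

# Standard syslog severity numbers; the names match the Logging Level drop-down.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_NUMBER = {name: num for num, name in SEVERITY.items()}

# <PRI> is present in every layout. EMBLEM puts a colon right after it,
# RFC 5424 puts the version "1" there, RFC 3164 continues with the timestamp.
PRI_RE = re.compile(r"^<(\d{1,3})>(:?)(.*)$", re.DOTALL)
# Cisco message token, e.g. %FTD-7-711001 (assumed conventional form).
MSG_RE = re.compile(r"%(?:FTD|ASA)-(\d)-(\d{6})")


def parse(line):
    """Return format, facility, severity and message id for one syslog line, or None."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:   # PRI = facility*8 + severity, max 23*8+7
        return None
    pri, colon, rest = int(m.group(1)), m.group(2), m.group(3)
    if colon == ":":
        fmt = "emblem"
    elif rest.startswith("1 "):
        fmt = "rfc5424"
    else:
        fmt = "rfc3164"
    msg = MSG_RE.search(rest)
    return {"format": fmt, "facility": pri // 8, "severity": pri % 8,
            "severity_name": SEVERITY[pri % 8],
            "msg_id": msg.group(2) if msg else None}


def select(lines, level="critical"):
    """Keep messages at the given level or more severe (lower number),
    mirroring the Logging Level choice; 'critical' keeps severities 0-2."""
    limit = LEVEL_NUMBER[level]
    return [rec for rec in map(parse, lines) if rec and rec["severity"] <= limit]


# Constructed sample lines (not captured from a device). Placeholder message
# IDs 100001-100003; 711001 is the debug-trace message number from the page.
SAMPLES = [
    "<163>: Mar 07 2024 10:00:00: %FTD-3-100001: placeholder error text",
    "<134>1 2024-03-07T10:00:01Z ftd-01 - - - %FTD-6-100002: placeholder info text",
    "<167>: Mar 07 2024 10:00:02: %FTD-7-711001: debug trace output",
    "<162>: Mar 07 2024 10:00:03: %FTD-2-100003: placeholder critical text",
]

if __name__ == "__main__":
    for rec in select(SAMPLES, "errors"):
        print(rec)
```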

Step 5

(Optional) Save log buffer contents to an FTP server before the buffer is overwritten.

  • Enable FTP Server Buffer Wrap and enter the necessary destination information in the following fields.
  • IP Address—Select the host network object that contains the IP address of the FTP server.
  • User Name—Enter the username to use when connecting to the FTP server.
  • Path—Enter the path, relative to the FTP root, where the buffer contents should be saved.
  • Password/Confirm—Enter and confirm the password used to authenticate the username to the FTP server.

Step 6

(Optional) Save log buffer contents to flash memory before overwriting.

  • Check the Flash checkbox.
  • Specify Maximum flash to be used by logging (KB) (range: 4-8044176 KB).
  • Specify Minimum free space to be preserved (KB) (range: 0-8044176 KB).

Step 7

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.


Logging is enabled and syslog messages are generated and stored based on your configuration. Log data is archived as specified and is accessible for further analysis or reporting.