Stream Audit Logs to Syslog

When this feature is enabled, audit log records appear in the syslog in the following format:

Date Time Host: [Tag] Sender: User_Name@User_IP, Subsystem, Action

Where the local date, time, and originating hostname precede the bracketed optional tag, and the sending device name precedes the audit log message.

For example, if you specify a tag of FMC-AUDIT-LOG for audit log messages from your management center, a sample audit log message from your Cloud-Delivered Firewall Management Center could appear as follows:

Mar 01 14:45:24 localhost: [FMC-AUDIT-LOG] Dev-MC7000: admin@10.1.1.2, Operations > Monitoring, Page View

If you specify a severity and facility, these values do not appear in syslog messages; instead, they tell the system that receives the syslog messages how to categorize them.

Before you begin

Make sure the Cloud-Delivered Firewall Management Center can communicate with the syslog server. When you save your configuration, the system uses ICMP/ARP and TCP SYN packets to verify that the syslog server is reachable. Then, the system by default uses port 514/UDP to stream audit logs. If you secure the channel, you must manually configure port 1470 for TCP.

Procedure

Step 1

Choose Administration > Configuration.

Step 2

Click Audit Log.

Step 3

Choose Enabled from the Send Audit Log to Syslog drop-down menu.

Step 4

The following fields are applicable only for audit logs sent to syslog:

Option

Description

Send Configuration Changes

To include configuration changes syslog in the audit log streaming, from the drop-down, select the relevant options:

  • JSON—the syslog includes detailed differences in the configuration changes.

  • API—the syslog includes API to retrieve the detailed differences in the configuration changes.

  • None—to have all other audit logs except details of the configuration changes.

Host

The IP address or the fully qualified name of the syslog server to which you will send audit logs. You can add a maximum of five syslog hosts, separated by commas.

Note

You can specify multiple syslog hosts, only when TLS is disabled for the Audit Server Certificate.

Facility

The subsystem that creates the message.

Choose a facility described in Syslog alert facilities. For example, choose AUDIT.

Severity

The severity of the message.

Choose a severity described in Syslog severity levels.

Tag

An optional tag to include in audit log syslog messages.

Best practice: Enter a value in this field to easily differentiate audit log messages from other, similar syslog messages such as health alerts.

For example, if you want all audit log records sent to the syslog to be labeled with FMC-AUDIT-LOG, enter FMC-AUDIT-LOG in the field.

Step 5

(Optional) To test whether the IP address of the syslog servers is valid, click Test Syslog Server.

The system sends the following packets to verify whether the syslog server is reachable:

  1. ICMP echo request

  2. TCP SYN on 443 and 80 ports

  3. ICMP time stamp query

  4. TCP SYN on random ports

Note

If the Cloud-Delivered Firewall Management Center and syslog server are in the same subnet, ARP is used instead of ICMP.

The system displays the result for each server.

Step 6

Click Save.