If you will use syslog or store events externally, avoid special characters in object names such as policy and rule names. Object names should not contain special characters, such as commas, that the receiving application may use as separators.
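The following is an added example, not Cisco's code, showing why separators in object names matter: it flags unsafe characters in policy and rule names and then parses a constructed FTD-style "Key: Value, Key: Value" event to show how a comma inside a rule name shifts the fields. The message layout, the IP addresses and the rule names are constructed for illustration, and the set of unsafe characters is an assumption to adapt to your collector.

```python
# Added example (not Cisco's code): check policy/rule names for characters that a
# syslog consumer may treat as separators, and show why it matters by parsing a
# constructed FTD-style "Key: Value, Key: Value" event body. The message layout,
# sample IPs and rule names below are constructed for illustration.

# Assumption: commas separate fields in FTD-style events; the other characters are
# common delimiters or quoting characters in SIEM parsers. Adjust for your collector.
UNSAFE_NAME_CHARS = frozenset(',;|"\'=\t\r\n')


def check_object_name(name: str) -> list:
    """Return the sorted list of unsafe characters in an object name ([] if clean)."""
    return sorted(UNSAFE_NAME_CHARS.intersection(name))


def audit_object_names(names) -> dict:
    """Map each offending name to the unsafe characters it contains."""
    return {n: bad for n in names if (bad := check_object_name(n))}


def parse_ftd_fields(msg: str) -> dict:
    """Split an FTD-style security event body into a dict of fields.

    Fields are separated by ', ' and each field is 'Key: Value'. A fragment with
    no 'Key: ' prefix can only come from a separator inside a value (for example a
    comma in a rule name); it is collected under '_orphan_fragments' so the caller
    can detect the corruption instead of silently losing data.
    """
    body = msg.split(": ", 1)[1] if msg.startswith("%FTD-") else msg
    fields: dict = {}
    for part in body.split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key] = value
        else:
            fields.setdefault("_orphan_fragments", []).append(part)
    return fields


# Constructed sample events: identical except for the comma in the rule name.
CLEAN_EVENT = ("%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, "
               "DstIP: 192.0.2.10, AccessControlRuleName: Allow_Web_Outbound, Protocol: tcp")
BAD_EVENT = ("%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, "
             "DstIP: 192.0.2.10, AccessControlRuleName: Allow Web, Outbound, Protocol: tcp")

if __name__ == "__main__":
    print(audit_object_names(["Allow_Web_Outbound", "Allow Web, Outbound"]))
    print(parse_ftd_fields(CLEAN_EVENT)["AccessControlRuleName"])
    print(parse_ftd_fields(BAD_EVENT))
```

Run the audit against the names exported from your policies before enabling external logging; any name it reports will split into an extra field on the receiving side.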
- Configure FTD platform settings (Devices > Platform Settings > Threat Defense Settings > Syslog).
- See also FTD Platform Settings That Apply to Security Event Syslog Messages.
- In your access control policy Logging tab, opt to use the FTD platform settings.
- (For intrusion events) Configure intrusion policies to use the settings in your access control policy Logging tab. (This is the default.)
Overriding any of these settings is not recommended.
For essential details, see Send Security Event Syslog Messages from FTD Devices.
- Create an alert response.
- Configure access control policy Logging to use the alert response.
- (For intrusion events) Configure syslog settings in intrusion policies.
For complete details, see Send Security Event Syslog Messages from Classic Devices.
- In Firepower Management Center, configure policies to generate security events and verify that the events you expect to see appear in the applicable tables under the Analysis menu.
- Gather the syslog server IP address, port, and protocol (UDP or TCP).
- Ensure that your devices can reach the syslog server(s).
- Confirm that the syslog server(s) can accept remote messages.
- For important information about connection logging, see the chapter on Connection Logging.
- Click Devices > Platform Settings.
- Edit the platform settings policy associated with your FTD device.
- In the left navigation pane, click Syslog.
- Click Syslog Servers and click Add to enter server, protocol, interface, and related information. If you have questions about options on this page, see Configure a Syslog Server.
- Click Syslog Settings and configure the following settings:
- Enable Timestamp on Syslog Messages
- Timestamp Format
- Enable Syslog Device ID
- Click Logging Setup.
- Select whether or not to Send syslogs in EMBLEM format.
- Save your settings.
- Click Policies > Access Control.
- Edit the applicable access control policy.
- Click Logging.
- Select FTD 6.3 and later: Use the syslog settings configured in the FTD Platform Settings policy deployed on the device.
- (Optional) Select a Syslog Severity.
- If you will send file and malware events, select Send Syslog messages for File and Malware events.
- Click Save.
- In the same access control policy, click the Security Intelligence tab.
- In each of the following locations, click Logging and enable beginning and end of connections and Syslog Server:
- Beside DNS Policy.
- In the Block List box, for Networks and for URLs.
- Click Save.
- In the same access control policy, click the Rules tab.
- Click a rule to edit.
- Click the Logging tab in the rule.
- Choose whether to log the beginning or end of connections, or both.
- (Connection logging generates a lot of data; logging both beginning and end generates roughly double that much data. Not every connection can be logged both at beginning and end.)
- If you will log file events, select Log Files.
- Enable Syslog Server.
- Verify that the rule is "Using default syslog configuration in Access Control Logging."
- Click Add.
- Repeat for each rule in the policy.
- Navigate to the intrusion policy associated with your access control policy.
- In your intrusion policy, click Advanced Settings > Syslog Alerting > Enabled.
- If necessary, click Edit.
- Enter options:
  - Logging Host: Unless you will send intrusion event syslog messages to a different syslog server than you will send other syslog messages, leave this blank to use the settings you have configured above.
  - Facility: This setting is applicable only if you specify a Logging Host on this page. For descriptions, see Syslog Alert Facilities.
  - Severity: This setting is applicable only if you specify a Logging Host on this page. For descriptions, see Syslog Severity Levels.
- Click Back.
- Click Policy Information in the left navigation pane.
- Click Commit Changes.
Before you begin
- Configure policies to generate security events.
- Ensure that your devices can reach the syslog server(s).
- Confirm that the syslog server(s) can accept remote messages.
See Creating a Syslog Alert Response.
- Click Policies > Access Control.
- Edit the applicable access control policy.
- Click Logging.
- Select Send using specific syslog alert.
- Select the Syslog Alert you created above.
- Click Save.
Step Three - If you will send file and malware events:
- Select Send Syslog messages for File and Malware events.
- Click Save.
- Navigate to the intrusion policy associated with your access control policy.
- In your intrusion policy, click Advanced Settings > Syslog Alerting > Enabled.
- If necessary, click Edit.
- Enter options:
  - Logging Host: Unless you will send intrusion event syslog messages to a different syslog server than you will send other syslog messages, leave this blank to use the settings you have configured above.
  - Facility: This setting is applicable only if you specify a Logging Host on this page. See Syslog Alert Facilities.
  - Severity: This setting is applicable only if you specify a Logging Host on this page. See Syslog Severity Levels.
- Click Back.
- Click Policy Information in the left navigation pane.
- Click Commit Changes.