Cisco Defense Orchestrator

Send Secure Firewall Cloud Native Syslog Events to the Cisco Cloud

This procedure explains how to forward Secure Firewall Cloud Native syslog events to a Secure Event Connector (SEC) and then enable logging. These procedures explain only what is needed to complete that workflow. 

Note: The commands must be entered in the configuration file of the firewall. 

Before you begin

Caution: This procedure is for advanced users who are familiar with the syntax of the device's configuration file. This method makes changes directly to the copy of the configuration file stored on the Defense Orchestrator. Therefore, we recommend you back up the existing device configuration before making the modifications. You can restore the backup configuration when needed.

  1. In the CDO navigation bar, click Devices & Services.
  2. Select the Secure Firewall Cloud Native device whose configuration you want to modify.
  3. In the Management pane on the right, click Configuration.
  4. Click Download.

Procedure

To forward Secure Firewall Cloud Native syslog events to one of the Secure Event Connectors (SECs), complete these tasks in the procedure that follows.

  1. In the Device Configuration tab, click Edit.
  2. In the configuration file, create a new CRD entry anywhere before the "snmp-server-config" and enter the commands discussed below. 

Commands:

########## CRD ### name: entry-name, order: order-number, generation: 1 ##########
    logging enable
    logging timestamp
    logging trap {severity_level | message_list}
    logging list name {level level [class message_class] | message start_id[-end_id]}
    logging host interface_name SEC_IP_address [[tcp/port] | [udp/port]]
    logging host interface_name SEC_IP_address [[tcp/port] | [udp/port]]
    logging permit-hostdown

Example: 

########## CRD ### name: syslog-events, order: 4, generation: 3 ##########
    logging enable
    logging timestamp
    logging list sfcn_syslogs_to_cloud level critical
    logging list sfcn_syslogs_to_cloud level warnings class ha
    logging list sfcn_syslogs_to_cloud message 302013-302018
    logging trap sfcn_syslogs_to_cloud
    logging host outside 192.168.1.5 17/10125
    logging host outside 192.168.1.5 6/10025
    logging permit-hostdown

  • entry-name: Specify a name for the CRD entry. Do not use an underscore '_' in the name.
  • order-number: Specify the order in which the command is executed in the desired sequence. It must be a unique number that comes before the highest order number already used in the configuration file.
  • logging enable: Logging is enabled for the entire device, not for individual rules. Note: At this time, CDO does not support enabling secure logging.
  • logging timestamp: Add the date and time that the syslog message originated on the firewall to the message using the logging timestamp command. The timestamp value is displayed in the SyslogTimestamp field.
  • logging trap {severity_level | message_list}: 

Specify which syslog messages should be sent to the syslog server with the following command:

Examples:

logging trap 3
logging trap sfcn_syslogs_to_cloud

You can specify the severity level number (1 through 7) or name. For example, if you set the severity level to 3, the Secure Firewall Cloud Native sends syslog messages for severity levels 3, 2, and 1.

The message_list argument is replaced with the name of a custom event list, if you have created one. When you specify a custom event list, only the syslog messages that are in that list are sent to the Secure Event Connector. In the example above, sfcn_syslogs_to_cloud is the name of the event list.

Using a message_list could save you money by tightly defining which syslog messages are sent to the Cisco cloud.

  • logging list name {level level [class message_class] | message start_id[-end_id]}

Use this command syntax to issue the logging list command to the firewall.

The name argument specifies the name of the list. The level level keyword-argument pair specifies the severity level. The class message_class keyword-argument pair specifies a particular message class. The message start_id [-end_id] keyword-argument pair specifies an individual syslog message number or a range of numbers.

Add syslog messages based on other criteria to the event list: 

Enter the same command as in the previous step, specifying the name of the existing message list and the additional criterion. Enter a new command for each criterion that you want to add to the list. For example, you can specify criteria for syslog messages to be included in the list as the following:

  • Syslog message IDs that fall into the range of 302013-302018.
  • All syslog messages with the critical severity level or higher (emergency, alert, or critical).
  • All HA class syslog messages with the warning severity level or higher (emergency, alert, critical, error, or warning).

Note: A syslog message is logged if it satisfies any of these conditions. If a syslog message satisfies more than one of the conditions, the message is logged only once. 
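The logging trap and logging list semantics described above (any one criterion in the list suffices, a message is sent at most once, and a numeric trap level also sends every more severe level), worked through as an added Python example that is not part of this page or of CDO. It assumes the standard ASA-style severity numbering (0 emergencies through 7 debugging) and uses constructed sample messages alongside the page's example event list:

```python
from collections import namedtuple

# Standard ASA-style severity numbering (assumed here): lower number = more severe.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
Msg = namedtuple("Msg", "msg_id severity msg_class")

def parse_level(tok):
    """Severity given as a number or as a name (singular or plural form)."""
    if tok.isdigit():
        return int(tok)
    return next(n for name, n in SEVERITY.items() if tok in (name, name.rstrip("s")))

def parse_logging(config):
    """Collect 'logging list' criteria per list name and the 'logging trap' target."""
    lists, trap = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["logging", "list"]:
            preds = lists.setdefault(tok[2], [])
            if tok[3] == "level":
                lvl = parse_level(tok[4])
                cls = tok[6] if len(tok) > 6 and tok[5] == "class" else None
                preds.append(lambda m, lvl=lvl, cls=cls: m.severity <= lvl
                             and (cls is None or m.msg_class == cls))
            elif tok[3] == "message":
                lo, hi = tok[4].split("-") if "-" in tok[4] else (tok[4], tok[4])
                preds.append(lambda m, lo=int(lo), hi=int(hi): lo <= m.msg_id <= hi)
        elif tok[:2] == ["logging", "trap"]:
            trap = tok[2]
    return trap, lists

def forwarded(config, msgs):
    """IDs of the messages the trap setting sends to the SEC, each at most once."""
    trap, lists = parse_logging(config)
    if trap in lists:                  # custom event list: any one criterion suffices
        hit = lambda m: any(p(m) for p in lists[trap])
    else:                              # plain severity: that level and more severe ones
        lvl = parse_level(trap)
        hit = lambda m: m.severity <= lvl
    return [m.msg_id for m in msgs if hit(m)]

# Constructed sample input: the page's example event list and five made-up messages.
CONFIG = """logging list sfcn_syslogs_to_cloud level critical
logging list sfcn_syslogs_to_cloud level warnings class ha
logging list sfcn_syslogs_to_cloud message 302013-302018
logging trap sfcn_syslogs_to_cloud"""
SAMPLE = [Msg(302013, 6, "session"), Msg(302020, 6, "session"),
          Msg(105001, 4, "ha"), Msg(106023, 4, "ids"), Msg(199001, 1, "sys")]
```

Running forwarded(CONFIG, SAMPLE) keeps the in-range session message, the HA warning and the alert, and drops the non-HA warning, which is the money-saving filtering the message_list passage describes.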

  • logging host interface_name SEC_IP_address [[tcp/port] | [udp/port]]
    logging host interface_name SEC_IP_address [[tcp/port] | [udp/port]]

Configure the Secure Firewall Cloud Native to send messages, using TCP or UDP, to the SEC as if it were a syslog server. The SEC can use an IPv4 or IPv6 address. You will be sending events to either a TCP or UDP port. See Finding Your Device's TCP, UDP, and NSEL Port Used for Cisco Security Analytics and Logging to determine what ports you should use.

logging host interface_name SEC_IP_address [[tcp/port] | [udp/port]]

Here is an example of the logging host command syntax:

logging host outside 192.168.1.5 tcp/10125
logging host outside 192.168.1.5 udp/10025
logging host outside 2002::1:1 tcp/10125
logging host outside 2002::1:1 udp/10025

  • The interface_name argument specifies the Secure Firewall Cloud Native interface from which messages are sent to the syslog server. It is a "best practice" to send the syslog messages to the SEC from the same Secure Firewall Cloud Native interface used to communicate with the SDC.
  • The SEC_IP_address argument should contain the IP address of the VM on which the SEC is installed. 
  • The tcp/port or udp/port keyword-argument pair specifies that syslog messages should be sent using either TCP protocol and relevant port, or the UDP protocol and relevant port. You can configure the Secure Firewall Cloud Native to send data to a syslog server using either UDP or TCP, but not both. The default protocol is UDP if you do not specify a protocol.

If you specify TCP, the Secure Firewall Cloud Native will detect syslog server failures and, as a security protection, block new connections through the Secure Firewall Cloud Native. To allow new connections regardless of connectivity to a TCP syslog server, see the logging permit-hostdown command below. If you specify UDP, the Secure Firewall Cloud Native continues to allow new connections whether or not the syslog server is operational.

Note: If you want to send Secure Firewall Cloud Native messages to two separate syslog servers, you can run a second logging host command with the appropriate interface, IP address, protocol, and port of the other syslog server.

  • logging permit-hostdown

(Optional) If you send events to the SEC over TCP, and if either the SEC is down or the log queue on the Secure Firewall Cloud Native is full, then new connections are blocked. New connections are allowed again after the syslog server is back up and the log queue is no longer full. To allow new connections regardless of connectivity to a TCP syslog server, disable the feature to block new connections when a TCP-connected syslog server is down using this command. 
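Before saving, the entry-name, order-number and placement rules from this procedure can be checked mechanically. The following Python is an added example, not part of this page or of CDO: it refuses a name containing '_', a duplicate order number or one not below the highest order in use, and otherwise splices the entry in before the snmp-server-config line. It assumes the CRD header format shown in the page's example, that snmp-server-config appears as a bare line, and uses a constructed configuration fragment with a placeholder SEC address:

```python
import re

# CRD entry header as shown in the page's example; the marker line is the placement rule.
CRD_HDR = re.compile(r"^#+ CRD ### name: (\S+), order: (\d+), generation: (\d+) #+$")
SNMP_MARKER = "snmp-server-config"   # the new entry must be placed before this line

def existing_entries(config):
    """Map each CRD entry name in the file to its order number."""
    found = {}
    for line in config.splitlines():
        m = CRD_HDR.match(line.strip())
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def insert_crd(config, name, order, commands):
    """Validate name and order per the page's rules, then splice the entry in."""
    if "_" in name:
        raise ValueError("CRD entry name must not contain '_': " + name)
    entries = existing_entries(config)
    if name in entries:
        raise ValueError("CRD entry name already used: " + name)
    if order in entries.values():
        raise ValueError("order %d already used by another CRD entry" % order)
    if entries and order >= max(entries.values()):
        raise ValueError("order %d must be below the highest order in use" % order)
    lines = config.splitlines()
    idx = next((i for i, l in enumerate(lines) if l.strip() == SNMP_MARKER), None)
    if idx is None:
        raise ValueError(SNMP_MARKER + " line not found; cannot place the entry")
    block = ["########## CRD ### name: %s, order: %d, generation: 1 ##########" % (name, order)]
    block += ["    " + c for c in commands]          # commands are indented under the header
    return "\n".join(lines[:idx] + block + lines[idx:]) + "\n"

# Constructed configuration fragment with two pre-existing CRD entries.
CONFIG = """hostname sfcn-1
########## CRD ### name: objects, order: 2, generation: 1 ##########
    object network inside-net
########## CRD ### name: access-policy, order: 9, generation: 2 ##########
    access-list outside-in extended permit tcp any any eq 443
snmp-server-config
"""
# The page's syslog commands, with the SEC address left as a placeholder.
SYSLOG_CMDS = ["logging enable", "logging timestamp",
               "logging list sfcn_syslogs_to_cloud level critical",
               "logging trap sfcn_syslogs_to_cloud",
               "logging host outside <SEC_IP_ADDRESS> tcp/10125",
               "logging permit-hostdown"]
```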

  1. Click Save.
  2. Deploy the configuration changes to the firewall.