Cisco Defense Orchestrator

Syslog Server Objects

About Syslog Server Objects

FTDs have a limited capacity to store events. To maximize storage for events, you can configure an external server. A system log (syslog) server object identifies a server that can receive connection-oriented or diagnostic syslog messages. If you have a syslog server set up for log collection and analysis, you can use the Defense Orchestrator to create objects to define them and use the objects in the related policies.

Create Syslog Server Objects

To create a new syslog server object, follow these steps:

  1. In the navigation bar, click Objects.
  2. Click the Create Object button.
  3. Select Syslog Server under FTD object types.
  4. Configure the syslog server object properties:
  • IP Address—Enter the IP address of the syslog server. 
  • Protocol Type—Select the protocol that your syslog server uses to receive messages. If you select TCP, the system can recognize when the syslog server is not available, and stops sending events until the server is available again.
  • Port Number—Enter a valid port number to use for syslog. If your syslog server uses default ports, enter 514 as the default UDP port or 1470 as the default TCP port. If the server does not use default ports, enter the correct port number. The port must be in the range 1025 to 65535.
  • Select an interface—Select which interface should be used for sending diagnostic syslog messages. Connection and intrusion events always use the management interface. Your interface selection determines the IP address associated with syslog messages. Note that you can only select one of the options listed below. You cannot select both. Select one of the following options:
    • Data Interface—Use the data interface you select for diagnostic syslog messages. Select an interface from the generated list. If the server is accessible through a bridge group member interface, select the bridge group interface (BVI). If it is accessible through the Diagnostic interface (the physical management interface), we recommend that you select Management Interface instead of this option. You cannot select a passive interface. 
      For connection and intrusion syslog messages, the source IP address will either be for the management interface, or for the gateway interface if you route through data interfaces.
    • Management Interface—Use the virtual management interface for all types of syslog messages. The source IP address will either be for the management interface, or for the gateway interface if you route through data interfaces.
  5. Click Add.
  6. Return to the Devices & Services page and Preview and Deploy the changes from Defense Orchestrator to FTD.
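
After the deploy, a receiver-side spot check on the syslog host confirms that messages arrive on the configured protocol and port and that their source address is the one implied by the interface selection. The script below is an added example, not Cisco code; the function names, the bind address, and the expected source IP (192.0.2.10) are assumptions to replace with your own values.

```python
import socket

def open_listener(proto, bind_addr, port):
    """Bind a socket matching the object's Protocol Type and Port Number."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, port))
    if proto == "tcp":
        sock.listen(5)
    return sock

def receive(sock, proto, max_msgs=5, timeout=10.0):
    """Return [(source_ip, message_text), ...]; stops at max_msgs or on timeout."""
    sock.settimeout(timeout)
    records = []
    try:
        while len(records) < max_msgs:
            if proto == "udp":
                data, (src, _port) = sock.recvfrom(8192)
            else:
                conn, (src, _port) = sock.accept()
                with conn:
                    conn.settimeout(timeout)
                    data = conn.recv(8192)  # spot check: first chunk only
            # Assumption: one message per line (newline-delimited framing).
            for line in data.decode("utf-8", "replace").splitlines():
                if line.strip():
                    records.append((src, line.strip()))
    except socket.timeout:
        pass  # nothing (more) arrived within the window
    return records

def unexpected_sources(records, expected_ips):
    """Source IPs that are not the interface address the object should use."""
    return sorted({src for src, _msg in records} - set(expected_ips))

if __name__ == "__main__":
    # Constructed values: TCP on 1470 as in the steps above; 192.0.2.10 stands
    # in for the FTD management (or gateway) interface address.
    listener = open_listener("tcp", "0.0.0.0", 1470)
    seen = receive(listener, "tcp")
    listener.close()
    for src, msg in seen:
        print(src, msg)
    print("unexpected sources:", unexpected_sources(seen, {"192.0.2.10"}))
```

Run it in place of the real collector only for the duration of the check; an empty result within the timeout means nothing reached the host on that protocol and port.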

Edit Syslog Server Objects

To edit an existing syslog server object, follow these steps:

  1. In the navigation bar, click Objects.
  2. Locate the desired syslog server object and select it. You can filter the object list by the syslog server object type.
  3. In the Actions pane, click Edit.
  4. Make the desired edits and click Save.
  5. Confirm the changes you made. 
  6. Return to the Devices & Services page and Preview and Deploy the changes from Defense Orchestrator to FTD.  

 
