Logging Settings for Access Control Policies

To configure logging settings for an access control policy, select Logging from the More drop-down arrow at the end of the packet flow line.

You can configure default syslog destinations and a syslog alert for the access control policy. These settings apply to the access control policy and to all included SSL/TLS decryption, prefilter, and intrusion policies, unless the syslog destination settings are explicitly overridden with custom settings in the included rules and policies.

Logging for connections handled by the default action is initially disabled.

The IPS and File and Malware settings take effect only after you select one of the options at the top of the page for sending syslog messages.

Default Syslog Settings

  • Send using specific syslog alert—If you select this option, the events are sent based on the selected syslog alert as configured using the instructions in Creating a Syslog Alert Response. You can select the syslog alert from the list or add one by specifying the name, logging host, port, facility, and severity. For more information, see Facilities and Severities for Intrusion Syslog Alerts. This option is applicable to all devices.

    When using this option, the system sends syslog messages to the server using the Management interface. Ensure there is a route from the Management interface to the syslog server, or messages will not arrive at the server.

  • Use the syslog settings configured in the Threat Defense Platform Settings policy deployed on the device—If you select this option and select the severity, connection or intrusion events are sent with the selected severity to the syslog collectors configured in Platform Settings. With this option, you can unify the syslog configuration by configuring it in Platform Settings and reusing those settings in the access control policy. The severity selected in this section is applied to all connection and intrusion events. The default severity is ALERT.

    This option is applicable only to Secure Firewall Threat Defense devices 6.3 and later.
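
A collector-side check that received messages carry the severity selected above (ALERT by default), shown as an added example that is not part of the product documentation. It assumes the collector keeps each raw message with its leading <PRI> field (facility × 8 + severity, per RFC 5424); the function names are hypothetical and the sample lines are constructed placeholders, not real device output.

```python
import re

# Severity and facility names by numeric code (RFC 5424, section 6.2.1).
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]
FACILITIES = ["KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
              "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "AUDIT", "ALERT", "CLOCK"]
FACILITIES += [f"LOCAL{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7  # highest facility code with highest severity code


def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if absent or invalid."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > MAX_PRI:
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def audit(lines, expected_severity="ALERT"):
    """Return (line_number, reason) for every message that does not match the expected severity."""
    findings = []
    for number, line in enumerate(lines, 1):
        decoded = decode_pri(line)
        if decoded is None:
            findings.append((number, "missing or invalid PRI"))
        elif decoded[1] != expected_severity:
            facility, severity = decoded
            findings.append(
                (number, f"severity {severity} (facility {facility}), expected {expected_severity}"))
    return findings


# Constructed sample input: the message bodies are placeholders, not real device output.
SAMPLE = [
    "<129>constructed connection event body",      # 16*8 + 1: LOCAL0, ALERT
    "<134>constructed intrusion event body",       # 16*8 + 6: LOCAL0, INFO
    "constructed line with no PRI",
    "<999>constructed line with out-of-range PRI",
]

if __name__ == "__main__":
    for number, reason in audit(SAMPLE):
        print(f"line {number}: {reason}")
```

A mismatch is not necessarily a fault: the IPS and File and Malware overrides can set a different severity for those event types, so compare findings against the overrides configured in the policy.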

IPS Settings

  • Send Syslog messages for IPS events—Send IPS events as syslog messages. The defaults set above are used unless you override them.

  • Show/Hide Overrides—If you want to use the default syslog destination and severity, leave these options empty. Otherwise, you can set a different syslog server destination for IPS events, and change the severity of the events.

File and Malware Settings

  • Send Syslog messages for File and Malware events—Send file and malware events as syslog messages. The defaults set above are used unless you override them.

  • Show/Hide Overrides—If you want to use the default syslog destination and severity, leave these options empty. Otherwise, you can set a different syslog server destination for file and malware events, and change the severity of the events.