Guidelines for logging

Restrictions for IPv6 logging

  • IPv6 is supported. Syslog messages can be sent using TCP or UDP.

  • Ensure that the interface configured for sending syslogs is enabled, IPv6 capable, and the syslog server is reachable through the designated interface.

  • You cannot use IPv6 for secure logging.

Syslog server configuration guidelines

  • The syslog server must run a server program called syslogd. Windows includes a syslog server as part of its operating system.

  • The syslog server operates on the syslog-ng process of the firewall system. Do not use external configuration files, such as the scwx.conf file from SecureWorks. These files are not compatible with the device; using them causes parsing errors and the syslog-ng process fails.

  • You can configure up to 16 syslog servers.

  • Assign only one list or class to each syslog server and location.

  • Do not configure Cloud-Delivered Firewall Management Center as a primary syslog server. The Cloud-Delivered Firewall Management Center can log some syslogs. However, it does not have adequate storage provision to accommodate large amounts of information from connection events for every sensor, especially when multiple sensors are used and all send syslogs.

  • The syslog server should be reachable through the Firewall Threat Defense device. Configure the device to deny ICMP unreachable messages on the interface through which the syslog server is reachable, and to send syslogs to the same server. Enable logging for all severity levels. To prevent the syslog server from crashing, suppress the generation of syslogs 313001, 313004, and 313005.

  • To view logs generated by the Firewall Threat Defense device, you must specify a logging output destination. If you enable logging without specifying a logging output destination, the Firewall Threat Defense device generates messages but does not save them to a location from which you can view them. You must specify each different logging output destination separately.

  • The Firewall Threat Defense syslog supports one-way TLS for secure logging. It does not support client certificate authentication, trustpoint configuration for syslog, or mutual TLS (X.509 certificate authentication).

Interfaces for syslog configuration

  • Determining the egress interface for the syslog:

    • If the specified management-only interface has management-access enabled, the management center will perform route table lookups and determine the egress interface (could be data or management) based on best routing logic.

    • If you configure a management-only interface that does not have management-access enabled as the logging host, the management center will use that interface regardless of routing table entries.

      Thus, for the management center to always use a dedicated management path for syslog traffic, configure the management interface without management-access, and then specify the interface in the logging host:

      interface <management-interface>
      management-only          <----- do not include management-access
      logging host <management-interface> <syslog-server-ip>

  • When the syslog rate exceeds 50,000 messages per second, ensure that a data interface is used as the egress interface rather than a management interface.

  • Configure the data interface as the syslog source interface for production monitoring and auditing. Use the management interface only for temporary testing. This approach ensures optimal syslog reliability and prevents rate-limiting on the management interface.
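Two of the guidelines above are checkable from the receiving side: whether the suppressed message IDs 313001, 313004 and 313005 are still arriving, and whether the peak rate approaches the 50,000 messages-per-second point at which a data interface must be the egress interface. The following script is an added example (not code from the product documentation or from Cisco) that audits a batch of received syslog lines for both; it assumes the default "%FTD-<severity>-<message-id>:" prefix and a "Mon DD YYYY HH:MM:SS" timestamp at the start of each line, and the sample lines are constructed.

```python
"""Audit received Firewall Threat Defense syslog lines against the logging guidelines."""
import re
from collections import Counter
from datetime import datetime

# Message IDs the guidelines say to suppress so the syslog server is not overwhelmed.
SUPPRESSED_IDS = {"313001", "313004", "313005"}
# Above this rate the guidelines require a data interface as egress, not management.
RATE_THRESHOLD_PER_SEC = 50_000

# Matches the "%FTD-<severity>-<message-id>:" prefix of a threat defense syslog (assumed layout).
PREFIX = re.compile(r"%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):")
# Assumed timestamp layout at the start of the line, e.g. "Jan 05 2024 10:00:00".
TS = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")

def parse_line(line):
    """Return (timestamp or None, severity, message_id), or None for lines without the prefix."""
    m = PREFIX.search(line)
    if not m:
        return None
    t = TS.match(line)
    ts = datetime.strptime(t.group("ts"), "%b %d %Y %H:%M:%S") if t else None
    return ts, int(m.group("sev")), m.group("msgid")

def audit(lines):
    """Count message IDs, flag IDs that should have been suppressed, and find the peak per-second rate."""
    counts = Counter()
    per_second = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # non-syslog noise (partial lines, server banners) is skipped, not counted
        ts, _sev, msgid = parsed
        counts[msgid] += 1
        if ts is not None:
            per_second[ts] += 1
    peak = max(per_second.values(), default=0)
    return {
        "counts": dict(counts),
        "unsuppressed": sorted(SUPPRESSED_IDS & set(counts)),
        "peak_per_second": peak,
        "needs_data_interface": peak > RATE_THRESHOLD_PER_SEC,
    }

# Constructed sample lines (not real device output).
SAMPLE = [
    "Jan 05 2024 10:00:00 ftd-1 : %FTD-6-302013: Built inbound TCP connection 1 for outside:192.0.2.10/40000 to inside:10.0.0.5/443",
    "Jan 05 2024 10:00:00 ftd-1 : %FTD-3-313001: Denied ICMP type=8, code=0 from 192.0.2.10 on interface outside",
    "Jan 05 2024 10:00:01 ftd-1 : %FTD-6-302014: Teardown TCP connection 1 for outside:192.0.2.10/40000 to inside:10.0.0.5/443 duration 0:00:01 bytes 840",
    "not a syslog line",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty "unsuppressed" list means the 313001/313004/313005 suppression from the server guidelines is not in effect on the sending device.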

TCP and UDP connections for syslog

  • The number of UDP connections for syslog is directly related to the number of CPUs on the hardware platform and the number of syslog servers you configure. At any point in time, there can be as many UDP syslog connections as there are CPUs times the number of configured syslog servers. The global UDP connection idle timeout applies to these sessions, and the default duration is two minutes. You can adjust this setting to close sessions more quickly, but the timeout applies to all UDP connections, not just syslog. This is the intended behavior.

  • When the Firewall Threat Defense device sends syslogs via TCP, the connection takes about one minute to initiate after the syslogd service restarts.

  • When the TCP logging host goes down, it takes approximately six minutes for its connection status to change from Connected to Not connected. Logging relies on TCP to detect the channel state; until TCP detects the failure, logging continues to send the logs through the channel. During this time, the output of the show log command displays the TCP logging host as connected. Once the TCP channel is closed, the TCP logging host state is updated to Not connected.