Enable Logging Destinations

You must enable a logging destination to see messages at that destination. When enabling a destination, you must also specify the message filter for the destination.

Tip	If you are configuring devices to send syslog messages about security events (such as connection and intrusion events), most threat defense platform settings do not apply to these messages. See Threat Defense Platform Settings That Apply to Security Event Syslog Messages.

Procedure

Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Select Syslog > Logging Destinations.

Step 3

Click Add to enable a destination and apply a logging filter, or edit an existing destination.

Step 4

In the Logging Destinations dialog box, select a destination and configure the filter to use for a destination:

Choose the destination you are enabling in the Logging Destination drop-down list. You can create one filter per destination: Console, E-Mail, Internal buffer, SNMP trap, SSH Sessions, and Syslog servers.

Note

Console and SSH session logging works in the diagnostic CLI only. Enter system support diagnostic-cli .
In Event Class, choose the filter that will apply to all classes not listed in the table.
You can configure these filters:
- Filter on severity —Select the severity level. Messages at this level or higher are sent to the destination
- Use Event List —Select the event list that defines the filter. You create these lists on the Event Lists page.
- Disable Logging —Prevents messages from being sent to this destination.
If you want to create filters per event class, click Add to create a new filter, or edit an existing filter, and select the event class and severity level to limit messages in that class. Click OK to save the filter.

For an explanation of the event classes, see Syslog Message Classes.
Click OK .

Step 5

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.