Enable Advanced Logging

Configure the Firewall Threat Defense device to generate Snort 3 inspector logs that include application-specific and protocol-specific data, and send these logs to an event management solution for analysis.

Caution

Advanced logging can degrade performance if it is enabled without filters in the access control rules. Use the networks and ports in the access control rules to restrict logging to the specific traffic types you need, which reduces the volume of logged traffic.

Before you begin

  • Ensure that connection logging is enabled in your access control policy.

  • Ensure that you have configured the logging destination, such as Splunk or the local syslog server, to which you want to send the logs.

Procedure


Step 1

Choose Policies > Access Control heading > Access Control.

Step 2

Click Edit (edit icon) next to the access control policy that you want to edit.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 3

In the access control policy editor, select Advanced Settings from the More drop-down menu at the end of the packet flow line.

Step 4

Click Edit (edit icon) next to Advanced Logging.

Step 5

Check the Enable advanced logging check box to enable logging.

Step 6

Choose the log file format. By default, JSON format is selected.

Step 7

You can send event logs to the default logging destination configured in the access control policy's logging settings, or to one or more of the following destinations:

  • All Splunk profiles
  • Syslog

Note

  • If you choose to send event logs to the default logging destination configured in the access control policy, note that advanced logging does not support the syslog server configured in the platform settings. You must configure a syslog alert server as the default logging destination.

  • If you choose the All Splunk profiles option, advanced logs are sent to all Splunk profiles configured for the Firewall Threat Defense device.

  • Advanced logging does not support Splunk profiles that send events over data interfaces. To send events to Splunk, configure the Splunk profiles to use the management interface.

Caution

Sending advanced logging syslog messages to multiple destinations might impact the device's performance.

Step 8

Click Save.

Step 9

Click Save to save the policy.


What to do next

Deploy configuration changes.
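Once the policy is deployed, the JSON-format inspector events arrive at the syslog or Splunk destination and have to be parsed before they are useful. The script below is an added example, not code from the Cisco documentation: it parses syslog lines that carry a JSON body, drops lines whose framing or JSON is malformed instead of failing the whole batch, and counts events per application and destination port. The syslog framing, the SNORT3 tag, and the JSON field names (event_type, app_name, src_ip, dst_ip, dst_port) are assumptions for illustration only; the page does not show the inspector log schema. The sample lines are constructed.

```python
"""Parse Snort 3 advanced-logging events delivered over syslog as JSON.

Added example, not code from the Cisco documentation. The syslog framing,
the SNORT3 tag and the JSON field names are assumptions; the real inspector
schema is not shown on the page. Sample lines below are constructed.
"""
import json
import re
from collections import Counter

# Constructed sample: RFC 3164-style syslog lines carrying a JSON body.
# Line 3 is deliberately truncated to exercise the malformed-JSON path.
SAMPLE_SYSLOG = """\
<134>Jan 10 12:00:01 ftd1 SNORT3: {"event_type":"http","app_name":"HTTP","src_ip":"10.0.0.5","dst_ip":"198.51.100.7","dst_port":80,"method":"GET"}
<134>Jan 10 12:00:02 ftd1 SNORT3: {"event_type":"dns","app_name":"DNS","src_ip":"10.0.0.5","dst_ip":"10.0.0.53","dst_port":53,"query":"example.com"}
<134>Jan 10 12:00:03 ftd1 SNORT3: {"event_type":"http","app_name":"HTTP","src_ip":"10.0.0.9","dst_ip":"198.51.100.7","dst_port":443
<134>Jan 10 12:00:04 ftd1 SNORT3: {"event_type":"ssl","app_name":"HTTPS","src_ip":"10.0.0.9","dst_ip":"198.51.100.7","dst_port":443,"sni":"example.com"}
"""

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # PRI = facility*8 + severity
    r"(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "     # e.g. "Jan 10 12:00:01"
    r"(?P<host>\S+) "                                 # sending device
    r"(?P<tag>[^:]+): "                               # program tag (assumed SNORT3)
    r"(?P<body>.*)$"                                  # JSON event
)


def parse_line(line):
    """Return (record, error). record is None when the line is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None, "syslog framing"
    pri = int(m.group("pri"))
    try:
        event = json.loads(m.group("body"))
    except json.JSONDecodeError as exc:
        return None, f"json: {exc.msg}"
    if not isinstance(event, dict):
        return None, "json body is not an object"
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "event": event,
    }, None


def summarize(text):
    """Parse every line; count events per (app_name, dst_port) and collect errors."""
    counts = Counter()
    errors = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec, err = parse_line(line)
        if err:
            errors.append((lineno, err))   # keep going; one bad line must not stop ingestion
            continue
        ev = rec["event"]
        counts[(ev.get("app_name", "?"), ev.get("dst_port"))] += 1
    return counts, errors


if __name__ == "__main__":
    counts, errors = summarize(SAMPLE_SYSLOG)
    for key, n in sorted(counts.items(), key=str):
        print(key, n)
    for lineno, err in errors:
        print(f"line {lineno}: dropped ({err})")
```

Counting by application and port is also a quick way to see which traffic dominates the feed; if one application accounts for most of the volume, tighten the networks and ports in the access control rules that have advanced logging enabled, as the caution above recommends.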