Configure a Syslog Server

To configure a syslog server to handle messages generated from your system, perform the following steps.

If you want this syslog server to receive security events such as connection and intrusion events, see also Threat Defense Platform Settings That Apply to Security Event Syslog Messages.

Note

In 7.4 and later, the Management and Diagnostic interfaces are merged. If Platform Settings for syslog servers or SNMP hosts specify the Diagnostic interface by name, then you must use separate Platform Settings policies for merged and unmerged devices (7.3 and earlier, and some upgraded 7.4 threat defenses).

Before you begin

  • See requirements in Guidelines for Logging.

  • Make sure your devices can reach your syslog collector on the network.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Select Syslog > Syslog Server.

Step 3

Check the Allow user traffic to pass when TCP syslog server is down (Recommended) check box to allow traffic to pass if any syslog server that uses the TCP protocol is down.

Note
  • This option is enabled by default. Unless required, we recommend that you allow connections through the threat defense device when the external TCP syslog server is unreachable by the device.

  • When the Allow user traffic to pass when TCP syslog server is down option is disabled in management center version 6.2.x or earlier, it remains disabled even after upgrading to version 6.3 or later. Ensure that you manually enable it.

  • With this option disabled, and when more than one TCP syslog server is configured on the device, user traffic is allowed to pass if at least one of the servers is reachable by the threat defense device. Thus, the disabled option takes effect only when none of the TCP syslog servers configured on the device are reachable. The device generates the following syslog message, which describes the root cause of the traffic being denied through the device:

    %FTD-3-414003: TCP Syslog Server intf : IP_Address /port not responding. New connections are denied based on logging permit-hostdown policy

Step 4

In the Message queue size (messages) field, enter the size of the queue for storing syslog messages on the security appliance when the syslog server is busy. The minimum is 1 message. The default is 512. Specify 0 to allow an unlimited number of messages to be queued (subject to available block memory).

When the number of messages exceeds the configured queue size, the excess messages are dropped, resulting in missing syslog messages. To determine the ideal queue size, you need to identify the available block memory. Use the show blocks command to view the current memory utilization. For more information on the command and its attributes, see Cisco Secure Firewall ASA Series Command Reference Guide. For further assistance, contact Cisco TAC.

Step 5

Click Add to add a new syslog server.

  1. In the IP Address drop-down list, select a network host object that contains the IP address of the syslog server.

  2. Choose the protocol (either TCP or UDP) and enter the port number for communications between the threat defense device and the syslog server.

    UDP is faster and uses fewer resources on the device than TCP.

    The default port for UDP is 514. You must manually configure port 1470 for TCP. Valid non-default port values for either protocol are 1025 through 65535.

  3. Check the Log messages in Cisco EMBLEM format (UDP only) check box to specify whether to log messages in Cisco EMBLEM format (available only if UDP is selected as the protocol).

    Note

    Syslog messages in RFC5424 format typically display the priority value (PRI). However, for threat defense devices managed by the management center, the PRI value is included in the syslog messages only when you enable logging in Cisco EMBLEM format. For more information on PRI, see RFC5424.

  4. Check the Enable Secure Syslog check box to encrypt the connection between the device and server using SSL/TLS over TCP.

    Note

    You must select TCP as the protocol, with a port value between 1025 and 65535, to use this option. You must also upload the certificate required to communicate with the syslog server on the Devices > Certificates page. Finally, upload the certificate from the threat defense device to the syslog server to complete the secure relationship and allow it to decrypt the traffic. The Enable Secure Syslog option is not supported on the device Management interface.

  5. Select Device Management Interface or Security Zones or Named Interfaces to communicate with the syslog server.

    • Device Management Interface: Send syslogs out of the Management interface. We recommend that you use this option when configuring syslog on Snort events.

      Note

      The Device Management Interface option does not support the Enable Secure Syslog option.

    • Security Zones or Named Interfaces: Select the interfaces from the list of Available Zones and click Add. You can also add virtual-router-aware interfaces.

      Important

      The threat defense data plane (Lina) syslog messages cannot be sent out through the diagnostic interface. Configure other interfaces or the Management interface (Br1/Management0) to send out the data plane syslog messages.

  6. Click OK.
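The following is an added collector-side example, not part of this guide or of any Cisco software, covering two points above: decoding the RFC5424 PRI value that appears only when EMBLEM format is enabled (Step 5, substep 3), and detecting the %FTD-3-414003 message that the device emits when a TCP syslog server is unreachable (Step 3 note). The sample lines, the interface name "outside", and the address 192.0.2.10 are constructed; the facility value local4 (20) is assumed.

```python
import re

# Constructed sample lines in the shape a collector would receive from a threat
# defense device; they are illustrative, not captured output. The first two carry an
# RFC 5424 PRI (facility local4 = 20 assumed, so PRI = 20*8 + severity); the third
# has no PRI, which is what you see when EMBLEM format is not enabled.
SAMPLE_LINES = [
    "<163>%FTD-3-414003: TCP Syslog Server outside : 192.0.2.10 /1470 not responding. "
    "New connections are denied based on logging permit-hostdown policy",
    "<166>%FTD-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.5/443 "
    "(198.51.100.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "%FTD-6-302014: Teardown TCP connection 4711 for outside:198.51.100.5/443 to "
    "inside:10.0.0.5/51234 duration 0:00:01 bytes 2048 TCP FINs",
]

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
MSG_ID_RE = re.compile(r"%FTD-(\d)-(\d{6}):")
# Tolerates the spacing variations around ":" and "/" shown in the documented message.
HOSTDOWN_RE = re.compile(
    r"%FTD-3-414003: TCP Syslog Server (\S+) ?: ?(\S+) ?/ ?(\d+) not responding")


def decode_pri(pri: int) -> tuple[int, str]:
    """Split an RFC 5424 PRI value into (facility number, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, SEVERITIES[pri % 8]


def parse_line(line: str) -> dict:
    """Extract the PRI (if present), the message ID, its level, and any 414003 details."""
    rec = {"facility": None, "severity": None, "msg_id": None, "level": None, "hostdown": None}
    pri = PRI_RE.match(line)
    if pri:
        rec["facility"], rec["severity"] = decode_pri(int(pri.group(1)))
    mid = MSG_ID_RE.search(line)
    if mid:
        rec["level"], rec["msg_id"] = int(mid.group(1)), mid.group(2)
    hd = HOSTDOWN_RE.search(line)
    if hd:
        rec["hostdown"] = {"interface": hd.group(1), "server": hd.group(2), "port": int(hd.group(3))}
    return rec


def unreachable_tcp_servers(lines: list[str]) -> list[dict]:
    """Return every TCP syslog server the device reported as unreachable (414003)."""
    return [rec["hostdown"] for rec in map(parse_line, lines) if rec["hostdown"]]


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec)
    print(unreachable_tcp_servers(SAMPLE_LINES))
```

A 414003 hit is worth alerting on from the collector: with the Step 3 option disabled, it means the device is also denying new user connections, not just losing logs.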

Step 6

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.


What to do next

  • Deploy configuration changes.