Configure Syslog Settings

You can configure general syslog settings to set the facility code to be included in syslog messages that are sent to syslog servers, specify whether a timestamp is included in each message, specify the device ID to include in messages, view and modify the severity levels for messages, and disable the generation of specific messages.

If you are configuring devices to send syslog messages about security events (such as connection and intrusion events), some settings on this page do not apply to these messages. See Threat Defense Platform Settings That Apply to Security Event Syslog Messages in the Cisco Secure Firewall Management Center Administration Guide.

Procedure

Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Select Syslog > Syslog Settings.

Step 3

Select a system log facility for syslog servers to use as a basis to file messages in the Facility drop-down list.

The default is LOCAL4(20), which is what most UNIX systems expect. However, because your network devices share available facilities, you might need to change this value for system logs.

Facility values are not typically relevant for security events.

Step 4

Select the Enable timestamp on each syslog message check box to include the date and time a message was generated in the syslog message.

Step 5

Select the Timestamp Format for the syslog message:

  • The Legacy (MMM dd yyyy HH:mm:ss) format is the default format for syslog messages.

    When this timestamp format is selected, the messages do not indicate the time zone, which is always UTC.

  • RFC 5424 (yyyy-MM-ddTHH:mm:ssZ) uses the ISO 8601 timestamp format as specified in the RFC 5424 syslog format.

    If you select the RFC 5424 format, a “Z” is appended to the end of each timestamp to indicate that the timestamp uses the UTC time zone.

Step 6

If you want to add a device identifier to syslog messages (which is placed at the beginning of the message), check the Enable Syslog Device ID check box and then select the type of ID.

  • Interface—To use the IP address of the selected interface, regardless of the interface through which the appliance sends the message. Select the security zone that identifies the interface. The zone must map to a single interface.
  • User Defined ID—To use a text string (up to 16 characters) of your choice.
  • Host Name—To use the hostname of the device.

Step 7

Use the Syslog Message table to alter the default settings for specific syslog messages. You need to configure rules in this table only if you want to change the default settings. You can change the severity assigned to a message, or you can disable the generation of a message.

By default, Netflow is enabled and the entries are shown in the table.

  1. To suppress syslog messages that are redundant because of Netflow, select Netflow Equivalent Syslogs.

    This adds the messages to the table as suppressed messages.

    Note

    If any of these syslog equivalents are already in the table, your existing rules are not overwritten.

  2. To add a rule, click Add.

  3. You select the message number whose configuration you want to change, from the Syslog ID drop down list and then select the new severity level from the Logging Level drop down list, or select Suppressed to disable the generation of the message. Typically, you would not change the severity level and disable the message, but you can make changes to both fields if desired.

  4. Click OK to add the rule to the table.

Step 8

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.

What to do next

  • Deploy configuration changes.