Configure syslog alerting for intrusion events

Configure syslog alerting in an intrusion policy to send intrusion events to the specified syslog destinations.

After you enable syslog alerting in an intrusion policy, the system sends all intrusion events to the syslog, either on the managed device itself or to external hosts. If you specify an external host, syslog alerts are sent from the managed device.

Note

External alerting for intrusion events using syslog at the intrusion policy level is supported on Firewall Threat Defense devices running the Snort 2 inspection engine. For devices running Snort 3, the syslog destination is inherited from the logging settings in the access control policy.

Procedure

Step 1

Choose Policies > Security policies > Intrusion and click Snort 2 Version.

Step 2

In the intrusion policy editor's navigation pane, click Advanced Settings.

Step 3

Enable Syslog Alerting, then click Edit next to Syslog Alerting.

A message appears at the bottom of the page, identifying the intrusion policy layer that contains the configuration.

The Syslog Alerting page is added under Advanced Settings.

Step 4

Enter the IP addresses of the Logging Hosts where you want to send syslog alerts.

If you leave this field blank, the logging hosts are taken from the logging settings in the associated access control policy.

Step 5

Choose the Facility and Severity levels as described in Facility and severity values for intrusion syslog alerts.

Step 6

To save changes you made in this policy since the last policy commit, choose Policy Information, then click Commit Changes.

If you leave the policy editor without committing, unsaved changes are discarded when you edit a different policy.
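Once alerts start arriving, the receiving host should see every intrusion event tagged with the Facility and Severity chosen in Step 5; a mismatch usually means a message was routed by a different policy's logging settings or passed through a relay that rewrote the header. The following script is an added example, not part of this Cisco document: it decodes the syslog PRI header on received lines and flags lines that do not carry the expected facility.severity pair. The choice of local4 and alert, and the snort-style message bodies, are constructed assumptions for the demonstration.

```python
import re

# Standard syslog facility and severity names, in RFC 5424 numeric order.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def decode_pri(line):
    """Split a syslog line into (facility_name, severity_name, remainder).
    PRI = facility * 8 + severity; returns None if no valid <PRI> header."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)

def check_alerts(lines, expected_facility, expected_severity):
    """Return (line_no, reason) for lines that are malformed or arrived with a
    facility/severity other than the pair configured in the intrusion policy."""
    problems = []
    for n, line in enumerate(lines, 1):
        decoded = decode_pri(line)
        if decoded is None:
            problems.append((n, "missing or invalid <PRI> header"))
            continue
        facility, severity, _ = decoded
        if facility != expected_facility or severity != expected_severity:
            problems.append((n, f"got {facility}.{severity}, expected {expected_facility}.{expected_severity}"))
    return problems

# Constructed sample lines, not real device output. PRI 161 = local4.alert (20*8+1),
# PRI 134 = local0.info (16*8+6), and the third line has no PRI header at all.
SAMPLE_LINES = [
    "<161>Jan 10 12:00:01 ftd-1 snort[1234]: [1:1000001:1] constructed test rule {TCP} 10.0.0.5:4444 -> 10.0.0.9:80",
    "<134>Jan 10 12:00:02 ftd-1 snort[1234]: [1:1000002:1] constructed test rule {UDP} 10.0.0.5:53 -> 10.0.0.9:53",
    "Jan 10 12:00:03 ftd-1 snort[1234]: [1:1000003:1] constructed test rule {ICMP} 10.0.0.5 -> 10.0.0.9",
]

if __name__ == "__main__":
    for n, reason in check_alerts(SAMPLE_LINES, "local4", "alert"):
        print(f"line {n}: {reason}")
```

Point the script at the lines your syslog collector actually stores, with the facility and severity you selected in Step 5, to confirm the collector's routing filters match the policy.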

What to do next

  • Deploy configuration changes.