Enable Logging and Configure Basic Settings

Enable logging and configure the basic settings for the system to generate syslog messages for data plane events. You can also set up archiving on flash or an FTP server as a storage location when the local buffer becomes full. You can manipulate logging data after it is saved. For example, you could specify actions to be executed when certain types of syslog messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script.

The following procedure explains some of the basic syslog settings.

Tip

If you are configuring devices to send syslog messages about security events (such as connection and intrusion events), most threat defense platform settings do not apply to these messages. See Threat Defense Platform Settings That Apply to Security Event Syslog Messages.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Select Syslog > Logging Setup.

Step 3

Enable logging and configure basic logging settings.

  • Enable Logging—Turns on the data plane system logging for the threat defense device.
  • Enable Logging on the Failover Standby Unit—Turns on logging for the standby for the threat defense device, if available.
  • Send syslogs in EMBLEM format—Enables EMBLEM format logging for every logging destination. If you enable EMBLEM, you must use the UDP protocol to publish syslog messages; EMBLEM is not compatible with TCP.
    Note

    Syslog messages in RFC 5424 format normally carry the priority value (PRI) as a numeric prefix. For a threat defense device managed by the management center, the PRI value is included in the syslog messages only when the EMBLEM format is enabled, so enable EMBLEM if your collector depends on PRI to derive the facility and severity. For more information on PRI, see RFC 5424.

  • Send debug messages as syslogs—Redirects all debug trace output to syslog as message 711001, which is generated at the debugging level by default. When this option is enabled, the debug output no longer appears on the console. To see debug messages on the console, you must enable console logging and configure the console as a destination that includes message 711001 at the debugging level.
  • Memory Size of Internal Buffer—Specify the size, in bytes, of the internal buffer to which syslog messages are saved when buffered logging is enabled. When the buffer fills, its contents are overwritten; to keep them, archive the buffer to an FTP server or to flash (Steps 5 and 6) before it wraps. The default is 4096 bytes. The range is 4096 to 52428800 bytes.

Step 4

(Optional) Configure syslog message logging to the management center.

  1. Click the All Logs radio button to log all troubleshooting syslog messages at the selected severity level or more severe, or click the VPN Logs radio button to log only the VPN troubleshooting messages at the selected severity level or more severe.

  2. Choose the syslog severity level for the logging messages from the Logging Level drop-down list.

    • The logging level for All Logs is critical by default. For All Logs you can choose only the critical, alerts, or emergencies levels; less severe messages are not sent to the management center from this setting.

    • The logging level for the VPN messages is set to errors by default.

      VPN troubleshooting syslogs can add excessive load on the management center, so enable this option with caution. Also, when you configure a device with site-to-site or remote access VPN, sending VPN syslogs to the management center is enabled automatically. We recommend that you limit the logging level to errors or more severe to restrict the flow of syslogs to the management center, especially for RA VPN deployments, where multiple devices are involved.

    For information on the levels, see Severity Levels.
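
The severity levels selected in Step 4, the PRI note under EMBLEM in Step 3, and the debug message 711001 all matter to whatever collects these messages. The following Python script is an added illustration, not Cisco documentation or code: it parses constructed sample lines in the two shapes a threat defense device can emit (with a <PRI> prefix when EMBLEM is enabled, without one otherwise), recovers the severity either from PRI or from the digit in the %FTD-<severity>-<id> tag, cross-checks the two when both are present, and applies a logging-level threshold the way a destination's level does. The hostname, timestamps and message text are constructed; the message IDs 710003, 302013 and 711001 are real Cisco message IDs, and the level names are the ones the platform settings UI uses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names as listed in the platform settings UI, with their RFC 5424 codes.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# "<PRI>" prefix (present only when EMBLEM format is enabled) and the
# Cisco message tag "%FTD-<severity>-<6-digit id>:" (ASA builds use "%ASA-").
PRI_RE = re.compile(r"^<(\d{1,3})>")
MSG_RE = re.compile(r"%(?:FTD|ASA)-(\d)-(\d{6}):\s*(.*)$")


@dataclass
class SyslogRecord:
    facility: Optional[int]  # known only when a PRI prefix is present
    severity: int            # 0 (emergencies) .. 7 (debugging)
    msg_id: str
    text: str


def parse_record(line: str) -> SyslogRecord:
    """Parse one data plane syslog line.

    With EMBLEM on, facility = PRI // 8 and severity = PRI % 8. Without EMBLEM
    there is no PRI, but the severity is still recoverable from the digit in
    the %FTD-<sev>-<id> tag, so collectors should not rely on PRI alone.
    """
    facility = None
    pri_sev = None
    pri_m = PRI_RE.match(line)
    if pri_m:
        pri = int(pri_m.group(1))
        if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
            raise ValueError(f"PRI out of range: {pri}")
        facility, pri_sev = divmod(pri, 8)
    msg_m = MSG_RE.search(line)
    if not msg_m:
        raise ValueError(f"no %FTD-/%ASA- message tag in: {line!r}")
    tag_sev = int(msg_m.group(1))
    if pri_sev is not None and pri_sev != tag_sev:
        raise ValueError(f"PRI severity {pri_sev} disagrees with tag severity {tag_sev}")
    return SyslogRecord(facility, tag_sev, msg_m.group(2), msg_m.group(3))


def passes_level(rec: SyslogRecord, level: str) -> bool:
    """Emulate a destination logging level: keep messages at that level or more severe."""
    return rec.severity <= SEVERITY[level]


def filter_msg_ids(lines: List[str], level: str) -> List[str]:
    """Return the message IDs that a destination set to `level` would receive."""
    return [r.msg_id for r in map(parse_record, lines) if passes_level(r, level)]


# Constructed sample lines (hostname, timestamps and addresses are made up).
SAMPLE_LINES = [
    # EMBLEM on: PRI 163 = facility 20 (local4), severity 3 (errors)
    "<163>Mar 01 2024 12:00:01 ftd1 : %FTD-3-710003: TCP access denied by ACL "
    "from 203.0.113.5/4412 to outside:192.0.2.10/22",
    # EMBLEM off: no PRI prefix, severity only in the tag (6 = informational)
    "Mar 01 2024 12:00:02 ftd1 : %FTD-6-302013: Built inbound TCP connection 1234 "
    "for outside:203.0.113.5/4412 (203.0.113.5/4412) to inside:10.0.0.5/443 (192.0.2.10/443)",
    # The debug-trace message from Step 3, at its default debugging level (7)
    "<167>Mar 01 2024 12:00:03 ftd1 : %FTD-7-711001: debug trace output line",
]

if __name__ == "__main__":
    for level in ("critical", "errors", "debugging"):
        print(f"{level:>10}: {filter_msg_ids(SAMPLE_LINES, level)}")
```

Run stand-alone, the script shows that a destination set to errors receives only 710003, one set to critical receives nothing from this sample, and only the debugging level lets the 711001 debug-trace messages through, which is the volume trade-off the Step 4 recommendation is about.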

Step 5

(Optional) Configure an FTP server if you want to save the log buffer contents to the server before the buffer is overwritten, and specify the FTP server information. Because FTP sends the credentials and the archived buffer in cleartext, reach the FTP server only over a protected management network.

  • FTP Server Buffer Wrap—To save the buffer contents to the FTP server before it is overwritten, check this box and enter the necessary destination information in the following fields. To remove the FTP configuration, deselect this option.
  • IP Address—Select the host network object that contains the IP address of the FTP server.
  • User Name—Enter the username to use when connecting to the FTP server.
  • Path—Enter the path, relative to the FTP root, where the buffer contents should be saved.
  • Password/Confirm—Enter and confirm the password used to authenticate the username to the FTP server.

Step 6

(Optional) Specify the flash allocation if you want to save the log buffer contents to flash before the buffer is overwritten.

  • Flash—To save the buffer contents to the flash memory before it is overwritten, check this box.
  • Maximum flash to be used by logging (KB)—Specify the maximum space, in kilobytes, that logging may use in flash memory. The range is 4 to 8044176 KB.
  • Minimum free space to be preserved (KB)—Specify the minimum free space, in kilobytes, that must remain in flash memory. The range is 0 to 8044176 KB. Logging stops writing to flash rather than consume this reserved space.

Step 7

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them. After deployment, you can confirm the resulting logging settings from the threat defense CLI with show running-config and show logging.