Configure Logging Settings

This procedure describes how to enable logging of diagnostic (data) messages, file and malware events, intrusion events, and console events. Connection events are not logged as a result of these settings; they are logged if connection logging is configured on access rules, security intelligence policies, or SSL decryption rules.

Procedure

Step 1

Open an FDM-managed device's settings.

Step 2

On the System Settings page click Logging in the settings menu.

Step 3

Data logging. Slide the Data Logging slider to On to capture diagnostic (data) syslog messages. Click the plus button to specify the syslog server object that represents the syslog server you want to send the events to. (You can also create a syslog server object at this point.) Additionally, select the minimum level of event severity you want to log.

This sends data logging events for every type of syslog message, at your chosen minimum severity level or more severe, to the syslog server.

Note

Cisco Defense Orchestrator doesn't currently support creating a Custom Logging Filter for Data Logging. For finer control of which messages you send to the syslog server, we recommend you define this setting on the FDM-managed device itself. To do so, log on to the FDM-managed device and navigate to System Settings > Logging Settings.

Tip

Do not enable data logging if you are a Cisco Security Analytics and Logging customer unless you forward the data logging events to a syslog server other than the Secure Event Connector. Data events (diagnostic events) are not traffic events. Sending the data events to a different syslog server spares the SEC from having to analyze and filter them out.

Step 4

File/Malware Log Settings. Slide the slider to On to capture file and malware events. Specify the syslog server object that represents the syslog server that you want to send the events to. You can also create a syslog server object at this point if you have not already.

File and malware events are generated at the same severity level. The minimum level of event severity you select will be assigned to all file and malware events.

File and malware events are reported when a file or malware policy in any access control rule has been triggered. This is not the same as a connection event. Note that the syslog settings for file and malware events are relevant only if you apply file or malware policies, which require the and Malware licenses.

For Cisco Security Analytics and Logging subscribers:

  • If you send events to the Cisco cloud through a Secure Event Connector (SEC), specify an SEC as your syslog server. You will then be able to see these events alongside file policy and malware policy connection events.

  • If you send events directly to the Cisco cloud without an SEC, you do not need to enable this setting. File and malware events are sent if the access control rule is configured to send connection events.

Step 5

Intrusion Logging. Send intrusion events to a syslog server by specifying the syslog server object that represents the syslog server you want to send events to. You can also create a syslog server object at this point if you have not already.

Intrusion events are reported when an intrusion policy in any access control rule has been triggered. This is not the same as a connection event. Note that the syslog settings for intrusion events are relevant only if you apply intrusion policies, which require the license.

For Cisco Security Analytics and Logging subscribers:

  • If you send events to the Cisco cloud through a Secure Event Connector (SEC), specify an SEC as your syslog server. You will then be able to see these events alongside file policy and malware policy connection events.

  • If you send events directly to the Cisco cloud without an SEC, you do not need to enable this setting. Intrusion events are sent to the Cisco cloud if the access control rule is configured to send connection events.
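The decisions that Steps 3 to 5 describe (a minimum severity for diagnostic messages, separate destinations for file, malware and intrusion events, and connection events left to access-rule logging) can be modeled on the receiving side. The script below is an added example and is not code from Cisco, from Cisco Defense Orchestrator or from this page. It assumes the FTD syslog header layout %FTD-<severity>-<message id>: and assumes the 4300xx message ids for Snort-generated events; both are assumptions about the device's output, the numeric severity scale is the standard syslog one, and the sample lines are constructed.

```python
import re

# Standard syslog severities (numeric codes 0-7). The "minimum severity" selector
# in the logging settings maps onto this scale: picking a level forwards that level
# and every more severe level (lower number) and drops anything less severe.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Assumption: messages use the FTD/ASA header layout "%FTD-<severity>-<message id>:".
HEADER = re.compile(r"^%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Assumption: the Snort-generated 4300xx message family carries the event types this
# page configures; every other message id is treated as diagnostic (data) logging.
EVENT_CLASS = {
    "430001": "intrusion",
    "430002": "connection",   # governed by access-rule logging, not these settings
    "430003": "connection",
    "430004": "file",
    "430005": "malware",
}


def parse(line):
    """Split one syslog line into severity, message id, class and body; None if no header."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    msgid = m.group("msgid")
    return {
        "sev": int(m.group("sev")),
        "msgid": msgid,
        "cls": EVENT_CLASS.get(msgid, "diagnostic"),
        "text": m.group("text"),
    }


def route(lines, min_severity):
    """Model the settings: diagnostic messages at or above min_severity go to the
    data-logging server, file/malware/intrusion events go to the event server, and
    connection events (plus unparseable lines) are not forwarded by these settings."""
    threshold = SEVERITY[min_severity]
    out = {"data_logging": [], "events": [], "not_forwarded": []}
    for line in lines:
        rec = parse(line)
        if rec is None:
            out["not_forwarded"].append("unparsed")
        elif rec["cls"] == "diagnostic":
            bucket = "data_logging" if rec["sev"] <= threshold else "not_forwarded"
            out[bucket].append(rec["msgid"])
        elif rec["cls"] == "connection":
            out["not_forwarded"].append(rec["msgid"])
        else:
            out["events"].append(rec["msgid"])
    return out


# Constructed sample lines: the ids follow FTD numbering, the bodies are made up.
SAMPLE_LINES = [
    "%FTD-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/443 to inside:10.0.0.4/51234",
    "%FTD-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.4/22 by access-group inside_access",
    "%FTD-7-111009: User 'admin' executed cmd: show console-output",
    "%FTD-1-430001: EventPriority: High, Classification: Attempted Administrator Privilege Gain",
    "%FTD-5-430004: FileName: invoice.pdf, FileAction: Malware Cloud Lookup, SHA_Disposition: Clean",
    "%FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.0.4, DstIP: 203.0.113.5",
    "Mar  3 12:00:00 ftd1 not a structured message",
]

if __name__ == "__main__":
    # With the minimum set to "warnings", only the severity-4 deny message is data
    # logging; the intrusion and file events go to the event server regardless.
    for name, ids in route(SAMPLE_LINES, "warnings").items():
        print(f"{name:14s} {ids}")
```

Running it with "warnings" shows why the Tip above matters: the severity-6 connection build and the severity-7 command audit never reach the data-logging server, while the Snort events are forwarded independently of that threshold. Raising the minimum to "debugging" forwards all three diagnostic lines, which is the volume you would be pushing onto the SEC if both settings pointed at it.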

Step 6

Console Filter. Slide the slider to On to send data logging (diagnostic logging) events to a console rather than to a syslog server. Additionally, select the minimum level of event severity you want to log. This sends a data logging event for every type of syslog message at your chosen minimum severity level or more severe.

You will see these messages when you log into the CLI on the console port of your FDM-managed device. You can also see these logs in an SSH session to other FDM-managed device interfaces (including the management interface) by using the show console-output command. In addition, you can see these messages in real time in the diagnostic CLI by entering system support diagnostic-cli from the main CLI.

Step 7

Click Save.

Step 8

Review and deploy the changes you made now, or wait and deploy multiple changes at once.