Configure and Verify Syslog in Firepower Device Manager

Available Languages

Download Options

  • PDF     (1.3 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.4 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.3 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 18, 2024
Document ID:220231

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.


    Introduction

    This document describes how to configure Syslog within the Firepower Device Manager (FDM).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Firepower Threat Defense
    • Syslog Server running Syslog Software to collect data

    Configurations

    Step 1. From the Main Firepower Device Manager screen, select the Logging Settings under the System Settings in the lower right corner of the screen.

    Captura de Pantalla 2022-08-18 a la(s) 3.25.53 p.m.

                 

    Step 2. On the System Settings screen, select the Logging Settings in the left menu.

    Captura de Pantalla 2022-08-18 a la(s) 4.54.23 p.m.

    Step 3. Set the Data Logging toggle switch, select the + sign under Syslog Servers.

    Step 4. Select Add Syslog Server. Alternatively, you can create the Syslog Server object in Objects - Syslog Servers.

    Captura de Pantalla 2022-08-18 a la(s) 3.34.40 p.m.

    Step 5. Enter the IP address of your Syslog Server and port number. Select the radio button for Data Interface and click OK.

    Captura de Pantalla 2022-08-19 a la(s) 11.29.01 a.m.

    Step 6. Select the new Syslog server and click OK.

    Captura de Pantalla 2022-08-19 a la(s) 11.37.09 a.m.


    Step 7. Select the Severity level to filter with the all events radio button and select your desired logging level.

    Captura de Pantalla 2022-08-19 a la(s) 12.11.23 p.m.


    Step 8. Click Save at the bottom of the screen.

    samsala_4-1658337612881


    Step 9. Verify the settings were successful.

    samsala_5-1658337625577


    Step 10. Deploy the new settings.


    Captura de Pantalla 2022-08-18 a la(s) 5.03.15 p.m.

    And

    Captura de Pantalla 2022-08-18 a la(s) 5.16.49 p.m.

    OPTIONAL.

    Additionally, the Access Control Policy access control rules can be set to log into the Syslog server:


    Step 1. Click Policies at the top of the screen.

    Captura de Pantalla 2022-08-18 a la(s) 5.04.20 p.m.


    Step 2. Hover over the right side of the ACP rule to add logging and select the pencil icon.

    Captura de Pantalla 2022-08-18 a la(s) 5.05.32 p.m.


    Step 3. Select the Logging tab, Select the radio button for At End of Connection, Select the drop-down arrow under Select a Syslog Alert Configuration, select the Syslog Server and click OK.

    Captura de Pantalla 2022-08-19 a la(s) 11.39.32 a.m.


    Step 4. Deploy the configuration changes.

    Verify

    Step 1. After the task completes, verify the settings in the FTD CLI Clish Mode with the show running-config logging command.

    Captura de Pantalla 2022-08-19 a la(s) 11.43.59 a.m.

    Step 2. Navigate to the Syslog server and verify that the Syslog server application accepts the Syslog messages.

    Captura de Pantalla 2022-08-19 a la(s) 11.44.59 a.m.

    Troubleshoot

    Step 1. If the Syslog messages on the Syslog application produce any messages, perform a packet capture from the FTD CLI to check for packets. Enter the system support diagnostic-cli command at the clish prompt to change from Clish mode to Lina.

    Captura de Pantalla 2022-08-18 a la(s) 5.57.40 p.m.

    Step 2. Create one packet capture for your udp 514 (or tcp 1468 if you used tcp) 

    Step 3. Verify that the communication gets to the network interface card on the Syslog Server. Use Wireshark or another packet that captures the utility loaded. Double-click the interface in Wireshark for the Syslog Server to start packet capture.

    Captura de Pantalla 2022-08-19 a la(s) 11.58.36 a.m.

    Step 4. Set a display filter in the top bar for udp 514; type udp.port==514 and select the arrow to the right of the bar. From the output, verify that the packets can make it to the Syslog Server.

    Captura de Pantalla 2022-08-19 a la(s) 12.01.23 p.m.

    Step 5. If the Syslog Server Application does not show the data, troubleshoot the setting within the Syslog Server application. Make sure that the correct protocol is used, udp/tcp and the correct port, 514/1468.

    Related Information

    Revision History

    Revision Publish Date Comments
    3.0
    18-Apr-2024
    Recertification
    1.0
    15-Feb-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Sam Salazar
      Cisco Technical Consulting Engineer
    • Eder Pacheco
      Cisco Escalation Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco