About Syslog

System logging is a method of collecting messages from devices on a server running a syslog daemon. Logging to a central syslog server helps you aggregate logs and alerts. Cisco devices can send their log messages to a UNIX-style syslog service. A syslog service accepts messages and stores them in files, or prints them, according to a simple configuration file. This form of logging provides protected long-term storage for logs. Logs are useful both in routine troubleshooting and in incident handling.

System Logs for Firepower Threat Defense

| Logs Related To | Details | Configure In |
|---|---|---|
| Device and system health, network configuration | This syslog configuration generates messages for features running on the data plane, that is, features that are defined in the CLI configuration that you can view with the show running-config command. This includes features such as routing, VPN, data interfaces, DHCP server, NAT, and so forth. Data plane syslog messages are numbered, and they are the same as those generated by devices running ASA software. However, Firepower Threat Defense does not necessarily generate every message type that is available for ASA Software. For information on these messages, see Cisco Firepower Threat Defense Syslog Messages at https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html. This configuration is explained in the following topics. | Platform Settings |
| Security events | This syslog configuration generates alerts for file and malware, connection, Security Intelligence, and intrusion events. For details, see About Sending Syslog Messages for Security Events and subtopics. | Platform Settings and the Logging in an access control policy (All devices) |
| Policies, rules, and events | This syslog configuration generates alerts for access control rules, intrusion rules, and other advanced services as described in Configurations Supporting Alert Responses. These messages are not numbered. For information on configuring this type of syslog, see Creating a Syslog Alert Response. | Alert Responses and the Logging in an access control policy |

You can configure more than one syslog server, and control the messages and events sent to each server. You can also configure different destinations, such as console, email, internal buffer, and so forth.
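The table above distinguishes numbered data-plane messages (the ASA-style %FTD-severity-id header) from unnumbered alert-response messages. On the receiving syslog server, that distinction is the first thing a parser needs, because only the numbered messages can be looked up in the Cisco message guide. The following Python is an added example, not Cisco's code or text from this page: it splits an incoming line into the RFC 3164 <PRI> prefix (facility and severity), the %FTD-<severity>-<message id>: header, and the free text, and it keeps unnumbered lines as records with no message ID. The sample lines are constructed for the example; the last one is a placeholder for an unnumbered alert-response message, whose real format is not shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Numbered data-plane header, as on ASA software: %ASA-<sev>-<id>: or %FTD-<sev>-<id>:
# Severity is a single digit 0-7 (0 = emergencies, 7 = debugging); the message ID is six digits.
NUMBERED_HEADER = re.compile(
    r"%(?P<device>ASA|FTD)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)
# Optional RFC 3164 priority prefix added by the sender: <PRI> where PRI = facility * 8 + severity
PRI_PREFIX = re.compile(r"^<(?P<pri>\d{1,3})>")

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}


@dataclass
class SyslogRecord:
    raw: str
    facility: Optional[int]      # from the <PRI> prefix, if present
    pri_severity: Optional[int]  # severity carried in <PRI>, if present
    numbered: bool               # True when a %FTD-/%ASA- header was found
    device: Optional[str]        # "FTD" or "ASA"
    severity: Optional[int]      # severity digit from the numbered header
    message_id: Optional[str]    # six-digit message ID, e.g. "302013"
    text: str                    # message body (whole line after <PRI> when unnumbered)


def parse_line(line: str) -> SyslogRecord:
    """Parse one received syslog line into its PRI, numbered header and text."""
    raw = line.rstrip("\n")
    rest = raw
    facility = pri_severity = None
    m = PRI_PREFIX.match(rest)
    if m:
        facility, pri_severity = divmod(int(m.group("pri")), 8)
        rest = rest[m.end():]
    h = NUMBERED_HEADER.search(rest)
    if h:
        return SyslogRecord(raw, facility, pri_severity, True, h.group("device"),
                            int(h.group("sev")), h.group("msgid"), h.group("text"))
    # No numbered header: keep the line as an unnumbered record (alert-response style).
    return SyslogRecord(raw, facility, pri_severity, False, None, None, None, rest.strip())


def parse_lines(lines: List[str]) -> List[SyslogRecord]:
    return [parse_line(ln) for ln in lines]


def count_by_message_id(records: List[SyslogRecord]) -> Dict[str, int]:
    """Histogram of numbered messages; unnumbered records are skipped."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.numbered and r.message_id is not None:
            counts[r.message_id] = counts.get(r.message_id, 0) + 1
    return counts


def select_at_or_above(records: List[SyslogRecord], max_severity: int) -> List[SyslogRecord]:
    """Numbered records at the given severity or more severe (lower digit = more severe)."""
    return [r for r in records if r.numbered and r.severity is not None and r.severity <= max_severity]


# Constructed sample lines (not captured from a real device). PRI 166 = local4 (20), severity 6.
SAMPLE_LINES = [
    "<166>Jan 12 10:15:01 ftd-edge %FTD-6-302013: Built outbound TCP connection 4711 for "
    "outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.25/51234 (198.51.100.1/51234)",
    "<164>Jan 12 10:15:02 ftd-edge %FTD-4-106023: Deny tcp src outside:203.0.113.77/4444 "
    "dst inside:192.0.2.25/22 by access-group \"outside_in\"",
    "<165>Jan 12 10:15:03 ftd-edge %FTD-5-111008: User 'admin' executed the 'configure terminal' command.",
    # Placeholder for an unnumbered alert-response message; the real text format is assumed, not documented here.
    "<134>Jan 12 10:15:04 ftd-edge Access control rule 'Block-Telnet' matched (constructed placeholder)",
]

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    for r in recs:
        kind = f"{r.device} {r.message_id} ({SEVERITY_NAMES[r.severity]})" if r.numbered else "unnumbered"
        print(f"facility={r.facility} {kind}: {r.text[:60]}")
    print("counts:", count_by_message_id(recs))
    print("warnings or worse:", [r.message_id for r in select_at_or_above(recs, 4)])
```

Running the module prints one summary line per record, then the per-ID histogram and the IDs at warning severity or worse. In a real deployment the severity digit in the header is what the platform-settings logging level controls, so a mismatch between the <PRI> severity and the header severity on a received line is worth surfacing as a sender or relay misconfiguration.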