Best Practices for Configuring Security Event Syslog Messaging

Device and Version: All

Configuration Location:

If you send events via syslog or store them externally, avoid special characters in object names such as policy and rule names. In particular, object names should not contain characters, such as commas, that the receiving application may treat as field separators; a name that contains the separator breaks the receiver's parsing of every event that references it.
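Why this matters, shown with an added example that is not part of the original page: the Python below models a sender that writes a rule name verbatim into a comma-separated "Key: Value" event body, a naive receiver that splits that body on commas, and a pre-deployment check for object names. The message ID, field names and sample values are constructed for illustration and are assumptions, not actual device output.

```python
"""Why object names must not contain the receiver's separator character.

Constructed example: the event lines below are built inline and modelled on the
comma-separated 'Key: Value' style of FTD security event syslog messages; the
message ID and field names are assumptions for illustration, not taken from any
real device output.
"""

# Characters a downstream log receiver or SIEM may treat as field separators.
# The page names commas; semicolon, pipe and double quote are assumed additions
# that cover other common delimiter conventions.
SEPARATOR_CHARS = frozenset(',;|"')

# Constructed syslog header; the message ID is an assumption for illustration only.
HEADER = "<166>Jan 12 10:15:01 ftd01 %FTD-6-430003"


def build_event(rule_name: str) -> str:
    """Model the sender: the rule name is emitted verbatim into the message body."""
    fields = [
        ("EventPriority", "Low"),
        ("DeviceUUID", "00000000-0000-0000-0000-000000000001"),
        ("AccessControlRuleName", rule_name),
        ("AccessControlRuleAction", "Allow"),
        ("Protocol", "tcp"),
    ]
    body = ", ".join(f"{key}: {value}" for key, value in fields)
    return f"{HEADER}: {body}"


def parse_kv_syslog(line: str) -> tuple[dict, list]:
    """Model a naive receiver that splits the body on ', ' and each field on ': '.

    Returns (fields, malformed). A fragment without ': ' cannot be a field and
    is reported as malformed; that is how a comma inside an object name shows up.
    """
    _header, _sep, body = line.partition(": ")
    fields = {}
    malformed = []
    for fragment in body.split(", "):
        key, sep, value = fragment.partition(": ")
        if not sep:
            malformed.append(fragment)
            continue
        fields[key] = value
    return fields, malformed


def check_object_name(name: str) -> list:
    """Return the separator characters found in a policy or rule name (empty if clean)."""
    return sorted({ch for ch in name if ch in SEPARATOR_CHARS})


if __name__ == "__main__":
    # The second name contains a comma: the receiver truncates the rule name and
    # sees a stray fragment it cannot attribute to any field.
    for rule_name in ("Allow-Web", "Allow-Web, Block-FTP"):
        offending = check_object_name(rule_name)
        fields, malformed = parse_kv_syslog(build_event(rule_name))
        print(f"rule name {rule_name!r}: separator chars {offending or 'none'}")
        print(f"  parsed rule name: {fields['AccessControlRuleName']!r}")
        print(f"  malformed fragments: {malformed}")
```

Running the check against exported policy and rule names before enabling external logging catches the problem at configuration time rather than in the SIEM, where the damage looks like random fields going missing from otherwise valid events.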

Device and Version: Firepower Threat Defense version 6.3 or later

Configuration Location:

  1. Configure FTD platform settings (Devices > Platform Settings > Threat Defense Settings > Syslog).

    See also FTD Platform Settings That Apply to Security Event Syslog Messages.

  2. In your access control policy Logging tab, opt to use the FTD platform settings.

  3. (For intrusion events) Configure intrusion policies to use the settings in your access control policy Logging tab. (This is the default.)

Overriding any of these settings is not recommended.

For essential details, see Send Security Event Syslog Messages from FTD Devices.

Device and Version: All other devices

Configuration Location:

  1. Create an alert response.

  2. Configure access control policy Logging to use the alert response.

  3. (For intrusion events) Configure syslog settings in intrusion policies.

For complete details, see Send Security Event Syslog Messages from Classic Devices.