Send Cloud-delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog

This procedure provides information about the configuration for sending syslog messages for security events (connection, security intelligence, intrusion, file, and malware events) from devices managed by Security Cloud Control.

Before you begin

  • Configure policies to generate security events, and verify that the events you expect to see are displayed in the applicable tables under the Events & Logs menu.

  • Gather information relating to the syslog server IP address, port, and protocol (UDP or TCP).

  • Ensure that your devices can reach the syslog server.

Procedure


Step 1

In the left pane, click Administration > Firewall Management Center to open the Services page.

Step 2

Click and select Cloud-Delivered FMC and then click Configuration.

Step 3

Configure the syslog settings for your threat defense device:

  1. Click Devices > Platform Settings and edit the platform settings policy that is associated with your threat defense device.

  2. In the left-side navigation pane, click Syslog and configure the syslog settings as follows:

    Click this UI Element...

    To Do the Following:

    Logging Setup

    Enable logging, specify FTP server settings, and the Flash usage.

    Logging Destination

    Enable logging to specific destinations and to specify filtering by message severity level, event class, or by a custom event list.

    E-mail Setup

    Specify the email address that is used as the source address for syslog messages that are sent as emails.

    Events Lists

    Define a custom event list that includes an event class, a severity level, and an event ID.

    Rate Limit

    Specify the volume of messages being sent to all the configured destinations and define the message severity level to which you want to assign the rate limits.

    Syslog Settings

    Specify the logging facility, enable the inclusion of a time stamp, and enable other settings to set up a server as a syslog destination.

    Syslog Servers

    Specify the IP address, protocol that is used, format, and security zone for the syslog server that is designated as a logging destination.

  3. Click Save.

Step 4

Configure the general logging settings for the access control policy (including file and malware logging):

  1. Click Policies > Access Control and then edit the access control policy that is associated with your threat defense device.

  2. Click More and then choose Logging. Configure the general logging settings for the access control policy (including file and malware logging) as follows:

    Click this UI Element...

    To Do the Following:

    Send using specific syslog alert

    Select a syslog alert from the list of existing predefined alerts or add one by specifying the name, logging host, port, facility, and severity.

    Use the syslog settings configured in the FTD Platform Settings policy deployed on the device

    Unify the syslog configuration by configuring it in Platform Settings and reuse the settings in the access control policy. The selected severity is applied to all the connection and intrusion events. The default severity is ALERT.

    Send Syslog messages for IPS events

    Send events as syslog messages. The default syslog settings are used unless you override them.

    Send Syslog messages for File and Malware events

    Send file and malware events as syslog messages. The default syslog settings are used unless you override them.

  3. Click Save.

Step 5

Enable logging for security intelligence events for the access control policy:

  1. In the same access control policy, click the Security Intelligence tab.

  2. Click the logging icon and enable security intelligence logging using the following criteria:

    • By Domain Name—Click the logging icon next to the DNS Policy drop-down list.

    • By IP address—Click the logging icon next to Networks.

    • By URL—Click the logging icon next to URLs.

  3. Click Save.

Step 6

Enable syslog logging for each rule in the access control policy:

  1. In the same access control policy, click the Access Control tab.

  2. Click a rule to edit.

  3. Click the Logging tab in the rule.

  4. Check the Log at beginning of connection and Log at end of connection check boxes.

  5. If you want to log file events, check the Log Files check box.

  6. Check the Syslog Server check box.

  7. Verify that the rule is Using default syslog configuration in Access Control Logging.

  8. Click Confirm.

  9. Click Apply to save the rule.

  10. Repeat steps 7.a through 7.h for each rule in the policy and click Save to save the policy.


What to do next

If you have made all the required changes, deploy your changes to the managed devices.