Configure a Syslog Server

To configure a syslog server to handle messages generated from your system, perform the following steps.

If you want this syslog server to receive security events such as connection and intrusion events, see also FTD Platform Settings That Apply to Security Event Syslog Messages.

Note

In ?? and later, the Management and Diagnostic interfaces are merged. If Platform Settings for syslog servers or SNMP hosts specify the Diagnostic interface by name, then you must use separate Platform Settings policies for merged and unmerged devices (?? and earlier, and some upgraded ?? FTDs).

Before you begin

  • See requirements in Guidelines for Logging.

  • Make sure your devices can reach your syslog collector on the network.

Procedure


Step 1

Select Devices > Platform Settings and create or edit the FTD policy.

Step 2

Select Syslog > Syslog Server.

Step 3

Check the Allow user traffic to pass when TCP syslog server is down check box to allow traffic to pass if any syslog server that uses the TCP protocol is down.

Step 4

In the Message queue size (messages) field, enter the size of the queue for storing syslog messages on the security appliance when the syslog server is busy. The minimum is 1 message. The default is 512. Specify 0 to allow an unlimited number of messages to be queued (subject to available block memory).

Step 5

Click Add to add a new syslog server.

  1. In the IP Address drop-down list, select a network host object that contains the IP address of the syslog server.

  2. Choose the protocol (either TCP or UDP) and enter the port number for communications between the Firepower Threat Defense device and the syslog server.

    UDP is faster and uses fewer resources on the device than TCP.

    The default ports are 514 for UDP, 1470 for TCP. Valid non-default port values for either protocol are 1025 through 65535.

  3. Check the Log messages in Cisco EMBLEM format (UDP only) check box to specify whether to log messages in Cisco EMBLEM format (available only if UDP is selected as the protocol).

    Note

    Syslog messages in RFC5424 format typically include the priority value (PRI). However, in CDO the PRI value is displayed in the syslog messages of the managed FTD only when you enable logging in Cisco EMBLEM format. For more information on PRI, see RFC5424.

  4. Check the Enable Secure Syslog check box to encrypt the connection between the device and server using SSL/TLS over TCP.

    Note

    You must select TCP as the protocol to use this option. You must also upload the certificate required to communicate with the syslog server on the Devices > Certificates page. Finally, upload the certificate from the Firepower Threat Defense device to the syslog server to complete the secure relationship and allow it to decrypt the traffic. The Enable Secure Syslog option is not supported on the device Management interface.

  5. Add the zones that contain the interfaces used to communicate with the syslog server. For interfaces not in a zone, you can type the interface name into the field below the Selected Zones/Interface list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones.

    Note

    If the syslog server is on the network attached to the physical Management interface, you must type the name of that interface into the Interface Name field below the Selected Security Zones list and click Add. You must also configure this name (if not already configured), and an IP address, for the Diagnostic interface (edit the device from the Device Management page and select the Interfaces tab). For more information about the management/diagnostic interface, see Diagnostic Interface (Legacy).

  6. Select Device Management Interface or Security Zones or Named Interfaces to communicate with the syslog server.

    • Device Management Interface: Send syslogs out of the Management interface. We recommend that you use this option when configuring syslog on Snort events.

      Note

      The Device Management Interface option does not support the Enable Secure Syslog option.

    • Security Zones or Named Interfaces: Select the interfaces from the list of Available Zones and click Add. If you type in the diagnostic interface name, you must also configure an IP address for the Diagnostic interface (edit the device settings from the Device Management page and select the Interfaces tab). For more information about the management/diagnostic interface, see Diagnostic Interface (Legacy).

  7. Click OK.

Step 6

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
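The constraints stated in Steps 3 through 5 (default ports 514/UDP and 1470/TCP, non-default ports 1025 through 65535, EMBLEM only with UDP, Enable Secure Syslog only with TCP and not on the Device Management Interface, queue size 0 meaning unlimited) can be checked against a planned configuration before you deploy it. This is an added example, not part of this guide or of the FMC; the dictionary keys are an assumed layout for illustration, not the FMC API.

```python
from typing import Any, Dict, List

# Defaults and limits stated on the Syslog Server page (dictionary layout is assumed, not the FMC API).
DEFAULT_PORT = {"UDP": 514, "TCP": 1470}
NON_DEFAULT_PORTS = range(1025, 65536)


def validate_syslog_server(server: Dict[str, Any]) -> List[str]:
    """Return constraint violations for one server entry. Assumed keys: protocol ("TCP"/"UDP"),
    port (None = default), emblem, secure, use_mgmt_interface (bools), zones_or_interfaces (list)."""
    problems: List[str] = []
    proto = str(server.get("protocol", "")).upper()
    if proto not in DEFAULT_PORT:
        return [f"protocol must be TCP or UDP, got {server.get('protocol')!r}"]

    port = server.get("port")
    if port is None:
        port = DEFAULT_PORT[proto]  # default port for the chosen protocol
    if port != DEFAULT_PORT[proto] and port not in NON_DEFAULT_PORTS:
        problems.append(f"{proto} port {port} must be {DEFAULT_PORT[proto]} or 1025-65535")

    # Cisco EMBLEM format is offered only when UDP is the protocol.
    if server.get("emblem") and proto != "UDP":
        problems.append("Cisco EMBLEM format is available only with UDP")

    # Secure syslog (SSL/TLS) needs TCP and is not supported on the Management interface.
    if server.get("secure"):
        if proto != "TCP":
            problems.append("Enable Secure Syslog requires TCP")
        if server.get("use_mgmt_interface"):
            problems.append("Enable Secure Syslog is not supported on the Device Management Interface")

    # The device needs a path to the server: the Management interface or at least one zone/interface.
    if not server.get("use_mgmt_interface") and not server.get("zones_or_interfaces"):
        problems.append("select the Device Management Interface or at least one zone/interface")
    return problems


def validate_syslog_settings(queue_size: int, servers: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Check the queue size and every server; result keys are 'queue' or 'server[<index>]'."""
    report: Dict[str, List[str]] = {}
    if queue_size < 0:  # 0 means unlimited (bounded by block memory); otherwise at least 1
        report["queue"] = [f"queue size {queue_size} is invalid; use 0 (unlimited) or >= 1"]
    for i, server in enumerate(servers):
        problems = validate_syslog_server(server)
        if problems:
            report[f"server[{i}]"] = problems
    return report
```

An empty report means every entry satisfies the page's stated constraints; it does not confirm that the collector is reachable from the selected interfaces or that the certificates for secure syslog have been exchanged.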


What to do next