Send Security Event Syslog Messages from FTD Devices

This procedure documents the best practice configuration for sending syslog messages for security events (connection, Security Intelligence, intrusion, file, and malware events) from FTD devices.

Note

Many FTD syslog settings are not applicable to security events. Configure only the options described in this procedure.

Before you begin

  • In Cisco Defense Orchestrator, configure policies to generate security events and verify that the events you expect to see appear in the applicable tables under the Analysis menu.

  • Gather the syslog server IP address, port, and protocol (UDP or TCP).

  • Ensure that your devices can reach the syslog server(s).

  • Confirm that the syslog server(s) can accept remote messages.

  • For important information about connection logging, see the chapter on Connection Logging.
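As an added check for the two reachability items above (this is not part of the Cisco procedure), the following Python script stands in for a syslog server: run it on the syslog host, bound to the port you plan to configure on the FTD device, and it reports the first datagram that arrives and which device sent it. It assumes the UDP transport; a TCP syslog server needs a stream listener instead. The loopback self-test sends a constructed message to itself so the script can be exercised without a device.

```python
import socket
from typing import Optional, Tuple

# Constructed test payload, shaped like an FTD tag so the receiver output is
# recognisable; it is not a message captured from a real device.
TEST_MESSAGE = "<166>%FTD-6-430003: EventPriority: Low, SrcIP: 192.0.2.1, DstIP: 192.0.2.2"


def open_udp_listener(host: str = "0.0.0.0", port: int = 514) -> socket.socket:
    """Bind a UDP socket on the address the FTD device will send to.
    Port 514 normally needs root; port 0 asks the OS for a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def wait_for_message(sock: socket.socket, timeout: float = 30.0) -> Optional[Tuple[str, str]]:
    """Block until one datagram arrives; return (text, sender_ip) or None on timeout.
    A timeout with logging already enabled on the device usually means a firewall
    or routing problem between the device and this host."""
    sock.settimeout(timeout)
    try:
        data, peer = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return data.decode("utf-8", errors="replace"), peer[0]


def send_udp_message(host: str, port: int, text: str) -> None:
    """Send one UDP datagram; used here only for the loopback self-test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(text.encode("utf-8"), (host, port))


def loopback_self_test() -> bool:
    """Prove the listener itself works by sending the constructed message over
    loopback on an OS-assigned port and reading it back."""
    with open_udp_listener("127.0.0.1", 0) as sock:
        port = sock.getsockname()[1]
        send_udp_message("127.0.0.1", port, TEST_MESSAGE)
        result = wait_for_message(sock, timeout=5.0)
    return result is not None and result[0] == TEST_MESSAGE and result[1] == "127.0.0.1"


if __name__ == "__main__":
    print("self-test:", "ok" if loopback_self_test() else "FAILED")
    # To check a real device, bind the configured port and wait:
    #   with open_udp_listener("0.0.0.0", 514) as s: print(wait_for_message(s))
```

When the device's first message arrives, the sender IP it reports should be the interface you selected under Syslog Servers; if it differs, the device is sourcing syslog from another interface than intended.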

Procedure


Step 1

Configure syslog settings for your FTD device:

  1. Click Devices > Platform Settings.

  2. Edit the platform settings policy associated with your FTD device.

  3. In the left navigation pane, click Syslog.

  4. Click Syslog Servers and click Add to enter server, protocol, interface, and related information.

    If you have questions about options on this page, see Configure a Syslog Server.

  5. Click Syslog Settings and configure the following settings:

    • Enable Timestamp on Syslog Messages

    • Timestamp Format

    • Enable Syslog Device ID

  6. Click Logging Setup.

  7. Select whether or not to Send syslogs in EMBLEM format.

  8. Select Enable Logging.

  9. Click Event Lists, click Add, then under Message ID click Add and enter the message IDs for the types of events to send:

    • All Snort events: 430001-430005

    • Intrusion events: 430001

    • Connection events (Beginning of connection): 430002

    • Connection events (End of connection): 430003

    • File events: 430004

    • Malware events: 430005

  10. Click the Logging Destinations tab.

  11. Add a logging destination that specifies Syslog Servers and for the event class, select the event list that you just configured.

  12. Save your settings.
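The message ID list in Step 1 is also what a receiving SIEM or collector keys on. As an added example that is not part of the Cisco documentation, the following Python parser classifies each incoming line by those IDs, pulls out the comma-separated "Key: Value" fields, and checks that the line carries the timestamp and device ID that the Syslog Settings options add. The line shape (optional <PRI>, "Mon DD YYYY HH:MM:SS device-id :" prefix, then a "%FTD-<severity>-<message-id>:" tag) is an assumption about the legacy timestamp format; all sample lines, UUIDs and hashes are constructed, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five Snort security event message IDs listed in Step 1 of the procedure.
EVENT_CLASSES = {
    430001: "intrusion",
    430002: "connection-start",
    430003: "connection-end",
    430004: "file",
    430005: "malware",
}

# Assumed header shape (see lead-in): <PRI> and the timestamp/device-ID prefix
# are optional because they depend on the Syslog Settings options being enabled.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<prefix>.*?)"
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$"
)
# Legacy "Mon DD [YYYY] HH:MM:SS device-id" prefix; a match means both options are on.
PREFIX_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}\s+)?\d{2}:\d{2}:\d{2}\s+(?P<device>[^\s:]+)"
)
# Split the body only on commas that start the next "Key: " pair, so values that
# contain commas or spaces ("Potentially Bad Traffic") are kept whole.
FIELD_SPLIT_RE = re.compile(r",\s+(?=\w+:\s)")


@dataclass
class FtdEvent:
    msgid: int
    event_class: str
    tag_severity: int          # the digit in %FTD-<sev>-<id>
    facility: Optional[int]    # derived from <PRI> when present (PRI // 8)
    prefix: str                # text between <PRI> and the %FTD tag
    fields: Dict[str, str]


def parse_ftd_syslog(line: str) -> Optional[FtdEvent]:
    """Parse one line; return None for lines that are not one of the five
    security event message IDs (platform messages such as connection build/teardown)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    msgid = int(m.group("msgid"))
    if msgid not in EVENT_CLASSES:
        return None
    fields: Dict[str, str] = {}
    for part in FIELD_SPLIT_RE.split(m.group("body")):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    pri = m.group("pri")
    return FtdEvent(
        msgid=msgid,
        event_class=EVENT_CLASSES[msgid],
        tag_severity=int(m.group("sev")),
        facility=int(pri) // 8 if pri is not None else None,
        prefix=m.group("prefix"),
        fields=fields,
    )


def has_timestamp_and_device_id(event: FtdEvent) -> bool:
    """False usually means Enable Timestamp / Enable Syslog Device ID was left off."""
    return PREFIX_RE.match(event.prefix) is not None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count security events per class, ignoring everything else."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_ftd_syslog(line)
        if ev is not None:
            counts[ev.event_class] = counts.get(ev.event_class, 0) + 1
    return counts


# Constructed sample lines (placeholder UUID and hash, documentation IP ranges).
SAMPLE_LINES = [
    "<166>Mar 10 2024 12:00:01 ftd-edge-01 : %FTD-6-430003: EventPriority: Low, "
    "DeviceUUID: 00000000-0000-0000-0000-000000000000, ConnectionID: 1234, "
    "AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, DstIP: 192.0.2.10, SrcPort: 51234, "
    "DstPort: 443, Protocol: tcp, Client: SSL client, AccessControlRuleName: allow-web",
    "<161>Mar 10 2024 12:00:02 ftd-edge-01 : %FTD-1-430001: EventPriority: High, "
    "DeviceUUID: 00000000-0000-0000-0000-000000000000, SrcIP: 10.0.0.7, DstIP: 192.0.2.20, "
    "SrcPort: 40000, DstPort: 80, Protocol: tcp, GID: 1, SID: 1000001, Revision: 1, "
    "Message: TEST rule, Classification: Potentially Bad Traffic, Priority: 2",
    "<166>Mar 10 2024 12:00:03 ftd-edge-01 : %FTD-6-430005: EventPriority: High, "
    "SrcIP: 10.0.0.9, DstIP: 192.0.2.30, FileName: invoice.pdf, SHA256: " + "0" * 64 + ", "
    "FileAction: Malware Cloud Lookup, Disposition: Malware",
    "<166>Mar 10 2024 12:00:04 ftd-edge-01 : %FTD-6-302013: Built inbound TCP connection 77",
    "%FTD-6-430002: EventPriority: Low, SrcIP: 10.0.0.5, DstIP: 192.0.2.10, DstPort: 443",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_ftd_syslog(line)
        if ev:
            print(ev.event_class, ev.fields.get("SrcIP"), "->", ev.fields.get("DstIP"),
                  "| timestamp+device-id:", has_timestamp_and_device_id(ev))
    print(summarize(SAMPLE_LINES))
```

The last sample line parses as a connection-start event but fails the timestamp/device-ID check, which is the symptom you would see in a collector if item 5 of Step 1 was skipped; the 302013 line is dropped because it is a platform connection message, not one of the five security event IDs.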

Step 2

Configure general logging settings for the access control policy (including file and malware logging):

  1. Click Policies > Access Control.

  2. Edit the applicable access control policy.

  3. Click Logging.

  4. FTD 6.3 and later: Select Use the syslog settings configured in the Threat Defense Platform Settings policy deployed on the device.

  5. (Optional) Select a Syslog Severity.

  6. If you will send file and malware events, select Send Syslog messages for File and Malware events.

  7. Click Save.

Step 3

Enable logging for Security Intelligence events for the access control policy:

  1. In the same access control policy, click the Security Intelligence tab.

  2. In each of the following locations, click Logging (logging icon) and enable beginning and end of connections and Syslog Server:

    • Beside DNS Policy.

    • In the Block List box, for Networks and for URLs.

  3. Click Save.

Step 4

Enable syslog logging for each rule in the access control policy:

  1. In the same access control policy, click the Rules tab.

  2. Click a rule to edit.

  3. Click the Logging tab in the rule.

  4. Choose whether to log the beginning or end of connections, or both.

    (Connection logging generates a lot of data; logging both beginning and end generates roughly double that much data. Not every connection can be logged both at beginning and end.)

  5. If you will log file events, select Log Files.

  6. Enable Syslog Server.

  7. Verify that the rule is "Using default syslog configuration in Access Control Logging."

  8. Click Add.

  9. Repeat for each rule in the policy.

Step 5

If you will send intrusion events:

  1. Navigate to the intrusion policy associated with your access control policy.

  2. In your intrusion policy, click Advanced Settings > Syslog Alerting > Enabled.

  3. If necessary, click Edit.

  4. Enter options:

    Logging Host: Unless you will send intrusion event syslog messages to a different syslog server than you will send other syslog messages, leave this blank to use the settings you have configured above.

    Facility: This setting is applicable only if you specify a Logging Host on this page. For descriptions, see Syslog Alert Facilities.

    Severity: This setting is applicable only if you specify a Logging Host on this page. For descriptions, see Syslog Severity Levels.

  5. Click Back.

  6. Click Policy Information in the left navigation pane.

  7. Click Commit Changes.


What to do next