Stream Audit Logs to Syslog

When this feature is enabled, audit log records appear in the syslog in the following format :

Date Time Host [Tag] Sender: User_Name@User_IP, Subsystem, Action

Where the local date, time, and originating hostname precede the bracketed optional tag, and the sending device name precedes the audit log message.

For example, if you specify a tag of FMC-AUDIT-LOG for audit log messages from your management center, a sample audit log message from your CDO could appear as follows:

Mar 01 14:45:24 localhost [FMC-AUDIT-LOG] Dev-MC7000: admin@10.1.1.2, Operations > Monitoring, Page View

If you specify a severity and facility, these values do not appear in syslog messages; instead, they tell the system that receives the syslog messages how to categorize them.

Before you begin

Make sure the CDO can communicate with the syslog server. When you save your configuration, the system uses ICMP/ARP and TCP SYN packets to verify that the syslog server is reachable. Then, the system uses port 514/UDP to stream audit logs. If you secure the channel, the system uses 6514/TCP.

Procedure

Step 1

Choose System (system gear icon) > Configuration.

Step 2

Click Audit Log.

Step 3

Choose Enabled from the Send Audit Log to Syslog drop-down menu.

Step 4

The following fields are applicable only for audit logs sent to syslog:

Option

Description

Host

The IP address or the fully qualified name of the syslog server to which you will send audit logs. You can add a maximum of five syslog hosts, seperated by commas.

Note

You can specify multiple syslog hosts, only when TLS is disabled for the Audit Server Certificate.

Facility

The subsystem that creates the message.

Choose a facility described in Syslog Alert Facilities. For example, choose AUDIT.

Severity

The severity of the message.

Choose a severity described in Syslog Severity Levels.

Tag

An optional tag to include in audit log syslog messages.

Best practice: Enter a value in this field to easily differentiate audit log messages from other, similar syslog messages such as health alerts.

For example, if you want all audit log records sent to the syslog to be labeled with FMC-AUDIT-LOG, enter FMC-AUDIT-LOG in the field.

Step 5

(Optional) To test whether the IP address of the syslog servers are valid, click Test Syslog Server.

The system sends the following packets to verify whether the syslog server is reachable:

  1. ICMP echo request

  2. TCP SYN on 443 and 80 ports

  3. ICMP time stamp query

  4. TCP SYN on random ports

Note

If the CDO and syslog server are in the same subnet, ARP is used instead of ICMP.

The system displays the result for each server.
Step 6

Click Save.