...
There are certain configuration options that apply to both local and external logging. This section covers the mandatory and optional parameters that can be configured for syslog.
Logging Setup
Logging setup options apply to both local and external logging. In order to configure logging setup, choose Devices >> Platform Setting.
Choose Syslog >> Logging Setup
Basic Logging Setup
Enable Logging: Check the Enable Logging checkbox in order to enable logging. This is a mandatory option.
Enable logging on the failover standby unit: Check the Enable logging on the failover standby unit checkbox in order to enable logging on the standby FTD which is a part of an FTD high availability cluster.
Send syslog in EMBLEM format: Check the Send syslog in EMBLEM format checkbox in order to send syslog messages in EMBLEM format. EMBLEM format is used primarily for the CiscoWorks Resource Manager Essentials (RME) syslog analyzer. This format matches the Cisco IOS Software syslog format produced by routers and switches. It is available only for UDP syslog servers.
Send debug messages as syslogs: Check the Send debug messages as syslogs checkbox in order to send the debug logs as Syslog messages to the Syslog server.
Memory size of the internal Buffer: Enter the size of the internal memory buffer in which FTD saves the log data. The log data wraps around (the oldest entries are overwritten) once the buffer limit is reached.
FTP Server Information (Optional)
Specify the FTP server details if you want to send the log data to an FTP server before the internal buffer is overwritten.
FTP Server Buffer Wrap: Check the FTP Server Buffer Wrap checkbox in order to send the buffer log data to the FTP server.
IP address: Enter the IP address of the FTP server.
Username: Enter the username of the FTP server.
Path: Enter the directory path of the FTP server.
Password: Enter the password of the FTP server.
Confirm: Enter the same password again.
Flash Size (Optional)
Specify the flash size if you want to save the log data to flash once the internal buffer is full.
Flash: Check the Flash checkbox in order to send the log data to the internal flash.
Maximum Flash to be used by Logging (KB): Enter the maximum size in KB of flash memory that can be used for logging.
Minimum free Space to be preserved (KB): Enter the minimum size in KB of flash memory that must be preserved.
...
Click Save in order to save the platform setting. Choose the Deploy option, choose the FTD appliance where you want to apply the changes, and click Deploy in order to start deployment of the platform setting.
Configure Event Lists
The Configure Event Lists option allows you to create or edit an event list and specify which log data to include in the event list filter. Event lists can be referenced when you configure Logging Filters under Logging Destinations.
The system offers two ways to build a custom event list:
Class and Severity
Message ID
In order to configure custom event lists, choose Device > Platform Setting > Threat Defense Policy > Syslog > Event List and click Add. You will see these options:
Name: Enter the name of the event list.
Severity/ Event Class: In the Severity/ Event Class section, click Add.
Event Class: Choose the event class from the drop-down list for the type of log data you want. An event class is a set of syslog messages that relate to the same feature. For example, the session event class includes all syslogs related to sessions.
Syslog Severity: Choose the severity from the drop-down list for the chosen Event Class. The severity can range from 0 (emergency) to 7 (debugging).
Message ID: If you are interested in specific log data related to a message ID, then click Add in order to put a filter based upon the message ID.
Message IDs: Specify message IDs individually or as a range.
...
Click OK in order to save the configuration.
Click Save in order to save the platform setting. Choose Deploy, choose the FTD appliance where you want to apply the changes, and click Deploy in order to start deployment of the platform setting.
Rate Limiting Syslog
The Rate Limit option defines the number of messages that can be sent to all configured destinations within an interval, and the severity of the messages to which the rate limit applies.
In order to configure rate limiting, choose Device > Platform Setting > Threat Defense Policy > Syslog > Rate Limit. You can specify the rate limit based on either of two options:
Logging level
Syslog levels
In order to enable the logging level based rate limit, choose Logging Level and click Add.
Logging Level: From the Logging Level drop-down list, choose the logging level for which you want to perform the rate limiting.
Number of Messages: Enter the maximum number of syslog messages to be received within the specified interval.
Interval (Second): Enter the time interval, in seconds, within which at most the configured Number of Messages can be received.
The rate of Syslog is Number of Messages/Interval.
...
Click OK in order to save the logging level configuration.
In order to enable the syslog level based rate limit, choose Syslog Levels and click Add.
Syslog ID: Syslog IDs are used to uniquely identify the Syslog messages. From the Syslog ID drop-down list, choose the Syslog ID.
Number of Messages: Enter the maximum number of syslog messages to be received within the specified interval.
Interval (Second): Enter the time interval, in seconds, within which at most the configured Number of Messages can be received.
The rate of Syslog is Number of Messages/Interval.
...
Click OK in order to save the Syslog level configuration.
Click Save in order to save the platform setting. Choose Deploy, choose the FTD appliance where you want to apply the changes, and click Deploy in order to start deployment of the platform setting.
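The event list rules above (class plus maximum severity, or individual/range message IDs) and the rate limit of Number of Messages per Interval can be modelled on sample messages to see which syslogs would be forwarded, rate limited, or never selected. This is an added Python example, not Cisco's code or the FTD implementation; the class-to-message-ID mapping, the sliding-window model of the rate limit, and the sample syslog lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque

HEADER = re.compile(r"%(?:FTD|ASA)-(\d)-(\d{6}):\s*(.*)")  # %FTD-<sev>-<msg id>: <text>
# Assumption: constructed, abbreviated class map keyed by the first three digits of the ID.
CLASS_PREFIXES = {"session": {"302", "303", "305", "609"}, "auth": {"109", "113"}}
def parse(line):  # -> (severity, message_id, text) or None if no FTD/ASA header
    m = HEADER.search(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None
def in_event_list(sev, msg_id, class_rules, id_rules):
    # class rules are (class, max severity); id rules are '302013' or '106001-106023'
    by_class = any(msg_id[:3] in CLASS_PREFIXES.get(c, ()) and sev <= s for c, s in class_rules)
    ranges = [(int(lo), int(hi or lo)) for lo, _, hi in (e.partition("-") for e in id_rules)]
    return by_class or any(lo <= int(msg_id) <= hi for lo, hi in ranges)

class RateLimiter:
    """Per logging level, at most `count` messages per `interval` seconds (assumption: sliding window)."""
    def __init__(self, limits):
        self.limits, self.seen = limits, defaultdict(deque)  # limits: {severity: (count, interval)}
    def allow(self, sev, now):
        if sev not in self.limits:
            return True
        count, interval = self.limits[sev]
        q = self.seen[sev]
        while q and now - q[0] >= interval:
            q.popleft()  # expire timestamps that fell out of the window
        if len(q) >= count:
            return False
        q.append(now)
        return True

def process(events, class_rules, id_rules, limits):  # -> {bucket: [message IDs]}
    out, rl = {"forwarded": [], "rate_limited": [], "excluded": []}, RateLimiter(limits)
    for t, line in events:
        sev, msg_id, _ = parse(line)
        bucket = ("excluded" if not in_event_list(sev, msg_id, class_rules, id_rules)
                  else "rate_limited" if not rl.allow(sev, t) else "forwarded")
        out[bucket].append(msg_id)
    return out

SAMPLE = [  # constructed sample: (seconds since start, syslog line)
    (0.0, "%FTD-6-302013: Built outbound TCP connection 1 for outside:203.0.113.5/443 to inside:10.1.1.10/51234"),
    (0.5, "%FTD-6-302013: Built outbound TCP connection 2 for outside:203.0.113.5/443 to inside:10.1.1.10/51235"),
    (0.7, '%FTD-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.1.10/22 by access-group "outside_in"'),
    (1.1, "%FTD-6-113004: AAA user authentication Successful : server = 10.1.1.2 : user = admin"),
    (1.6, "%FTD-7-609001: Built local-host inside:10.1.1.10"),
    (10.0, "%FTD-6-302013: Built outbound TCP connection 3 for outside:203.0.113.5/443 to inside:10.1.1.10/51236"),
]
EVENT_LIST = dict(class_rules=[("session", 6)], id_rules=["106001-106023"])
RATE_LIMITS = {6: (1, 5)}  # Logging Level 6: at most 1 message per 5 seconds
```

Running process(SAMPLE, limits=RATE_LIMITS, **EVENT_LIST) forwards the first 302013, the 106023 deny (matched by ID range, not rate limited at severity 4) and the 302013 at 10 s (window expired), rate-limits the 302013 at 0.5 s, and never selects 113004 (wrong class) or 609001 (severity 7 above the class limit).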
Configure Syslog Settings
Syslog settings allow configuration of the Facility values to be included in the Syslog messages. You can also include the timestamp in log messages and other Syslog server-specific parameters.
In order to configure syslog settings, choose Device > Platform Setting > Threat Defense Policy > Syslog > Syslog Settings.
Facility: A facility code is used to specify the type of program that is logging the message. Messages with different facilities can be handled differently. From the Facility drop-down list, choose the facility value.
Enable Timestamp on each Syslog Message: Check the Enable Timestamp on each Syslog Message checkbox in order to include the time stamp in Syslog messages.
Enable Syslog Device ID: Check the Enable Syslog Device ID checkbox in order to include a device ID in non-EMBLEM-format Syslog messages.
Netflow Equivalent Syslogs: Check the Netflow Equivalent Syslogs checkbox in order to send NetFlow equivalent Syslogs. It can affect the appliance performance.
Add Specific Syslog ID: In order to specify an additional syslog ID, click Add and set the Syslog ID and its Logging Level.
...
Click Save in order to save the platform setting. Choose Deploy, choose the FTD appliance where you want to apply the changes, and click Deploy in order to start deployment of the platform setting.
Configure Local Logging
The Logging Destinations section is used to configure logging to specific destinations.
The available internal logging destinations are:
Internal Buffer: Logs to the internal logging buffer (logging buffered)
Console: Sends logs to the console (logging console)
SSH sessions: Logs Syslog to SSH sessions (terminal monitor)
There are three steps to configure Local Logging.
Step 1. Choose Device > Platform Setting > Threat Defense Policy > Syslog > Logging Destinations.
...
Step 2. Click Add in order to add a Logging Filter for a specific logging destination.
Logging Destination: Choose the required logging destination from the Logging Destination drop-down list as Internal Buffer, Console, or SSH sessions.
Event Class: From the Event Class drop-down list, choose an Event class. As described previously, Event Classes are a set of Syslogs that represent the same features. Event classes can be selected in these ways:
Filter on Severity: Filters event classes based on the severity of the syslogs.
User Event List: Administrators can create specific event lists (described previously) with their own custom event classes and reference them in this section.
Disable Logging: Use this option in order to disable logging for the chosen Logging Destination and Logging Level.
Logging Level: Choose the logging level from the drop-down list. The logging level ranges from 0 (emergencies) to 7 (debugging).
...
Step 3: In order to add a separate Event class to this Logging filter, click Add.
Event Class: Choose the Event Class from the Event Class drop-down list.
Syslog Severity: Choose the Syslog severity from the Syslog Severity drop-down list.
...
Click OK once the Filter is configured to add the Filter for a specific logging destination.
Click Save in order to save the platform setting. Choose Deploy, choose the FTD appliance where you want to apply the changes, and click Deploy in order to start deployment of the platform setting.
Configure the External Logging
In order to configure external logging, choose Device > Platform Setting > Threat Defense Policy > Syslog > Logging Destinations.
FTD supports these types of external logging:
Syslog Server: Sends logs to the remote Syslog server.
SNMP trap: Sends the logs out as an SNMP trap.
E-Mail: Sends the logs via e-mail with a preconfigured mail relay server.
The configuration for external logging and internal logging is the same; the selected logging destination decides which type of logging is implemented. Event classes based on custom event lists can also be applied to the remote server destination.
Configure Remote Syslog Server
Syslog servers can be configured to analyze and store logs remotely from the FTD.
There are three steps to configure remote Syslog servers.
Step 1. Choose Device > Platform Setting > Threat Defense Policy > Syslog > Syslog Servers.
Step 2. Configure the syslog server related parameters.
Allow user traffic to pass when TCP syslog server is down: If a TCP syslog server has been deployed in the network and is not reachable, then network traffic through the ASA is denied. This applies only when the transport protocol between the ASA and the syslog server is TCP. Check the Allow user traffic to pass when TCP syslog server is down checkbox in order to allow traffic to pass through the interface while the syslog server is down.
Message Queue Size: The message queue size is the number of messages that queue up in the FTD when the remote syslog server is busy and does not accept any log messages. The default is 512 messages and the minimum is 1 message. If 0 is specified, the queue size is considered unlimited.
...
Step 3. In order to add remote Syslog servers, click Add.
IP Address: From the IP Address drop-down list, choose a network object which has the Syslog servers listed. If you have not created a network object then click the plus (+) icon in order to create a new object.
Protocol: Click either the TCP or UDP radio button for Syslog communication.
Port: Enter the Syslog server port number. By default, it is 514.
Log Messages in Cisco EMBLEM format (UDP only): Check the Log Messages in Cisco EMBLEM format (UDP only) checkbox if messages must be logged in the Cisco EMBLEM format. This applies to UDP-based syslog only.
Available Zones: Choose the security zones over which the syslog server is reachable and move them to the Selected Zones/Interfaces column.
...
Click OK and Save in order to save the configuration.
Click Save in order to save the platform setting. Choose Deploy, choose the FTD appliance where you want to apply the changes, and click Deploy in order to start deployment of the platform setting.
Configure E-mail Setup for Logging
FTD allows you to send the Syslog to a specific e-mail address. E-mail can be used as a logging destination only if an e-mail relay server has already been configured.
There are two steps to configure e-mail settings for the Syslogs.
Step 1. Choose Device > Platform Setting > Threat Defense Policy > Syslog > E-mail Setup.
Source E-Mail Address: Enter the source e-mail address which will appear on all the e-mails sent out from the FTD which contain the Syslogs.
...
Step 2. In order to configure the destination e-mail address and Syslog severity, click Add.
Destination Email Address: Enter the destination e-mail address to which the syslog messages are sent.
Syslog Severity: Choose the Syslog severity from the Syslog Severity drop-down list.
...
Click OK in order to save the configuration.
Click Save in order to save the platform setting. Choose Deploy, choose the FTD appliance where you want to apply the changes, and click Deploy in order to start deployment of the platform setting.
Verification
Verification can be done either from the CCE server or from the UI.
Using CCE
Run the command: sudo tcpdump -i any port 514 and host <IP address>
Using UI
In the UI, go to Systems
...
>> Logs and Flows Collection Status
...
The IP address of the FTD appears in the Source device IP field.