Configuring the Syslog Service on Cisco Firepower devices

Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Step 1: Syslog server configuration

To configure a Syslog Server for traffic events, navigate to Configuration > ASA Firepower Configuration > Policies > Actions Alerts and click the Create Alert drop-down menu and choose option Create Syslog Alert. For web interfaces, navigate to Policies > Actions Alerts. Enter the values for the Syslog server.

Name: Specify the name which uniquely identifies the Syslog server.

Host: Specify the IP address/hostname of Syslog server.

Port: Specify the port number of Syslog server.

Facility: Select any facility that is configured on your Syslog server.

Severity: Select any Severity that is configured on your Syslog server.

Tag: Specify tag name that you want to appear with the Syslog message.

Step 2: Enable external logging for Connection Events

Connection Events are generated when traffic hits an access rule with logging enabled. In order to enable the external logging for connection events, navigate to ASDM Configuration > ASA Firepower Configuration > Policies > Access Control Policy. For web interfaces, navigate to Policies > Access Control Policy. Edit the access rule and navigate to logging option.

Select the logging option either log at Beginning and End of Connection or log at End of Connection. Navigate to Send Connection Events to option and specify where to send events.

In order to send events to an external Syslog server, select Syslog, and then select a Syslog alert response from the drop-down list. Optionally, you can add a Syslog alert response by clicking the add icon.

Step 3: Enable external logging for Intrusion Events

Intrusion events are generated when a signature (snort rules) matches some malicious traffic. In order to enable the external logging for intrusion events, navigate to ASDM Configuration > ASA Firepower Configuration > Policies > Intrusion Policy > Intrusion Policy. For web interfaces, navigate to Policies > Intrusion Policy > Intrusion Policy. Either create a new Intrusion policy or edit an existing one. Navigate to Advanced Setting > External Responses.

In order to send intrusion events to an external Syslog server, select option Enabled in Syslog Alerting then click the Edit option.
Logging Host: Specify the IP address/hostname of Syslog server.
Facility: Select any facility that is configured on your Syslog server.
Severity: Select any Severity that is configured on your Syslog server.

Note: From Version 6.3 and above, make sure to enable timestamping in the RFC 5242 format in Firepower Threat Defense for collecting syslogs along with their timestamps.

Help Document

Configuring the Syslog Service on Cisco Firepower devices

Step 1: Syslog server configuration

Step 2: Enable external logging for Connection Events

Step 3: Enable external logging for Intrusion Events

Don't see what you're looking for?

Visit our community

Request additional resources

Need implementation assistance?