On This Page
Configuring a Cisco Firewall Management Center (FMC) to Send Syslogs
If you want to collect usage from Cisco Firewall Threat Defense (FTD) devices managed by an FMC, you can configure a policy in the FMC to send syslogs to SecureTrack. This configuration will apply to all the policy's rules that send syslogs to SecureTrack.
Configuring the FMC comprises the following stages:
- Enable Syslog in FMC (Accountability)
- Enable a Syslog Device ID on the FTDs (Data Usage)
- Create a new Syslog alert
- Edit an FMC policy to send syslogs using the new alert
Enable Syslog in FMC (Accountability)
- In the FMC, navigate to the System > Configuration tab.
-
Select Audit Log.
-
Configure the following parameters:
-
Set Send Audit Log to Syslog to Enabled.
-
In the Host field, enter the appropriate TOS Aurora destination described in Sending Additional Information via Syslog.
-
Set Facility to LOCAL7.
-
Set Severity to NOTICE.
-
In the Tag field, enter the Log Tag defined in the Syslog Authentication window (Stage 3 of 5) when the device was configured.
This tag will be used in SecureTrack under “Syslog Authentication” as the Tag ID. The tag must be unique per FMC device.
-
- Click Save.
Enable a Syslog Device ID on the FTDs (Data Usage)
After the FMC device is configured, in SecureTrack, you can configure the device to collect usage data.
-
In the FMC, navigate to the Devices > Platform Settings tab.
-
To create a new policy: (If you are configuring an existing policy, skip to step 3)
-
Click New Policy > Threat Defense Settings.
-
In the Name field, enter a name for the new policy.
-
Select an FTD device to add to the policy, and click Add to Policy.
-
Click Save.
The New Policy dialog box appears.
-
-
In the row of the policy you want to configure, click the Edit() button.
-
In the navigation pane, select Syslog.
-
Select the Syslog Settings tab.
- Select the Enable Syslog Device ID option.
- From the drop-down menu, select User Defined ID.
- Enter an ID for the device syslogs. This ID will be used when configuring the device in SecureTrack.
-
In the FMC for the required domain, navigate to the Policies > Access Control > RULE_IN_THE_POLICY > Logging tab.
- Select one of these options:
- Log at Beginning of Connection
- Log at End of Connection
- Select Syslog Server.
- Select one of these options:
-
Click Save.
Create a new Syslog alert
-
In the FMC, navigate to Policies > Actions > Alerts.
-
Click Create Alert > Create Syslog Alert.
-
In the Name field, enter a name for the new alert.
-
In the Host field, enter the appropriate TOS Aurora destination described in Sending Additional Information via Syslog.
-
In the Facility field, select Syslog.
-
Click Save.
-
In the Enable column, enable the alert.
The Edit Syslog Configuration dialog box appears.
Edit an FMC policy to send syslogs using the new alert
-
In the FMC, navigate to Policies.
-
In the row of the policy which you want to use to send syslog alerts to SecureTrack, click the Edit () button.
-
Go to the Logging tab.
-
Select Send using specific syslog alert.
-
In the Syslog alert field, select the new syslog alert you created.
-
Click Save.
Was this helpful?
Thank you!
We’d love your feedback
We really appreciate your feedback
Send this page to a colleague