Configuring a Cisco Firewall Management Center (FMC) to Send Syslogs

If you want to collect usage from Cisco Firewall Threat Defense (FTD) devices managed by an FMC, you can configure a policy in the FMC to send syslogs to SecureTrack. This configuration will apply to all the policy's rules that send syslogs to SecureTrack.

Configuring the FMC comprises the following stages:

  1. Enable Syslog in FMC (Accountability)
  2. Enable a Syslog Device ID on the FTDs (Data Usage)
  3. Create a new Syslog alert
  4. Edit an FMC policy to send syslogs using the new alert

Enable Syslog in FMC (Accountability)

  1. In the FMC, navigate to the System > Configuration tab.
  2. Select Audit Log.

  3. Configure the following parameters:

    • Set Send Audit Log to Syslog to Enabled.

    • In the Host field, enter the appropriate TOS Aurora destination described in Sending Additional Information via Syslog.

    • Set Facility to LOCAL7.

    • Set Severity to NOTICE.

    • In the Tag field, enter the Log Tag defined in the Syslog Authentication window (Stage 3 of 5) when the device was configured.
      This tag will be used in SecureTrack under “Syslog Authentication” as the Tag ID. The tag must be unique per FMC device.

  4. Click Save.

Enable a Syslog Device ID on the FTDs (Data Usage)

After the FMC device is configured, in SecureTrack, you can configure the device to collect usage data.

  1. In the FMC, navigate to the Devices > Platform Settings tab.

  2. To create a new policy: (If you are configuring an existing policy, skip to step 3)

    1. Click New Policy > Threat Defense Settings.

    2. The New Policy dialog box appears.

    3. In the Name field, enter a name for the new policy.

    4. Select an FTD device to add to the policy, and click Add to Policy.

    5. Click Save.

  3. In the row of the policy you want to configure, click the Edit() button.

  4. In the navigation pane, select Syslog.

  5. Select the Syslog Settings tab.

    1. Select the Enable Syslog Device ID option.
    2. From the drop-down menu, select User Defined ID.
    3. Enter an ID for the device syslogs. This ID will be used when configuring the device in SecureTrack.
  6. In the FMC for the required domain, navigate to the Policies > Access Control > RULE_IN_THE_POLICY > Logging tab.

    1. Select one of these options:
      • Log at Beginning of Connection
      • Log at End of Connection
    2. Select Syslog Server.
  7. Click Save.

Create a new Syslog alert

  1. In the FMC, navigate to Policies > Actions > Alerts.

  2. Click Create Alert > Create Syslog Alert.

  3. The Edit Syslog Configuration dialog box appears.

    1. In the Name field, enter a name for the new alert.

    2. In the Host field, enter the appropriate TOS Aurora destination described in Sending Additional Information via Syslog.

    3. In the Facility field, select Syslog.

    4. Click Save.

  4. In the Enable column, enable the alert.

Edit an FMC policy to send syslogs using the new alert

  1. In the FMC, navigate to Policies.

  2. In the row of the policy which you want to use to send syslog alerts to SecureTrack, click the Edit () button.

  3. Go to the Logging tab.

  4. Select Send using specific syslog alert.

  5. In the Syslog alert field, select the new syslog alert you created.

  6. Click Save.