External Logging Configuration

Introduction

This guide covers external syslog configuration for the Secure Firewall platform, via the Secure Firewall Management Center (FMC). For information on different event types, event logging settings, calculating events per second (EPS), eStreamer vs. syslog, and other logging considerations, please see the Logging Best Practices guide, which was written as a companion document to this one. Because connection event volume on firewalls can be very high, it is strongly recommended to do a careful assessment of both event volume and the needed storage capacity on a SIEM or other log ingesting platform before configuring syslog.

Primary Syslog Configuration

Configuring an external syslog server can be done in two primary areas of the FMC GUI: Policies > Actions > Alerts, and in Platform Settings. The configuration in Platform Settings is recommended for Threat Defense firewalls. For this guide, we will configure syslog in Platform Settings.

Navigate to Devices > Platform Settings.

Click on the pencil icon to edit the desired policy.

Click on Syslog in the left menu.

In the top menu, click on Syslog Servers, then click the Add button.

Enter an IP address or hostname for the syslog server and select TCP or UDP as the protocol. TCP can be used for encrypted syslog, while UDP port 514 is the most common port and protocol used for syslog. Select the interface the firewall will use to send logs to the syslog server, and verify that routing and network access from that interface to the syslog server are in place. Click OK.

Click on Syslog Settings.

Check the box to ‘Enable timestamp on syslog messages’. Click the Timestamp Format box and verify that the preferred format is selected. Check the box for ‘Enable syslog device ID’ and select the preferred identifier from the dropdown—interface, hostname, or user defined.

Click Save.

The changes will need to be deployed before they take effect.
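Once a server is receiving logs, it is worth confirming on the receiver side that the timestamp and device ID enabled above are actually present, and measuring the event rate against the storage and ingest assessment recommended in the introduction. The following Python script is an added example, not Cisco's code or part of this guide; it assumes RFC 3164-style lines of the shape `<PRI>Mon DD YYYY HH:MM:SS device-id : message`, decodes facility and severity from the PRI, counts lines that lack a timestamp or device ID, and reports the peak events per second (EPS) seen in the sample. The sample lines, device names and message text are constructed for the example.

```python
"""Receiver-side sanity check for firewall syslog output (added example).

Parses lines of the assumed shape
    <PRI>Mon DD YYYY HH:MM:SS device-id : message
decodes facility/severity from PRI, flags lines missing the timestamp or
device ID, and computes the peak events-per-second (EPS) in the sample.
Sample lines below are constructed; names and messages are placeholders.
"""
import re
from collections import Counter
from datetime import datetime

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed line shape for this example: <PRI>, optional "Mon DD YYYY HH:MM:SS",
# optional device ID, then " : " and the message body.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2})?"
    r"\s*(?P<dev>[\w.-]+)?\s*:\s*(?P<msg>.*)$"
)

# Constructed sample: three events in one second, one warning, one line
# without a timestamp, one without a device ID, and one non-syslog line.
SAMPLE_LINES = [
    "<166>Jan 05 2024 10:15:30 fw-edge-01 : EXAMPLE connection event (constructed)",
    "<166>Jan 05 2024 10:15:30 fw-edge-01 : EXAMPLE connection event (constructed)",
    "<166>Jan 05 2024 10:15:30 fw-edge-01 : EXAMPLE connection event (constructed)",
    "<164>Jan 05 2024 10:15:31 fw-edge-01 : EXAMPLE intrusion event (constructed)",
    "<166>fw-edge-02 : EXAMPLE event without timestamp (constructed)",
    "<166>Jan 05 2024 10:15:31 : EXAMPLE event without device ID (constructed)",
    "garbage line that is not syslog",
]


def parse_line(line):
    """Return a dict of decoded fields, or None if the line is not valid syslog."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # RFC 3164: facility 0..23 * 8 + severity 0..7
        return None
    ts = None
    if m.group("ts"):
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %Y %H:%M:%S")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": ts,
        "device": m.group("dev"),
        "message": m.group("msg"),
    }


def audit(lines):
    """Summarise a sample: defect counts, per-severity counts and peak EPS."""
    per_second = Counter()
    summary = {
        "parsed": 0, "unparseable": 0, "missing_timestamp": 0,
        "missing_device_id": 0, "by_severity": Counter(), "peak_eps": 0,
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparseable"] += 1
            continue
        summary["parsed"] += 1
        summary["by_severity"][rec["severity_name"]] += 1
        if rec["timestamp"] is None:
            summary["missing_timestamp"] += 1
        else:
            per_second[rec["timestamp"]] += 1  # bucket by whole second
        if rec["device"] is None:
            summary["missing_device_id"] += 1
    if per_second:
        summary["peak_eps"] = max(per_second.values())
    return summary


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

To use it against real output, replace `SAMPLE_LINES` with lines read from the receiver's spool file; a non-zero `missing_timestamp` or `missing_device_id` count means the Platform Settings options above have not taken effect (or the policy has not been deployed), and `peak_eps` is the number to compare against the SIEM's licensed ingest rate.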

Access Control Policy Log Settings & Syslog

The Access Control policy can set syslog for Intrusion events, File and Malware events, Security Intelligence events, and Connection events. Syslog for policies linked to the Access Control policy can also be set, including the DNS, Prefilter, and Decryption policies. As covered in the Logging Best Practices guide, it is recommended to prioritize syslog for Threat events (Intrusion, File and Malware, and Security Intelligence). Connection events should only be sent to syslog after making a careful assessment of event volume and data ingest capacity. Events aside from Threat events and Connection events should only be sent to syslog if there is a defined use case or need.

Configuring Threat Event Syslog via the Access Control Policy

Navigate to Policies > Access Control.

Locate the policy you want to configure syslog for (or create a new one) and click the pencil icon to edit.

Let’s now review the default syslog configuration for our Access Control policy. At the top of the Access Control policy, click More > Logging.

This shows the default syslog configuration for the Access Control policy. The screenshot below shows the blank configuration.

We can set several areas of config from this page. First, we’ll check the box to use the syslog configuration from the FTD Platform Settings. This configuration instructs the firewalls which have this Access Control policy applied to use the syslog configuration in their Platform Settings to send logs.

Next, we can configure syslog for the Intrusion and File policies associated with this Access Control policy, sending syslog events for any Intrusion, Malware, or File events that are generated. Below is the full configuration. Click Save when finished.

The above configuration instructs the system to generate syslogs for Intrusion, File, and Malware events, and send them to the specified syslog server. We can also configure syslog for the DNS policy and Security Intelligence by clicking on the Security Intelligence tab. This will generate logs every time a DNS request, IP, or URL is matched against a threat blocklist.

We can configure syslog settings for the DNS policy, the IP blocklist, and the URL blocklist from this page. Note that logging isn’t available for configurations that are integrated with Umbrella for DNS, as Umbrella does the malicious DNS check in that configuration. If using a local DNS policy, click the logging icon to configure.

From here we can configure the system to log events and send them to the FMC, a syslog server, or both. After setting the desired configuration, click OK.

Next, we can configure syslog for the IP and URL blocklists. Note that these lists must be populated by selecting Network and URL categories on the left and adding them to the blocklist on the right. If you are configuring this for the first time, you should first establish an event rate baseline before configuring syslog. In the screenshot below, block list categories have already been added to the list on the right.

To enable syslog for the IP blocklist, click the logging icon next to Networks.

As with the DNS policy, we can enable logging and configure logs to be sent to the FMC, syslog, or both. Click OK when finished.

Scroll down the Block List to the URLs section, then click the logging icon.

Configure the desired settings, then click OK.

With these settings, syslog is configured for all of the Threat event categories of Intrusion, File and Malware, and Security Intelligence. Save the Access Control policy, then deploy changes when ready.

Configuring Connection Event Syslog via the Access Control Policy

Connection Events

Connection events are by far the highest volume log for any firewall, and should only be enabled after a careful assessment of event rates and SIEM data ingest capacity.

Each rule in the Access Control policy has a customizable logging configuration. Within the Access Control policy, click the pencil icon next to any rule to edit.

This example rule has logging turned off. Click the text next to Logging (OFF or ON) to configure.

The logging options for each Access Control rule include beginning and end of connection logging (covered in the Logging Best Practices guide), and options to send the logs to the FMC, a syslog server, or both. There are also options for overrides and sending SNMP traps. For this example, we will use end of connection logging and send the logs to both the FMC and the default syslog server for this Access Control policy. When finished, click Confirm.

Click Apply.

Rules with logging enabled will display the log icon in black. Mousing over the log icon will show the logging configuration for the rule.

Logging can also be configured for the Default Action of the Access Control policy. At the bottom of the Access Control policy, click the gear icon.

Because our Default Action is set to block all traffic (implicit deny, a best practice), the connection is terminated as soon as the rule matches, so only beginning of connection logging is available. All other log settings are the same as for an Access Control rule. Click Apply when finished.

After logging for the Access Control rules and Default Action has been configured, we can review the default syslog configuration for our Access Control policy by clicking More > Logging (this configuration was set previously in the Threat Events section).

This page shows the specified syslog server and settings to send syslogs for Intrusion, File, and Malware events.

Click Save when finished, then Deploy changes if ready.

Logging & Syslog Configuration for Other Traffic Event Types

Threat events have immediate security benefits for syslog ingestion, and Connection events provide a wealth of traffic information for organizations who ingest them at scale. Other traffic related events can serve smaller use cases, and are covered in this section. It is generally recommended not to export these logs to syslog unless there is an understood business use case.

Prefilter Policy Traffic Events

Logging for the Prefilter policy can be ignored for any organizations that are using the default Prefilter policy settings, which send all traffic to the Access Control policy for analysis. For organizations that are using prefilter rules to block or fastpath traffic, Prefilter events can serve as a complement to Connection event logging to provide a full picture of network traffic.

Syslog for the Prefilter policy can be configured either by navigating to Policies > Prefilter > edit a policy, or by clicking on the Prefilter Rules link in the Access Control policy and then editing the linked Prefilter policy, as shown below.

The three rule actions available in the Prefilter policy are Block, Fastpath, and Analyze. By default, the Prefilter policy has a Default Action of Analyze.

Clicking the log icon next to the Default Action will show the logging settings greyed out. This is because the Analyze action sends any matched connections to the Access Control policy, where more granular logging can be captured.

However, logging can be enabled for any rules with the Fastpath or Block action, as these are not sent to the Access Control policy. Click the log icon next to any Fastpath or Block rule to configure.

As with Access Control rules, any Prefilter rule set to Block does not have End of Connection logging available, as the connection is immediately terminated. Fastpath rules allow both Beginning and End of Connection logging. The Prefilter policy inherits the syslog configuration from its associated Access Control policy. Click Save when finished with the configuration.

The policy must be deployed before the changes to logging will take effect.

Decryption Policy Traffic Events

Decryption events are generated when traffic is decrypted using a configured decryption policy. Organizations that are not performing traffic decryption will not have this event type. For organizations that are performing traffic decryption, Decryption events should only be sent to syslog after assessing event volume and identifying use cases for the Decryption event data.

Syslog for the Decryption policy can be configured via Policies > Decryption > edit, or by clicking the Decryption policy link in the Access Control policy, as shown below.

From within the Decryption policy, click the pencil icon to edit a rule.

Click on Logging.

Because decryption occurs after the beginning of a connection, only End of Connection logging is available for Decryption events. As with other event types the logs can be sent to the FMC, syslog, or both. Click Save when done.

As with other policies, the Decryption policy has a Default Action. Click the log icon to configure.

Click OK when configuration is complete.

Save the Decryption policy, then deploy the changes when ready.

Logging & Syslog Configuration for Audit Logs

While audit events can be easily accessed on the FMC, organizations may opt to export them to comply with regulations or as a best practice. FMC admins can delete audit events, but deleting an audit event will create a new audit event that includes the action and the details on the user who initiated the action, creating a record of non-repudiation. While this is an acceptable level of control for some, storing audit logs in a remote location with more controlled data retention is preferable.

Audit logs are sent directly from the FMC to a syslog server, and require separate configuration from the Platform Settings configuration set earlier. By default, audit logs will be sent over UDP port 514, which is the configuration covered in this guide. However, audit logs can also be sent via encrypted TCP, which is a best practice when a compatible syslog destination is available. For steps to configure encrypted syslog for Audit events, see the Audit Log Certificate section of the configuration guide.

Configuring Audit Event Syslog

In the FMC, navigate to System > Configuration.

Click on Audit Log.

Set ‘Send Audit Log to Syslog’ to Enabled. Specify the host or IP address of the syslog server. Leave the Facility and Severity on the default values unless other values are preferred. A tag can also be set, if desired.

The above configuration also has an option for ‘Send Configuration Changes’. This setting includes granular change data to supplement the audit logs, and can be configured if desired.

By default, the FMC uses ICMP (or ARP for a local network syslog server) and TCP SYN packets to verify connectivity to the syslog server. You can verify connectivity using the Test Syslog Server button. Click Save when finished.
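The connectivity test above checks reachability, not that a syslog message actually arrives and carries the intended facility, severity and tag. The following Python script is an added example, not Cisco's code or part of this guide: it builds an RFC 3164-style message from a facility, severity and tag (PRI is facility * 8 + severity), runs it through a UDP listener on the loopback address to confirm the round trip, and provides a small `listen()` helper for watching datagrams on a test host before the FMC is pointed at the production SIEM. The hostname, tag and message text are constructed placeholders, and the port numbers are this example's own choices.

```python
"""Loopback check of the plaintext UDP syslog path (added example).

build_message() formats <PRI>Mon DD HH:MM:SS host tag: text with PRI
derived from facility and severity; loopback_roundtrip() proves a UDP
listener receives it; listen() prints real datagrams on a test host.
Hostname, tag and text below are constructed placeholders.
"""
import socket
from datetime import datetime


def build_message(facility, severity, tag, text, hostname="fmc-example", when=None):
    """Return an RFC 3164-style line; PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    when = when or datetime.now()
    stamp = when.strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {text}"


def decode_pri(line):
    """Return (facility, severity) decoded from the leading <PRI>."""
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def loopback_roundtrip(message, timeout=2.0):
    """Send `message` to a UDP listener on 127.0.0.1 and return what arrived."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))  # ephemeral port, no privileges needed
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        sender.sendto(message.encode("utf-8"), ("127.0.0.1", port))
        data, _ = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return data.decode("utf-8", errors="replace")


def listen(bind_addr="0.0.0.0", port=5514, count=5, timeout=60.0):
    """Print `count` datagrams with decoded facility/severity.

    Port 514 (the default used for audit logs) needs root to bind; 5514 is
    this example's unprivileged choice. Returns the received lines.
    """
    received = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind((bind_addr, port))
        while len(received) < count:
            data, (src, _) = sock.recvfrom(65535)
            line = data.decode("utf-8", errors="replace")
            facility, severity = decode_pri(line)
            print(f"{src} facility={facility} severity={severity} {line}")
            received.append(line)
    except socket.timeout:
        print("timed out waiting for datagrams")
    finally:
        sock.close()
    return received


if __name__ == "__main__":
    msg = build_message(1, 6, "fmc-audit", "constructed audit event")
    print("sent:    ", msg)
    print("received:", loopback_roundtrip(msg))
```

Run `listen()` on the receiving host, then save the Audit Log configuration and perform an action that generates an audit event (for example, logging in to the FMC); the decoded facility and severity printed for each datagram should match the values chosen on the Audit Log page.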
