Configure Logging Settings

This procedure describes how to enable logging of diagnostic (data) messages, file and malware events, intrusion events, and console events. Connection events are not logged as a result of these settings; they are logged if connection logging is configured on access rules, security intelligence policies, or SSL decryption rules.

Procedure


Step 1

Open an FDM-managed device's settings.

Step 2

On the System Settings page click Logging in the settings menu.

Step 3

Data logging. Slide the Data Logging slider to On to capture diagnostic logging syslog messages. Click the plus button to specify the syslog server object that represents the syslog server that you want to send the events to. (You can also create a syslog server object at this point.) Additionally, select the minimum level of event severity you want to log.

This will send data logging events for any type of syslog message, with your minimum chosen severity level, to the syslog server.

Note

CDO doesn't currently support creating a Custom Logging Filter for Data Logging. For finer control of which messages you send to the syslog server, we recommend you define this setting in an FDM-managed device. To do so, log on to an FDM-managed device, and navigate System Settings > Logging Settings.

Tip

Do not enable data logging if you are a Cisco Security Analytics and Logging customer unless you forward the data logging events to a syslog server other than the Secure Event Connector. Data events (diagnostic events) are not traffic events. Sending the data events to a different syslog server removes the burden on the SEC from analyzing and filtering them out.

Step 4

File/Malware Log Settings. Slide the slider to On to capture file and malware events. Specify the syslog server object that represents the syslog server that you want to send the events to. You can also create a syslog server object at this point if you have not already.

File and malware events are generated at the same severity level. The minimum level of event severity you select will be assigned to all file and malware events.

File and malware events are reported when a file or malware policy in any access control rule has been triggered. This is not the same as a connection event. Note that the syslog settings for file and malware events are relevant only if you apply file or malware policies, which require the and Malware licenses.

For Cisco Security Analytics and Logging subscribers:

  • If you send events to the Cisco cloud through a Secure Event Connector (SEC), specify an SEC as your syslog server. You will then be able to see these events alongside file policy and malware policy connection events.

  • If you send events directly to the Cisco cloud without an SEC, you do not need to enable this setting. File and malware events are sent if the access control rule is configured to send connection events.

Step 5

Intrusion Logging. Send intrusion events to a syslog server by specifying the syslog server object that represents the syslog server you want to send events to. You can also create a syslog server object at this point if you have not already.

Intrusion events are reported when an intrusion policy in any access control rule has been triggered. This is not the same as a connection event. Note that the syslog settings for intrusion events are relevant only if you apply intrusion policies, which require the license.

For Cisco Security Analytics and Logging subscribers:

  • If you send events to the Cisco cloud through a Secure Event Connector (SEC), specify an SEC as your syslog server. You will then be able to see these events alongside file policy and malware policy connection events.

  • If you send events directly to the Cisco cloud without an SEC, you do not need to enable this setting. Intrusion events are sent to the Cisco cloud if the access control rule is configured to send connection events.

Step 6

Console Filter. Slide the slider to On to send data logging (diagnostic logging) events to a console rather than to a syslog server. Additionally, select the minimum level of event severity you want to log. This will send a data logging event for any type of syslog message, with your chosen severity level.

You will see these messages when you log into the CLI on the console port of your FDM-managed device. You can also see these logs in an SSH session to other FDM-managed device interfaces (including the management interface) by using the show console-output command. In addition, you can see these messages in real time in the diagnostic CLI by entering system support diagnostic-cli from the main CLI.

Step 7

Click Save.

Step 8

Review and deploy the changes you made now, or wait and deploy multiple changes at once.