To configure your Cisco ASA with FirePOWER firewall to send web traffic syslog messages to your syslog server, you need to define the syslog server and apply syslog logging to your access control and SSL policies.
Define Syslog server in Cisco ASA w/FirePOWER
- To configure a Syslog Server for traffic events, navigate to Configuration | ASA FirePOWER Configuration | Policies | Actions Alerts, click the Create Alert drop-down menu, and choose Create Syslog Alert.
- Enter the following values for the Syslog server installed (see step 1 above).
  - Name: Specify a name that uniquely identifies your Syslog server, such as ‘Kiwi Syslog Server’.
  - Host: Specify the IP address/hostname of the Syslog server.
  - Port: Specify the port number your Syslog server is listening on. 514 is the default syslog server port.
  - Facility: Select any facility such as SYSLOG
  - Severity: Select Informational
  - Tag: Leave blank.
Apply Syslog to Access Control Policies
- Select Configuration | ASA FirePOWER Configuration | Policies | Access Control Policy.
- On the Rules tab, click the Edit icon next to the access control policies that apply to your network’s Internet usage. For each policy:
  - Go to the Logging tab and select Log at Beginning and End of Connection
  - In the Send connection events to section, check Syslog and select your syslog server (defined above)
  - Click OK.
- Select the Advanced tab and click the edit icon next to General Settings.
- Change the Maximum URL characters to store in connection events to 4096 (this is the maximum number of characters to store for URLs) and click OK.
- Click Store ASA FirePOWER Changes to save your changes.
Apply Syslog to SSL Policies
- Select Configuration | ASA FirePOWER Configuration | Policies | SSL
- On the Rules tab, click the Edit icon next to the SSL policies that apply to your network’s Internet usage. For each policy:
  - Go to the Logging tab and select Log at End of Connection
  - In the Send connection events to section, check Syslog and select your syslog server (defined above)
  - Click OK.
- Click Store ASA FirePOWER Changes to save your changes.
The Cyfin Syslog server should start receiving log messages and logging them to text files.
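To confirm that events arrive with the facility and severity set in the syslog alert, the following added example (not part of the original instructions or of any Cisco or Cyfin tooling) decodes the PRI header of received datagrams and compares it with SYSLOG / Informational. It assumes the firewall sends over UDP with a standard syslog PRI header; the function names and the sample datagrams are constructed for illustration.

```python
import re
import socket

# Standard syslog codes (RFC 3164 / RFC 5424): PRI = facility * 8 + severity.
FACILITY = {0: "KERN", 1: "USER", 2: "MAIL", 3: "DAEMON", 4: "AUTH", 5: "SYSLOG",
            6: "LPR", 7: "NEWS", 8: "UUCP", 9: "CRON", 10: "AUTHPRIV", 11: "FTP"}
FACILITY.update({16 + n: f"LOCAL{n}" for n in range(8)})
SEVERITY = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE",
            "INFORMATIONAL", "DEBUG"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, severity, rest), or None if the PRI header is missing or invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    fac, sev = divmod(int(m.group(1)), 8)
    rest = datagram[m.end():].decode("utf-8", errors="replace")
    return FACILITY.get(fac, f"FACILITY{fac}"), SEVERITY[sev], rest

def check(datagram, facility="SYSLOG", severity="INFORMATIONAL"):
    """Classify one datagram against the values chosen in the syslog alert."""
    decoded = decode_pri(datagram)
    if decoded is None:
        return "malformed"
    return "ok" if decoded[:2] == (facility, severity) else "mismatch"

def listen(host="0.0.0.0", port=514, count=5):
    """Receive `count` datagrams and print each sender with its verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))  # ports below 1024 need elevated privileges
        for _ in range(count):
            # 8192-byte buffer leaves room for URLs stored at the 4096-character limit
            data, (src, _port) = sock.recvfrom(8192)
            print(src, check(data), decode_pri(data))

# Constructed sample datagrams; the message text is a placeholder, not real device output.
SAMPLES = [b"<46>constructed connection event",   # SYSLOG + Informational
           b"<134>constructed connection event",  # LOCAL0 + Informational
           b"no PRI header"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample), decode_pri(sample))
```

To test against live traffic, call `listen()` on the syslog host while the regular syslog service is stopped, since both need the same port. A `mismatch` verdict means the alert was saved with a different facility or severity than the one described above.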
Additional Resources
- Wavecrest Video on setting up Syslog in Cyfin: Cyfin Syslog Setup Video