Last updated: Jul 29, 2025

Guidelines for Logging

This section includes guidelines and limitations that you should review before configuring logging.

IPv6 Guidelines

  • IPv6 is supported. Syslogs can be sent using TCP or UDP.

  • Ensure that the interface configured for sending syslogs is enabled, IPv6 capable, and the syslog server is reachable through the designated interface.

  • Secure logging over IPv6 is not supported.

Additional Guidelines

  • Do not configure Firewall Management Center as a primary syslog server. The Firewall Management Center can log some syslogs, but it does not have enough storage for the volume of connection events that every sensor generates, especially when multiple sensors all send their syslogs to it.

  • The syslog server must run a syslog daemon such as syslogd, rsyslog, or syslog-ng. Windows does not include a syslog server as part of the operating system; on a Windows host, install a third-party syslog server.

  • Syslog on the firewall system is implemented by its syslog-ng process. Do not load external syslog-ng configuration files, such as the scwx.conf file from SecureWorks, onto the device. Such files are not compatible with the device: they cause parsing errors, and the syslog-ng process eventually fails.

  • To view logs generated by the Firewall Threat Defense device, you must specify a logging output destination. If you enable logging without specifying a logging output destination, the Firewall Threat Defense device generates messages but does not save them to a location from which you can view them. You must specify each different logging output destination separately.

  • You cannot assign two different event lists or message classes to different syslog servers, nor two different lists or classes to the same destination.

  • You can configure up to 16 syslog servers.

  • The syslog server must be reachable through the Firewall Threat Defense device. Configure the device to deny ICMP unreachable messages on the interface through which the syslog server is reachable, and send syslogs to that same server. Make sure that you have enabled logging for all severity levels. To keep the syslog server from being overwhelmed, suppress the generation of syslogs 313001, 313004, and 313005: these are the denied-ICMP messages, and with all severity levels enabled, every ICMP unreachable the device drops on that interface would otherwise generate yet another syslog to the same server.

  • The number of UDP connections for syslog is directly related to the number of CPUs on the hardware platform and the number of syslog servers you configure. At any point in time, there can be as many UDP syslog connections as there are CPUs times the number of configured syslog servers. This is the expected behavior. Note that the global UDP connection idle timeout applies to these sessions, and the default is 2 minutes. You can lower that setting if you want these sessions to close more quickly, but the timeout applies to all UDP connections, not just syslog.

  • When the Firewall Threat Defense device sends syslogs via TCP, the connection takes about one minute to initiate after the syslogd service restarts.

  • When the TCP logging host goes down, it takes approximately 6 minutes for its connection status to change from Connected to Not connected. Logging relies on TCP to detect the channel state, and until the channel is closed it keeps sending logs through it. During this time, the output of the show log command still displays the TCP logging host as connected. Once the TCP channel is closed, the TCP logging host state is updated to Not connected.
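The guideline above on suppressing syslogs 313001, 313004, and 313005 is easiest to confirm from the collector side: if those denied-ICMP messages dominate what the syslog server receives, suppression has not been applied. The following Python parser for the Firewall Threat Defense message format (`%FTD-<severity>-<id>: <text>`) counts messages per ID and flags that condition. It is an added example, not code from this page or from Cisco; the sample lines are constructed for illustration, the LOCAL4 facility (20) in their `<PRI>` values is assumed as the device default, and the flood threshold is an arbitrary demonstration value.

```python
"""Parse Firewall Threat Defense syslog lines and flag the denied-ICMP
message IDs (313001, 313004, 313005) that the logging guidelines say to
suppress. Added example; sample lines below are constructed, not captured."""
import re
from collections import Counter

# Message IDs the guidelines recommend suppressing so that a syslog server
# answering UDP syslog with ICMP unreachables is not flooded with denials.
SUPPRESS_IDS = {"313001", "313004", "313005"}

# <PRI> is optional on the wire; PRI = facility * 8 + severity.
# FTD messages carry their own severity and ID: %FTD-<severity>-<id>: <text>
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) )?"
    r"(?:(?P<host>[\w.-]+) )?"
    r"%FTD-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$"
)

# Constructed sample traffic; facility 20 (LOCAL4) is assumed as the default,
# so PRI 163/164/166 encode severities 3/4/6.
SAMPLE_LINES = [
    "<166>Jul 29 2025 10:15:01 ftd1 %FTD-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51514 (192.0.2.10/51514)",
    "<163>Jul 29 2025 10:15:02 ftd1 %FTD-3-313001: Denied ICMP type=3, code=3 from 192.0.2.50 on interface inside",
    "<164>Jul 29 2025 10:15:02 ftd1 %FTD-4-313004: Denied ICMP type=3, from 192.0.2.50 on interface inside "
    "to 192.0.2.1: no matching session",
    "<164>Jul 29 2025 10:15:03 ftd1 %FTD-4-313005: No matching connection for ICMP error message: "
    "icmp src inside:192.0.2.50 dst inside:192.0.2.1 (type 3, code 3) on inside interface. "
    "Original IP payload: udp src 192.0.2.1/514 dst 192.0.2.50/514.",
    "<164>Jul 29 2025 10:15:04 ftd1 %FTD-4-106023: Deny tcp src outside:198.51.100.7/40000 "
    "dst inside:192.0.2.10/22 by access-group \"acp\"",
    "this line is not a syslog message",
]


def parse_ftd_syslog(line):
    """Return a dict with facility, sev, id, host, ts, text, pri_mismatch; None if not FTD syslog."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    pri = rec.pop("pri")
    if pri is not None:
        rec["facility"], pri_sev = divmod(int(pri), 8)
        # A PRI severity that disagrees with the %FTD-<sev> field points at a
        # mangled or forged line; keep the record but mark it.
        rec["pri_mismatch"] = pri_sev != rec["sev"]
    else:
        rec["facility"] = None
        rec["pri_mismatch"] = False
    return rec


def summarize(lines, flood_threshold=3):
    """Count messages per ID and decide whether denied-ICMP suppression is still needed."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_ftd_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        counts[rec["id"]] += 1
    icmp_denials = sum(counts[i] for i in SUPPRESS_IDS)
    return {
        "counts": dict(counts),
        "unparsed": unparsed,
        "icmp_denials": icmp_denials,
        "suppression_advised": icmp_denials >= flood_threshold,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for msg_id, n in sorted(report["counts"].items()):
        flag = "  <-- suppress on the device" if msg_id in SUPPRESS_IDS else ""
        print(f"{msg_id}: {n}{flag}")
    print(f"unparsed: {report['unparsed']}, icmp denials: {report['icmp_denials']}, "
          f"suppression advised: {report['suppression_advised']}")
```

Feed the parser the lines your syslog server actually receives (for example, the tail of its log file) instead of `SAMPLE_LINES`; a large share of 313001/313004/313005 relative to everything else means the device is still logging the ICMP unreachables that the guideline tells you to deny and suppress. The collector-side count is a check, not a fix: the suppression itself belongs on the Firewall Threat Defense device.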