https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3729823#M1013567 <P>Not as far as I know.</P> <P>&nbsp;</P> <P>Cisco encourages customers to press their SIEM vendor to support eStreamer as it is considered architecturally capable to handle to potential volume of event coming from an FMC in a reliable and secure manner</P> Mon, 22 Oct 2018 13:55:02 GMT Marvin Rhoads 2018-10-22T13:55:02Z https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3729688#M1013564 <P>Hello,</P> <P>&nbsp;</P> <P><SPAN>We are using the IPS module on the Cisco ASA 5525-X Firewalls and we’re running version 6.2.0.6.</SPAN></P> <P><SPAN>We would like to forward detailed logs to a Syslog server.</SPAN></P> <P><SPAN>We followed&nbsp;these&nbsp;procedures:</SPAN></P> <P><SPAN><A href="https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html</A></SPAN></P> <P><SPAN><A href="https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200328-Configure-Logging-in-Firepower-Module-fo.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200328-Configure-Logging-in-Firepower-Module-fo.html</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>We are indeed receiving logs in our Syslog server. However, we are only receiving&nbsp;Block and Allow events. We are not receiving&nbsp;the detailed IPS events (i.e the reason behind a block). Here is an example:</SPAN></P> <P>&nbsp;</P> <P><SPAN>Oct 21 13:00:00 somename SFIMS: Protocol: TCP, SrcIP: x.x.x.x, OriginalClientIP: ::, DstIP: y.y.y.y, SrcPort: 28971,<BR />DstPort: 443, TCPFlags: 0x0, IngressInterface: internet, EgressInterface: dmz, DE: Primary Detection Engine<BR />(9c902a8c), Policy: YY-Firewalls, ConnectType: End, AccessControlRuleName: XX-rule,<BR />AccessControlRuleAction: Block, <STRONG>AccessControlRuleReason: Intrusion Block</STRONG>, Prefilter Policy: Unknown, UserName: No Authentication Required,<BR />Client: SSL client, ApplicationProtocol: HTTPS, IPSCount: 1, InitiatorPackets: 6, ResponderPackets: 5, InitiatorBytes: 661, ResponderBytes:<BR />5511, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk<BR />unknown</SPAN></P> <P>&nbsp;</P> <P><SPAN>As you can see, the log line indicates a block but we don't see the reason.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>In the FireSight Management&nbsp;console, we can see the reason behind a block, but we would like to see it in our Syslog server.</SPAN></P> <P>&nbsp;</P> <P><SPAN>1- Can the FirePower module forward IPS events to a Syslog server? or only Connection Events?</SPAN></P> <P><SPAN>2- If yes, what else should we do?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thank you.</SPAN></P> Tue, 12 Mar 2019 14:02:50 GMT https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3729688#M1013564 Nethariel 2019-03-12T14:02:50Z https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3729737#M1013565 <P>As you observed, IPS events via syslog only show a subset of the entire data set.</P> <P>&nbsp;</P> <P>To get all the metadata you need to use an application like Splunk that connects as an eStreamer client to feed the event data.</P> Mon, 22 Oct 2018 12:11:18 GMT https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3729737#M1013565 Marvin Rhoads 2018-10-22T12:11:18Z https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3729778#M1013566 <P>Thank you for your quick reply Marvin.</P> <P>&nbsp;</P> <P>The thing that confuses me is that AlienVault has a plugin to parse all kind of FirePower events. So you would expect that there should be a way to get these events to AlienVault.</P> <P>Do you know if it is possible to do that without using additional applications?</P> Mon, 22 Oct 2018 12:55:15 GMT https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3729778#M1013566 Nethariel 2018-10-22T12:55:15Z https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3729823#M1013567 <P>Not as far as I know.</P> <P>&nbsp;</P> <P>Cisco encourages customers to press their SIEM vendor to support eStreamer as it is considered architecturally capable to handle to potential volume of event coming from an FMC in a reliable and secure manner</P> Mon, 22 Oct 2018 13:55:02 GMT https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3729823#M1013567 Marvin Rhoads 2018-10-22T13:55:02Z https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3731378#M1013568 <P>Thanks again for your reply.</P> <P>&nbsp;</P> <P>Do you know if using SNMP could work?</P> <P>In this image, taken from the official guide, it says that Syslog sends Connection Events only, while SNMP doesn't say that. Could that be the reason/solution?</P> <P>&nbsp;</P> <P><IMG src="https://www.cisco.com/c/dam/en/us/support/docs/security/asa-firepower-services/200328-Configure-Logging-in-Firepower-Module-fo-02.png" border="0" /></P> Wed, 24 Oct 2018 07:58:47 GMT https://community.cisco.com/t5/network-security/forwarding-ips-events-via-syslog/m-p/3731378#M1013568 Nethariel 2018-10-24T07:58:47Z