https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3707841#M1014288 <P>Hi All</P> <P>&nbsp;</P> <P>Just curious if anyone has encountered the similar situation before.</P> <P>I have configured the FMC's Management/Audit logs to be sent to a SIEM via syslog.</P> <P>&nbsp;</P> <P>(System &gt; Configuration &gt; Audit Logs)</P> <P>&nbsp;</P> <P>The problem I have encountered is that the username&nbsp;is not present in syslog payload. Some of the sample syslog payload is as below.</P> <P>&nbsp;</P> <P>Sep 17 01:51:35 0M-FMCv Login[23783]: Login Failed<BR />Sep 17 01:53:46 0M-FMCv Login[24333]: Login Success<BR />Sep 17 01:31:57 0M-FMCv System &gt; Users &gt; User Roles &gt; User Role Editor[26824]: Page View<BR />Sep 17 01:31:52 0M-FMCv System &gt; Users &gt; User Roles[26825]: Page View<BR />Sep 17 01:31:42 0M-FMCv System &gt; Users &gt; Users[19589]: Page View<BR />Sep 17 01:31:10 0M-FMCv System &gt; Users &gt; User Roles[26825]: Page View<BR />Sep 17 01:30:55 0M-FMCv System &gt; Users &gt; Users &gt; Edit User[19317]: Page View<BR />Sep 17 01:29:31 0M-FMCv Login[18816]: Login Success<BR />Sep 17 01:29:19 0M-FMCv Logout[18701]: Logout Success</P> <P>&nbsp;</P> <P>I have tried using different users, but we can't distinguish between user activities as the username is not there.&nbsp;</P> <P>&nbsp;</P> <P>Thanks.</P> Fri, 21 Feb 2020 16:14:58 GMT osama.mehtab.ga 2020-02-21T16:14:58Z https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3707841#M1014288 <P>Hi All</P> <P>&nbsp;</P> <P>Just curious if anyone has encountered the similar situation before.</P> <P>I have configured the FMC's Management/Audit logs to be sent to a SIEM via syslog.</P> <P>&nbsp;</P> <P>(System &gt; Configuration &gt; Audit Logs)</P> <P>&nbsp;</P> <P>The problem I have encountered is that the username&nbsp;is not present in syslog payload. Some of the sample syslog payload is as below.</P> <P>&nbsp;</P> <P>Sep 17 01:51:35 0M-FMCv Login[23783]: Login Failed<BR />Sep 17 01:53:46 0M-FMCv Login[24333]: Login Success<BR />Sep 17 01:31:57 0M-FMCv System &gt; Users &gt; User Roles &gt; User Role Editor[26824]: Page View<BR />Sep 17 01:31:52 0M-FMCv System &gt; Users &gt; User Roles[26825]: Page View<BR />Sep 17 01:31:42 0M-FMCv System &gt; Users &gt; Users[19589]: Page View<BR />Sep 17 01:31:10 0M-FMCv System &gt; Users &gt; User Roles[26825]: Page View<BR />Sep 17 01:30:55 0M-FMCv System &gt; Users &gt; Users &gt; Edit User[19317]: Page View<BR />Sep 17 01:29:31 0M-FMCv Login[18816]: Login Success<BR />Sep 17 01:29:19 0M-FMCv Logout[18701]: Logout Success</P> <P>&nbsp;</P> <P>I have tried using different users, but we can't distinguish between user activities as the username is not there.&nbsp;</P> <P>&nbsp;</P> <P>Thanks.</P> Fri, 21 Feb 2020 16:14:58 GMT https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3707841#M1014288 osama.mehtab.ga 2020-02-21T16:14:58Z https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3707868#M1014289 <P>You're right - that's a shortcoming in the current syslog functionality on FMC. I just confirmed it on my system running the latest 6.2.3.5 release.</P> <P>&nbsp;</P> <P>Even a login success event doesn't provide the username via syslog (even though the syslog view in FMC does include the username). Below you can see both the FMC view as well as a packet capture the actual syslog message received on my target syslog host:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FMC - Syslog.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/18727i079674931382DF1A/image-size/large?v=v2&amp;px=999" role="button" title="FMC - Syslog.PNG" alt="FMC - Syslog.PNG" /></span></P> Mon, 17 Sep 2018 05:52:32 GMT https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3707868#M1014289 Marvin Rhoads 2018-09-17T05:52:32Z https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3707869#M1014291 <P>Yes Marvin,</P> <P>&nbsp;</P> <P>I did the same to check. I think&nbsp;username and IP address&nbsp;were there in earlier versions but I am not sure about it.</P> <P>&nbsp;</P> <P>However, I found&nbsp;a file /var/log/CSMAgent.log in which we can see the successful login and logout event but its not very helpful for my case. Anyways thanks for your response, really appreciate that you took to respond.</P> <P>&nbsp;</P> Mon, 17 Sep 2018 06:02:35 GMT https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3707869#M1014291 osama.mehtab.ga 2018-09-17T06:02:35Z https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3817405#M1014292 <P>Has this been resolved in 6.3?</P> Mon, 11 Mar 2019 13:59:25 GMT https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3817405#M1014292 boecknerm@bhc.edu 2019-03-11T13:59:25Z https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3817786#M1014293 <P>Yes - I am running 6.3.0.1. We now see the syslog messages with the username and source IP address from which the user logged in is included in the syslog messages:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FMC syslog with username.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/31759i996407CC0F71628D/image-size/large?v=v2&amp;px=999" role="button" title="FMC syslog with username.PNG" alt="FMC syslog with username.PNG" /></span></P> Tue, 12 Mar 2019 04:14:37 GMT https://community.cisco.com/t5/network-security/fmc-audit-logs-username-missing-in-syslog-payload/m-p/3817786#M1014293 Marvin Rhoads 2019-03-12T04:14:37Z