topic attached here the syslog. in Network Security

CLI command to extract IPS event logs from Firepower Sensor

Mady — Tue, 12 Mar 2019 13:10:49 GMT

Hi,

Please help me extract the " Connection Events", "Security Intelligence Events", "Malware Events" and "IPS Events" from sensor via CLI. Hope you can provide me the command. I need this for our network audit activity.

Thank you in advance.

Regards,

Mady

Events are being stored on

Oliver Kaiser — Thu, 27 Oct 2016 18:34:41 GMT

Events are being stored on FMC in a MySQL database. The schema is documented here.

There is an option on FMC to permit remote database access so you could just use MySQL Workstation and build some sql queries to get the event data you are looking for.

Another option would be configuring syslog forwarding on fmc which might be the easier solution.

Let me know if you need further assistance

Hi ok0000007,

Mady — Fri, 28 Oct 2016 00:20:44 GMT

Hi ok0000007,

Thank you for your response. So there is no way to get the logs from IPS directly?

Regards,

Mady

There is no documented /

Oliver Kaiser — Fri, 28 Oct 2016 07:26:53 GMT

There is no documented / supported way to do this via DB. I have checked the sensor db scheme and could not find the appropriate event tables.

Is there a reason for not polling Firepower Management Center?

If we configure the syslog,

Mady — Fri, 28 Oct 2016 07:35:59 GMT

If we configure the syslog, can we get all the connection logs or IPS logs from sensor?

we wanted to get the logs from past weeks or months, that's why we're looking for the commands to get it directly from the sensor.

Also, if we issue show disk-manager there are connection events and IPS events, so I am wondering if we could get the logs from there.

Connection logs for several

Oliver Kaiser — Fri, 28 Oct 2016 08:02:39 GMT

Connection logs for several weeks/months wont be possible imo. I have checked disk-manager on FTD 6.1 and there are no connection events logged. In case your platform logs connection logs directly to the sensor they will most likely get rotated pretty fast since the max event storage will fill up

Snort events are indeed logged on disk. If you want to check the files you have to locate the following files using bash on the sensor...

snort-unified.alert

snort-unified.log

e.g.

> expert

admin@firepower:/home/admin# sudo su -

root@firepower:/home/admin# updatedb

root@firepower:/home/admin# locate snort-unified.alert

If you want to check the connection logs you have to find the configuration file for diskmanager at /etc/sf/diskmanager.conf and locate the logfile name.

For the future I would recommand logging FMC alerts to syslog and forwarding connection events to syslog for longterm data collection.

p.s Enabling syslog now will only send new events to your syslog server.

attached here the syslog.

Mady — Fri, 28 Oct 2016 08:03:53 GMT

attached here sample show disk-manager. would you know the logfile name and how can I retrieve it?

Hi Mady

Oliver Kaiser — Fri, 28 Oct 2016 09:00:20 GMT

Hi Mady

I have documented the procedure for locating the ips events. You may want to check the file using cat or vi and if it matches what you are looking for use scp to copy it to another system.

I checked the connection logs on a firepower module and could only locate bogus data referencing IDs. You might want to open a TAC case to get the data in a useable format via a query.

Hi,

Mady — Fri, 28 Oct 2016 09:32:23 GMT

Hi, Thank you very much. You are really helpful. Can you give me some sommands on how can I find the logs file i needed? Also, I already opened Cisco TAC but they are still in the process on checking the documents to extract the logs that I needed. You answer much quicker than them 🙂 You must be a TAC engineer too. Regards, Mady

According to diskmanager.conf

Oliver Kaiser — Sat, 29 Oct 2016 09:36:46 GMT

According to diskmanager.conf the connection events are only stored in a shared memory segment which includes a non human readable event log, so extracting historical data from sensor wont be feasable imo.

As for the ips events they are located in /var/sf/detection_engine. For finding the complete path you may use the commands i posted earlier to search for the specific files.

1. Change to linux shell

> expert

2. Change user to root (admin password required!)

admin@firepower:/home/admin# sudo su -

3. Update mlocate file database

root@firepower:/home/admin# updatedb

4. Search for file with name snort-unified.alert

root@firepower:/home/admin# locate snort-unified.alert

5. Read file using more

root@firepower:/home/admin# more <filepath_of_snort-unified.alert>