https://community.cisco.com/t5/network-security/question-sourcefire-firesight-syslog-to-include-inline-result/m-p/2859038#M1037749 <P>Hi Yog,</P> <P></P> <P>I check the documentation you provided, I have successfully retrieved the syslog from sourcefire, problem is the syslog does not have the inline result / action ( dropped or permitted ).</P> <P>correct me if i am wrong, I don't think changing the severity and priority will have any effect on that granularity of the syslog, that is only to mark the syslog sent with&nbsp;selected sev and priorioty&nbsp;and only effect how the syslog server process it.</P> <P></P> <P>thanks</P> Wed, 18 May 2016 05:49:30 GMT filterfilter 2016-05-18T05:49:30Z https://community.cisco.com/t5/network-security/question-sourcefire-firesight-syslog-to-include-inline-result/m-p/2859036#M1037719 <P><SPAN style="font-family: arial,helvetica,sans-serif;">Hi Guys,</SPAN></P> <P></P> <P><SPAN style="font-family: arial,helvetica,sans-serif;">I have setup a syslog alerting on Firesight Virtual Defense Center but i am unable to get the inline result for the events.</SPAN></P> <P></P> <P><SPAN style="font-family: arial,helvetica,sans-serif;">Below is the sample raw event i received</SPAN></P> <P></P> <P style="background: white none repeat scroll 0% 0%; padding-left: 30px;"><SPAN style="font-family: 'Courier New'; color: black;">Apr 14 01:09:20 XXXX XXX : [Primary Detection Engine (a9d9147e-dd96-11e2-a935-a6cb913df812)][XXXX][1:34463:2] "APP-DETECT TeamViewer remote administration tool outbound connection attempt" [Classification: Potential Corporate Policy Violation] User: Unknown, Application: TeamViewer, Client: Internet Explorer, App Protocol: HTTPInterface Ingress: s1p2, Interface Egress: s1p1, Security Zone Ingress: External, Security Zone Egress: Internal, [Priority: 1] {TCP} <A href="https://community.cisco.com/UrlBlockedError.aspx" target="_blank">x.x.x.x:51355</A> -&gt; <A href="https://community.cisco.com/UrlBlockedError.aspx" target="_blank">x.x.x.x:80</A></SPAN></P> <P style="background: white none repeat scroll 0% 0%; padding-left: 30px;"><SPAN style="font-family: 'Courier New'; color: black;">&nbsp;</SPAN></P> <P style="background: white none repeat scroll 0% 0%;"><SPAN style="font-family: arial,helvetica,sans-serif; color: black;">There we could see the snort ID, source, destination, port but not the inline result (whether it is dropped or not)</SPAN></P> <P style="background: white none repeat scroll 0% 0%;"><SPAN style="font-family: arial,helvetica,sans-serif; color: black;"></SPAN></P> <P style="background: white none repeat scroll 0% 0%;"><SPAN style="font-family: arial,helvetica,sans-serif; color: black;">Is there anyway to change and include those inline result using syslog.</SPAN></P> <P style="background: white none repeat scroll 0% 0%;"><SPAN style="font-family: 'Courier New'; color: black;"></SPAN></P> <P style="background: white none repeat scroll 0% 0%;"><SPAN style="font-family: arial,helvetica,sans-serif; color: black;">Thanks</SPAN></P> Tue, 12 Mar 2019 13:00:58 GMT https://community.cisco.com/t5/network-security/question-sourcefire-firesight-syslog-to-include-inline-result/m-p/2859036#M1037719 filterfilter 2019-03-12T13:00:58Z https://community.cisco.com/t5/network-security/question-sourcefire-firesight-syslog-to-include-inline-result/m-p/2859037#M1037738 <P>Hi</P> <P>Check this out. Should be able to help.</P> <P>http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html</P> <P></P> <P>Rate if helps.</P> <P>Yogesh</P> <P></P> Tue, 17 May 2016 11:25:54 GMT https://community.cisco.com/t5/network-security/question-sourcefire-firesight-syslog-to-include-inline-result/m-p/2859037#M1037738 yogdhanu 2016-05-17T11:25:54Z https://community.cisco.com/t5/network-security/question-sourcefire-firesight-syslog-to-include-inline-result/m-p/2859038#M1037749 <P>Hi Yog,</P> <P></P> <P>I check the documentation you provided, I have successfully retrieved the syslog from sourcefire, problem is the syslog does not have the inline result / action ( dropped or permitted ).</P> <P>correct me if i am wrong, I don't think changing the severity and priority will have any effect on that granularity of the syslog, that is only to mark the syslog sent with&nbsp;selected sev and priorioty&nbsp;and only effect how the syslog server process it.</P> <P></P> <P>thanks</P> Wed, 18 May 2016 05:49:30 GMT https://community.cisco.com/t5/network-security/question-sourcefire-firesight-syslog-to-include-inline-result/m-p/2859038#M1037749 filterfilter 2016-05-18T05:49:30Z https://community.cisco.com/t5/network-security/question-sourcefire-firesight-syslog-to-include-inline-result/m-p/2859039#M1037761 <P>HI ,</P> <P></P> <P>Yes you are right changing the severity and priority wont make any changes.</P> <P></P> <P>Check : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux57517/?reffering_site=dumpcr</P> <P></P> <P>Apparently in 5.4 and 6.0 as per the user guide as well only below parameters will be seen in syslog :</P> <P></P> <P>-date and time of alert generation<BR /><BR />-event message<BR /><BR />-event data<BR /><BR />-generator ID of the triggering event<BR /><BR />-Snort ID of the triggering event<BR /><BR />-revision</P> <P></P> <P>Regards,</P> <P>Aastha Bhardwaj</P> <P>Rate if that helps!!!</P> <P></P> Wed, 18 May 2016 13:47:27 GMT https://community.cisco.com/t5/network-security/question-sourcefire-firesight-syslog-to-include-inline-result/m-p/2859039#M1037761 Aastha Bhardwaj 2016-05-18T13:47:27Z