topic Re: How to FMC Audit log to Syslog Server ? in Network Security

How to FMC Audit log to Syslog Server ?

simplewildstyle — Tue, 22 Mar 2022 08:11:18 GMT

Dear sir,

I want to collect the audit log of fmc to syslog.

It is set as follows, but logs other than audit logs are being collected as below.

And i don't want see this logs.

Mar 22 01:25:46 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/platinum ; USER=root ; COMMAND=/etc/rc.d/init.d/syslog-ng restart

Mar 22 01:25:46 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/platinum ; USER=root ; COMMAND=/bin/chmod 0755 /etc/syslog-ng.d

The method I would like to see is the following audit log. (Monitoring -> Audit on FMC)

My Audit log to Syslog Settings is below.

Please check settings and help me.

best regards.

Re: How to FMC Audit log to Syslog Server ?

Eric R. Jones — Tue, 22 Mar 2022 20:50:30 GMT

In Facility change that to: SYSLOG

In Tag change that to the DNS name of the FMC if you want or leave as is

Send Audit Log to HTTP Server we have ours set to "Disabled" if you have an HTTP server set it to that.

For the audit Log Certificate section:

Chose the check boxes that apply, Enable TLS and/or Enable Mutual authentication.

For HTTPS Certificate:

If you plan on using a cert now but haven't in the past you will need to set that up.

Re: How to FMC Audit log to Syslog Server ?

simplewildstyle — Thu, 24 Mar 2022 02:54:31 GMT

Dear sir,

thanks for your information, but it was same issue.

I can see below log (FPR Syslog) on logging server.

Mar 24 02:48:41 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/admin ; USER=root ; COMMAND=/etc/rc.d/init.d/syslog-ng restart

Mar 24 02:48:41 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)

but, I wnat to FMC audit log on logging server. (not syslog)

Please help me.

thanks,

Re: How to FMC Audit log to Syslog Server ?

Octavian Szolga — Thu, 24 Mar 2022 09:55:21 GMT

Hi,

Your settings look ok.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/system_configuration.html#ID-2258-00000149

My understanding - in this case - is that Facility and Severity are helpful only for syslog filtering at destination, not at source. Your FMC should send all audit events like you want to (including GUI menus). Try running a tcpdump on FMC with a filter for that specific sylog or run the capture on the syslog itself with a filter for FMC source IP and look into it.
Maybe you applied some filters on syslog and that's why you don't see all logs/

BR,
Octavian

Re: How to FMC Audit log to Syslog Server ?

simplewildstyle — Fri, 25 Mar 2022 01:19:16 GMT

Dear sir,

I checked received syslogs on logging server as below.

(tcpdump -i any port 514)

But, cannot see FMC audit log.

I want to FMC audit log on logging server. (not syslog)

please help me,

thanks

Re: How to FMC Audit log to Syslog Server ?

Eric R. Jones — Sun, 27 Mar 2022 21:04:16 GMT

This link is pulled from within my FMC.

log_from_fmc_61plus.html?highlight=stream%20aud> Stream Audit Logs to Syslog
(srf.local)

You lost me when you said:

"But, cannot see FMC audit log.

I want to FMC audit log on logging server. (not syslog)"

Are you trying to separate audit log data from syslog server collection into
a different location?

Are you talking about event logs and system log data?

We have configured ours to send all logs to an NFS location and to a SIEM
setup load balanced by A10 servers.

Re: How to FMC Audit log to Syslog Server ?

simplewildstyle — Tue, 05 Apr 2022 02:49:12 GMT

I'm sorry, I don't understand your information and you don't understand my issue.

please check this problem again.

Re: How to FMC Audit log to Syslog Server ?

Eric R. Jones — Wed, 20 Apr 2022 22:04:04 GMT

Did you ever sort out this issue?

Re: How to FMC Audit log to Syslog Server ?

simplewildstyle — Thu, 12 May 2022 04:02:30 GMT

not yet..

Re: How to FMC Audit log to Syslog Server ?

Octavian Szolga — Wed, 29 Jun 2022 12:55:00 GMT

Hi,

I remember running some tests on a 6.6 FMC and I got same results as you did.

No audit for GUI, just some linux syslog.
Now I'm running 7.2 and I can at least tell you that auditing works as expected.

06-29-2022 15:53:13 System4.Info x.x.x.x Jun 29 12:50:24 index.cgi: [FMC_AUDIT] fmc.local.hostname: admin@x.x.x.x, System > Monitoring > Audit, Page View

BR,

Octavian