topic Re: FMC: Connection Events not being sent to external Syslog in Network Security

FMC: Connection Events not being sent to external Syslog

juanc — Thu, 19 May 2022 18:14:41 GMT

I've configured FMC to send Connection Events to an external syslog but not everything is being sent.

I've taken some tcpdumps and only the events with some relevant impact are sent. I'm interested in sending every event, even the allowed ones.

Any thoughts?

Re: FMC: Connection Events not being sent to external Syslog

Udupi Krishna. — Fri, 20 May 2022 00:54:28 GMT

Can you share the screenshot of your syslog configuration and is this syslog server selected globally for the ACP or individual rules?

Re: FMC: Connection Events not being sent to external Syslog

SinghRaminder — Fri, 20 May 2022 02:14:34 GMT

Follow this doc :

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

Also as Krishna said, you need to provide the screenshot so we can understand what are you doing.

there are multiple places you can do the logging from like Platform Settings, each rule in ACP or globally under the ACP [logging Tab]

IPS are done under IPS Section etc

Re: FMC: Connection Events not being sent to external Syslog

juanc — Fri, 20 May 2022 13:24:31 GMT

I'm doing it on an individual rule but it's the only rule that is logging on the ACP. See the attachment.

And I'm getting some of the events, just not the allowed events which I also want to send. So the connection is established, might it be something with the logging level I'm using?

Also, I'm using 2 ASA 5515X with Firepower software module and 4 ASA 5585X with Firepower hardware module. No FTD devices. So the FTD Platform Settings policy do not apply in my case.

Re: FMC: Connection Events not being sent to external Syslog

SinghRaminder — Fri, 20 May 2022 15:15:05 GMT

So you are trying to Get IPS/IDS Events? The one you are doing is Screenshot is Syslogs/Connection

Intrusion you do not get here,

Go to Intrusion Policies>Edit your Policy>Select AdvancedSettings on the left>Enable Sylog ALerting

You may need click back on the right hand side and commit it

Or the moment you enable the syslog you will see Syslog Alerting on the left and add the server there

You still need to commit changes, also be careful, changes to IPS policy and deploy can result in few pings loss

And make sure you select the IPS policy under the inspection tab of the screenshot you provided

Re: FMC: Connection Events not being sent to external Syslog

juanc — Mon, 23 May 2022 21:27:20 GMT

I do not see an option "Advanced Settings" when I edit my Intrusion Policy. I'm going into Policies>Intrusion>Edit and I see the attached window.

To clarify, I want to forward all the events generated to my configured syslog server.

Re: FMC: Connection Events not being sent to external Syslog

SinghRaminder — Mon, 23 May 2022 21:44:47 GMT

Do not directly edit there, click on the version you are using like snort 2 or snort 3 highlighted, then it will take you to your policy.

Re: FMC: Connection Events not being sent to external Syslog

juanc — Mon, 23 May 2022 22:38:34 GMT

Great, I found the option and made the change as you said but I'm still not getting the events sent. Maybe I'm using the wrong facility(Local0)? I set the level to Debug everywhere but the amount of logs do not change.

Re: FMC: Connection Events not being sent to external Syslog

SinghRaminder — Tue, 24 May 2022 01:40:43 GMT

It is possible, i just compared mine and we are using the default LOCAL4 facility, and we do receive all the IPS/IDS alerts

Can you set up yours and give it a shot

Re: FMC: Connection Events not being sent to external Syslog

juanc — Fri, 27 May 2022 14:07:19 GMT

I did it but without success 😕