topic Re: how to change intrusion event syslog port from 514 to 1515 in Network Security

how to change intrusion event syslog port from 514 to 1515

jameslee43329 — Tue, 11 Apr 2023 20:25:37 GMT

Hi, Everyone:

After done some troubleshooting and data capture, and found out Intrusion event syslog for message ID 430001 is sending to destination port (udp 514), I could see other message ID (430002, and 430003) are sending to udp port 1515, since external syslog is using udp port 1515, Is there a way to change syslog for message ID 430001 to destination port 1515 from 514?

Thanks for any suggestion

James

Re: how to change intrusion event syslog port from 514 to 1515

MHM Cisco World — Tue, 11 Apr 2023 20:34:23 GMT

what is the level appear in 430002 and 430003 and 430001
I think the level is issue here not the log message-d

Re: how to change intrusion event syslog port from 514 to 1515

jameslee43329 — Tue, 11 Apr 2023 21:00:06 GMT

Hello, MHM:

They all level 6, starting with %FTD-6-43000x, and I remember you change change what level of the syslog you want, that will not change syslog destination port.

Regards,

James

Re: how to change intrusion event syslog port from 514 to 1515

MHM Cisco World — Tue, 11 Apr 2023 21:00:33 GMT

Configure Syslog Alerting for Intrusion Events

You must configure syslog alerting for intrusion events.

To do so, follow Cisco's documentation at: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Configuring_External_Alerting_for_Intrusion_Rules.html#ID-2212-000001bf

This configuration shows the event ids 430001, 430002, and 430003 in your syslog settings, and sends them to InsightIDR for parsing.

Re: how to change intrusion event syslog port from 514 to 1515

jameslee43329 — Tue, 11 Apr 2023 23:50:20 GMT

Thanks MHM:

I don't see there is any requirement to setup for MID 430002 and 430003, only for 430001, there is no specific explanation what facility should be used? will local4 or syslog use different destination port?

Changed snort2 for IDS policy in advanced setting, change facility, no help!

regards,

James

Re: how to change intrusion event syslog port from 514 to 1515

balaji.bandi — Wed, 12 Apr 2023 01:00:12 GMT

So you have syslog Server setup done using 1515

your Syslog server can able receive the messages message ID (430002, and 430003) ? but not 430001 ? Please confirm this

and give more details what is the device model/ what FTD version running. is this managed by FMC?

can you post the screenshot of the Syslog server config?

Re: how to change intrusion event syslog port from 514 to 1515

Gustavo Medina — Wed, 12 Apr 2023 02:02:19 GMT

I just tested this and it works fine:

The port will be reflected on /var/sf/detection_engines/xxxxxx/ids_alert.conf

Just make sure you are running a version with the fix for https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt13301

Re: how to change intrusion event syslog port from 514 to 1515

jameslee43329 — Wed, 12 Apr 2023 15:44:43 GMT

Hi, Gustavo and MHM:

After removed IP address in logging hosts in snort2, that fixed the issue, I think there was too much influences on snort2 documentation, and I could see the pain from snort2 to snort3, platform setting is the better choice. and thanks for the help.