topic Re: Collecting FMC Logs Including User-Requested URLs Through Syslog in Network Security

Collecting FMC Logs Including User-Requested URLs Through Syslog

waheh91451 — Sat, 04 Jan 2025 11:17:14 GMT

I am currently using Cisco Firepower Management Center (FMC) and would like to collect logs that include detailed information about users' requested URLs and send them to a central syslog server for analysis.

Here are my specific requirements and questions:

Log Details: How can I configure FMC to include details such as requested URLs, timestamps, and the action taken (e.g., allowed or blocked) in the syslog messages?
Syslog Configuration: What are the necessary steps to set up FMC to forward these logs to a syslog server?
- Is there a specific syslog facility or severity level recommended for URL-related logs?
- Do I need to configure any specific policies or logging profiles in FMC for this?
User Identity Information: How can I ensure that FMC logs include user identity information (e.g., usernames) along with URL requests?

Any guidance, including examples of syslog configurations, FMC policies, or integration tips, would be greatly appreciated.

Re: Collecting FMC Logs Including User-Requested URLs Through Syslog

MHM Cisco World — Sat, 04 Jan 2025 13:12:50 GMT

https://www.cisco.com/c/en/us/td/docs/security/firepower/splunk/Cisco_Firepower_App_for_Splunk_User_Guide.html <<- check this

MHM

Re: Collecting FMC Logs Including User-Requested URLs Through Syslog

waheh91451 — Mon, 06 Jan 2025 04:54:35 GMT

Hi there, thanks for replying, I think you got it wrong, the problem isn't about parsing logs, the problem is that my raw logs doesn't include any URL field.

Re: Collecting FMC Logs Including User-Requested URLs Through Syslog

Marvin Rhoads — Tue, 07 Jan 2025 03:24:51 GMT

When we setup an Access Control Policy rule to send syslog events, it is the managed FTD device actually sending its view of the traffic the the syslog server. That is why we only see a subset of what you can see in FMC itself. The FMC view is enriched by context it retrieves from other sources such as Identity from ISE, URL from analysis of the packets, etc. That enriched set of information is not directly exportable to a syslog server from FMC.

Here you can see what an FTD device sends to syslog in the case of a DNS lookup - that is the only time we see the FQDN from a syslog event since it is part of the event. Subsequent connections (and any syslog event associated with them) will just use the IP address and that is what will be seen in a syslog event for that traffic.

%FTD-6-430003: EventPriority: Low, DeviceUUID: f35fbf2c-a28c-11ef-8f3e-91c8635f9d10, InstanceID: 1, FirstPacketSecond: 2025-01-07T03:16:18Z, ConnectionID: 538, AccessControlRuleAction: Allow, SrcIP: 172.31.1.31, DstIP: 8.8.8.8, SrcPort: 58951, DstPort: 53, Protocol: udp, IngressInterface: Inside-Lab, EgressInterface: Outside-Home, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Lab_ACP, AccessControlRuleName: Lab-Outside, Prefilter Policy: Default Prefilter Policy, Client: DNS, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 120, ResponderBytes: 248, NAPPolicy: Balanced Security and Connectivity, DNSQuery: dt-external-217593033.us-east-1.elb.amazonaws.com, DNSRecordType: a host address, DNSResponseType: No Error, DNS_TTL: 37, ReferencedHost: dt-external-217593033.us-east-1.elb.amazonaws.com, NAT_InitiatorPort: 58951, NAT_ResponderPort: 53, NAT_InitiatorIP: 192.168.0.204, NAT_ResponderIP: 8.8.8.8, ClientAppDetector: AppID, InspectedPacketCount: 2, InspectionMicroseconds: 558

Re: Collecting FMC Logs Including User-Requested URLs Through Syslog

waheh91451 — Wed, 08 Jan 2025 10:12:03 GMT

Thanks for your clarification, Is there anyway to config FTD to include FQDN in syslog output?

Re: Collecting FMC Logs Including User-Requested URLs Through Syslog

Marvin Rhoads — Wed, 08 Jan 2025 12:51:58 GMT

No, not to the best of my knowledge.