topic Any update on this? in Network Security

FirePower Threat Defense Real time log viewer

jackk.rayen — Tue, 12 Mar 2019 08:23:45 GMT

Hi,

In cisco ASDM tool we have a section for real time monitoring the traffic which flow on our device ( monitoring > logging > real time log viewer) in this tab we can monitor all network activity and flow creation and teardown but when we installed FirePower Threat Defense software and add it on Cisco FMC , actually we lost this real time monitoring , How we can monitor real time log int FMC ? Is there any option on FMC for real time Log viewer just ASA ASDM?

thanks

I have heard that real-time

nspasov — Thu, 13 Oct 2016 18:34:16 GMT

I have heard that real-time log view/monitor is coming to FireSIGHT but was never given an actual version. As of right now, this feature is not available.

Sorry to bring the bad news 🙂

Thank you for rating helpful posts!

Sorry but there's not

Marvin Rhoads — Thu, 13 Oct 2016 23:42:32 GMT

Sorry but there's not currently any such capability in FMC (or on the sensor itself). It's not in any short term plan either (although customer demand can sometimes result in development resources being allocated sooner).

The closest you can come right now is to create a syslog server and tail the syslog output.

There are the cli system support commands you can run that allow you to do packet trace and capture.

You can also access them via the GUI under System > Health > Monitor > (select device) > Advanced Troubleshooting. FTD devices will have those tools exposed there. (Note you can only do this for FTD devices and only from FMC.)

Thanks for your helpful

jackk.rayen — Fri, 14 Oct 2016 12:10:36 GMT

Thanks for your helpful answer, so we are waiting for the future.

thanks all

You can also use the

michaellperrin — Fri, 14 Oct 2016 19:05:27 GMT

You can also use the Connection-< Events tab in FMC. I agree it's not as good as the real time log but it can be very helpful

Any update on this?

Lucas Phelps — Wed, 10 May 2017 16:35:58 GMT

Any update on this?

What about AnyConnect VPN Support coming to FTD?

Nothing on the log viewer.

Marvin Rhoads — Wed, 10 May 2017 16:44:54 GMT

Nothing on the log viewer.

Remote access SSL VPN (for AnyConnect clients) will be introduced in FirePOWER 6.2.1 for FTD on the FirePOWER 2100 at that product's FCS date (First Customer Ship - sheduled for 22 May last I heard). The remaining FTD platforms will get it in a subsequent release shortly thereafter.

Marvin, I would like to

prashant dwivedi — Tue, 14 Nov 2017 07:49:43 GMT

Thanks

My understanding is that when

Marvin Rhoads — Wed, 24 May 2017 08:25:58 GMT

My understanding is that when you have a syslog (or SNMP trap) action as part of a policy that has been deployed to a sensor (FTD or FirePOWER) that the syslog events and SNMP traps originate from the sensor itself.

See Oliver's response here confirming that behavior:

https://supportforums.cisco.com/discussion/13251571/firepower-rule-connection-logging-syslog-question

The FMC will not necessarily show everything that's going on at the sensor - only events that are configured to create event logs will be sent up to FMC.

FX-OS chassis level logs are certainly useful but only if you have somebody actually watching them or atl least checking them periodically. Few things are less useful than a log entry that nobody sees.

Regarding backups, see the configuration guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/backup_and_restore.html

It notes:

You cannot create or restore backup files for NGIPSv, Firepower Threat Defense physical or virtual managed devices orASA FirePOWER modules. To back up event data, perform a backup of the managing Firepower Management Center.

...which confirms what you are seeing.

Re: Sorry but there's not

prashant dwivedi — Mon, 29 Jan 2018 08:42:13 GMT

Hello Marvin,

Need your help /input please.

On FTDs, we are logging traffic and sending to the external syslog server. we want to see some historical data ( logs ) to troubleshoot any issues.

We noticed FMC is only logging the traffic for last 24 hours, I have increased the database size and hopefully this will increase the data capacity.

Another issue is with sending traffic tot he external syslog server, I want to enable SYSLOG ID - 106100 with logging level as "informaitonal" , idea behind this is to get a log whenever there is any deined traffic at access control policy. however, I am getting error while pushing the policy once have 106100 enabled. Please advise how we could do this in FTD? I have tried using Flexconfig however found the same issue.

in suammry - we want to have logs at Syslog server , need to know if a traffic is being denied by ACEs , need to the rule that is dropping the traffic.

Thanks

Re: Sorry but there's not

Jeffrey Jones — Tue, 27 Feb 2018 21:21:54 GMT

I find it strange that cisco is not working on sort of viewer like we had on the ASA for the FTD, and for the FMC.

someone from cisco needs to respond to this thread.

Re: Sorry but there's not

James_1 — Mon, 07 May 2018 18:53:35 GMT

Im with you, This is unacceptable.

I'll bring this up to my local reps and see what the response is.

Re: Sorry but there's not

floulourgas — Fri, 06 Jul 2018 06:23:10 GMT

Any updates on this?

Re: Sorry but there's not

michaellperrin — Mon, 09 Jul 2018 12:42:22 GMT

You can use the capture command on the CLI of the device same as the ASA.

Example

Capture in interface inside match ip 192.168.1.0 255.255.255.0 any

The use the show capture command to see.

Re: Sorry but there's not

CiscoBrownBelt — Fri, 20 Oct 2023 13:43:55 GMT

Hi Marvin what is the best way to view just blocked events or logs? I don't see a parameter under Analysis>Events tab or way under Syslog when viewing on FMC

Re: Sorry but there's not

James_1 — Fri, 20 Oct 2023 14:58:26 GMT

When your in the Events window. Click on "Edit search". Then in General Information Type "Block" in the Action field.
Then Click "Search". That'll show you all the Blocks that are being logged.

Re: Sorry but there's not

AViftrup — Fri, 20 Oct 2023 15:57:10 GMT

You bumped an old topic.

However since the creation of this topic, things has changed. In recent releases (7.0+ or 7.1+) Unified Events was introduced with the function "Live View" which essentially is a real-time logging (there is a minor delay, but its a few seconds in worst case)
This still requires logging at start of end of connection to be present and forwarded for the FMC events of course.

Re: Sorry but there's not

James_1 — Fri, 20 Oct 2023 17:12:50 GMT

I responded to a question from CiscoPurpleBelt from earlier today.....

However since you brought it up, could you kindly point us in the right direction with some links?

I found some links about the Live View.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/analysis-unified-events.html