topic Re: SourceFire - External Syslog logging in Network Security

SourceFire - External Syslog logging

True Warrior — Fri, 21 Feb 2020 14:57:35 GMT

Hello All,

Currently we have a customer who has SourceFire v4.10 and would like to configure the SourceFire devices to send syslog alerts to a syslog server. I have checked the Advanced Settings of the IPS Policy and there is no option to define if the syslog alerting should be done via TCP or UDP. Do you know if TCP syslog logging is supported by SourceFire devices.

Re: SourceFire - External Syslog logging

Marius Gunnerud — Thu, 28 Dec 2017 20:24:39 GMT

SourceFire is able to log using TCP. You are however using a very old version of Firepower so I am not certain what is supported on that version.

However, in FMC you need to go to Devices > Platform Settings and create a platform settings policy. In platform settings policy go to syslog and there under the Syslog Servers tab you can add an external syslog server and choose to use either TCP or UDP.

FYI: For us the FTD sends quite a bit of extra logs, so we had to rate limit the logs for the syslog server to start receiving the logs.

Re: SourceFire - External Syslog logging

True Warrior — Mon, 01 Jan 2018 11:14:56 GMT

Hi,

I already have a System Policy under Platform Settings and under Audit Log, there isn't an option either to select UDP or TCP, the system by default uses UDP/514.

Also I was looking for syslog logging via TCP for the intrusion policy but the Audit Log under Platform Settings is going to send the audit logs of the Operating System.

I have created a syslog alert in intrusion policy but there is no where in the system (FMC or managed device) to pick TCP or UDP logging as the default syslog logging of UDP/514 is used.

Re: SourceFire - External Syslog logging

Marius Gunnerud — Mon, 01 Jan 2018 12:02:15 GMT

Re: SourceFire - External Syslog logging

True Warrior — Mon, 01 Jan 2018 12:35:13 GMT

Thanks for this, but these aren't FTD devices, they are just FirePower 7000 and 8000 series devices. Can a FTD System Policy still work for just FirePower devices?

Re: SourceFire - External Syslog logging

Marius Gunnerud — Mon, 01 Jan 2018 12:53:51 GMT

Yes this will work also for FirePower. When creating the policy you click New Policy and then select Firepower Settings for FirePower, For FTD you would select Threat Defense Settings.

Re: SourceFire - External Syslog logging

True Warrior — Mon, 01 Jan 2018 12:59:28 GMT

Hi,

I guess this is what my issue is, creating a FirePower Settings policy doesn't provide the syslog logging for TCP, please check the attached screenshot that I created for one of the FirePower Settings and under audit log settings, I don't have the option to select TCP or UDP so I would assume that its available only for FTD image and not for FirePower only image.

Re: SourceFire - External Syslog logging

Marius Gunnerud — Mon, 01 Jan 2018 13:15:31 GMT

Have you considered upgrading your FirePower software? You are running a very old version and that might be the reason you are not seeing the syslog option in the platform settings policy.

Re: SourceFire - External Syslog logging

True Warrior — Mon, 01 Jan 2018 13:59:23 GMT

The screenshot that I provided is from v6.2.2 but the question was posted for v4. I don't think this option doesn't exists for FirePower but only for FTD.