December 2020

yanqiang
Beginner

How to send Firepower intrusion logs to a syslog server

 
1 Accepted Solution

Accepted Solution
ilay
Rising star

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/external_alerting_for_intrusion_events.html#ID-2212-000001bf

Follow the section "Configuring Syslog Alerting for Intrusion Events" in the link above. (FMC v6.6)

==================↑

1> In the intrusion policy editor's navigation pane, click Advanced Settings.

2> Make sure Syslog Alerting is Enabled, then click Edit.

A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. The Syslog Alerting page is added under Advanced Settings.

3> Enter the IP addresses of the Logging Hosts where you want to send syslog alerts.

If you leave the Logging Hosts field blank, the logging hosts details are taken from Logging in the associated Access Control Policy.

The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.

4> Choose Facility and Severity levels as described in Facilities and Severities for Intrusion Syslog Alerts.

5> To save changes you made in this policy since the last policy commit, choose Policy Information, then click Commit Changes.

If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.

6> Deploy to devices

==================

Screenshots attached: fmc-2.png, fmc-3.png, fmc-4.png

For ASA and similar devices with a Firepower module, configure it through ASDM as described in the link below:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200328-Configure-Logging-in-Firepower-Module-fo.html#anc12

 


4 Replies

Thank you very much. Following the steps you provided, the problem is solved.

ilay
Rising star

You're welcome, glad the problem is solved~

Rps-Cheers
Rising star

See whether the following steps help:

Configuring an Output Destination

 

Step 1. Syslog Server Configuration 

To configure a Syslog Server for traffic events, navigate to Configuration > ASA Firepower Configuration > Policies > Actions Alerts, click the Create Alert drop-down menu and choose Create Syslog Alert. Enter the values for the Syslog server.

Name: Specify the name which uniquely identifies the Syslog server.

Host: Specify the IP address/hostname of the Syslog server.

Port: Specify the port number of the Syslog server.

Facility: Select any facility that is configured on your Syslog server.

Severity: Select any severity that is configured on your Syslog server.

Tag: Specify the tag name that you want to appear with the Syslog message.

Screenshot attached: 图像_2021-07-12_210004.png

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200328-Configure-Logging-in-Firepower-Module-fo.html#anc7

 

Configuring Syslog Alerting for Intrusion Events

After you enable syslog alerting in an intrusion policy, the system sends all intrusion events to the syslog, either on the managed device itself or to an external host or hosts. If you specify an external host, syslog alerts are sent from the managed device.

Screenshot attached: 图像_2021-07-12_220723.png

Procedure

Step 1 In the intrusion policy editor's navigation pane, click Advanced Settings.

Step 2 Make sure Syslog Alerting is Enabled, then click Edit.

A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. The Syslog Alerting page is added under Advanced Settings.

Step 3 Enter the IP addresses of the Logging Hosts where you want to send syslog alerts.

If you leave this field blank, the managed device logs intrusion events using its own syslog facility.

The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.

Step 4 Choose Facility and Priority levels as described in Facilities and Priorities for Intrusion Syslog Alerts, on page 4.

Step 5 To save changes you made in this policy since the last policy commit, choose Policy Information, then click Commit Changes.

If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.

What to do next

• Deploy configuration changes; see Deploy Configuration Changes.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/external_alerting_for_intrusion_events.pdf

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks!
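Both replies above configure a Facility and a Severity (or Priority) for the intrusion alerts but do not show how to confirm on the receiving end that the messages arrive with the values you chose. The script below is an added example, not code from Cisco or from either reply: it decodes the syslog PRI header (PRI = facility * 8 + severity, per RFC 3164/5424), checks a parsed alert against the facility, severity and tag you expect, and does a loopback round trip through a local UDP socket so you can smoke-test the syslog host before entering it in the Logging Hosts field. The sample lines and the "SFIMS" tag are constructed for the demo; compare the tag with what your own device actually sends.

```python
"""Decode and verify syslog alerts sent by a Firepower intrusion policy.

Added example (not from the Cisco docs or the forum replies). Assumes
BSD/RFC 3164 framing "<PRI>message" with PRI = facility * 8 + severity,
which is how the Facility and Severity chosen in the Syslog Alerting
page are encoded on the wire. Sample messages and the "SFIMS" tag are
constructed for this demo.
"""
import re
import socket

# Standard syslog facility codes (RFC 3164 / RFC 5424).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into (facility, severity); None if out of range (max 191)."""
    if not 0 <= pri <= 191:
        return None
    return divmod(pri, 8)


def parse_syslog(line):
    """Parse one syslog line into a dict; None when the PRI header is missing or invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    decoded = decode_pri(int(m.group(1)))
    if decoded is None:
        return None
    facility, severity = decoded
    return {
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "unknown"),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "message": m.group(2),
    }


def matches_policy(parsed, facility_name, max_severity_name, tag):
    """True if an alert carries the facility, severity and tag configured in FMC/ASDM.

    max_severity_name is the least urgent severity you expect: "warning"
    accepts emerg..warning (0..4) and rejects notice/info/debug (5..7).
    """
    if parsed is None:
        return False
    return (parsed["facility_name"] == facility_name
            and parsed["severity"] <= SEVERITIES.index(max_severity_name)
            and tag in parsed["message"])


def loopback_roundtrip(message, port=0):
    """Send one datagram to a local UDP listener and return the parsed result.

    A smoke test for the receiving host: proves the port can be bound and
    that the parser handles the framing before any device is pointed at it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", port))
    listener.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message.encode("utf-8"), listener.getsockname())
        data, _ = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return parse_syslog(data.decode("utf-8", errors="replace"))


# Constructed sample lines (not real device output): local0.warning (PRI 132),
# local0.info (PRI 134), and a malformed PRI that a receiver must reject.
SAMPLE_ALERT = "<132>Jul 12 21:00:04 ftd-sensor SFIMS: [constructed intrusion alert]"
SAMPLE_INFO = "<134>Jul 12 21:00:05 ftd-sensor SFIMS: [constructed informational event]"
SAMPLE_BAD = "<999>Jul 12 21:00:06 ftd-sensor SFIMS: [bad PRI]"

if __name__ == "__main__":
    for line in (SAMPLE_ALERT, SAMPLE_INFO, SAMPLE_BAD):
        p = parse_syslog(line)
        print(line[:38], "->", p and (p["facility_name"], p["severity_name"]))
    print("loopback:", loopback_roundtrip(SAMPLE_ALERT))
```

Run it on the host you intend to list under Logging Hosts; if the loopback round trip works, the same `parse_syslog` can be fed real datagrams from the device to confirm that the facility and severity match what was selected in the policy rather than falling back to the device's own syslog facility.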