348 Views | 1 Helpful | 5 Replies

How to set the Cisco eStreamer severity log?

zaki-almustafa (Level 1)

My name is Zake and I want to ask how to set the severity in Cisco eStreamer. I use a Cisco Firepower 3120 and want to ingest logs into Azure Sentinel. I was successful in ingesting logs, but I get too many logs; when I look, there are too many at the informational severity level.

What I already did is change it in estreamer.conf, where the default level is "INFO":

"logging": {
    "@comment": "Levels include FATAL, ERROR, WARNING, INFO, DEBUG, VERBOSE and TRACE",
    "level": "INFO",
    "format": "%(asctime)s %(name)-12s %(levelname)-8s %(message)s",
    "stdOut": true,
    "filepath": "estreamer.log"
},

I changed it to "WARNING" but nothing happened; "INFO" severity still gets ingested.

"logging": {
    "@comment": "Levels include FATAL, ERROR, WARNING, INFO, DEBUG, VERBOSE and TRACE",
    "level": "WARNING",
    "format": "%(asctime)s %(name)-12s %(levelname)-8s %(message)s",
    "stdOut": true,
    "filepath": "estreamer.log"
},

Did I do it the wrong way, or do I need to set it a different way? Could you help me?

1 Accepted Solution

adrian_iovita (Level 1)

Those options are for eStreamer app logging level and not the logs forwarded from the FMC.

You need to edit the records section of the estreamer.conf. 

You have more options to exclude specific records; see the documentation here on specific records:

https://www.cisco.com/c/en/us/td/docs/security/firepower/720/api/eStreamer/EventStreamerIntegrationGuide/RNA-Records.html

For example, to exclude connection statistics/flow, use record 71 as in the example below:

"records": {
    "connections": true,
    "core": true,
    "excl@comment": [
        "These records will be excluded regardless of above (overrides 'include')",
        "e.g. to exclude flow and IPS events use [ 71, 400 ]"
    ],
    "exclude": [71]
}


5 Replies


I got confused about which informational codes there are besides 71; I already read the documentation you linked, but I am still confused.
Would you please give me all the informational codes? I want to make it only WARNING to CRIT severity.

You are not able to filter based on log severity in the eStreamer config (like info, critical, etc.).

You should do this on the Azure side when you configure the Agent and Data Collection Rule.

https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama?tabs=syslog%2Cportal#run-the-installation-script


I already set the minimum severity in the DCR in Azure Sentinel, but the firewall logs still ingest informational. I mean, if 71 is not too critical I can exclude that, but which other codes do I need to exclude besides 71?

In the DCR in Azure Sentinel, you also need to match both the facility and the log level. I think the facility is LOG_USER.

You can use Sentinel to summarize all the events that have informational level and identify all Info logs.

Use the below example:

| summarize Count=count() by name
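The point made in the replies above is that the eStreamer client's `logging.level` only controls the client's own log file, while severity filtering of the forwarded events happens at the collector, and a DCR filter has to match both the syslog facility and the severity or the wrong events get through. The Python below is an added illustration (not code from the thread, from the eNcore client, or from Microsoft) that decodes the syslog `<PRI>` header into facility and severity, emulates a DCR facility-plus-minimum-level filter over a few constructed sample lines, and counts events per facility/severity the way the `summarize` query does. The sample lines, their CEF-style payloads and the assumption that the DCR behaves as "facility in set AND severity at least level" are all constructed for the example.

```python
import re
from collections import Counter

# Syslog facility and severity codes (RFC 5424): PRI = facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Index order matters: a lower index is more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_name, severity_name) for the <PRI> prefix of a syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def dcr_matches(line, facilities, min_severity):
    """Emulate a DCR syslog data source (assumption for this example): the line's
    facility must be one of the selected facilities AND its severity must be at
    least min_severity, so 'warning' admits emerg..warning and drops notice..debug."""
    facility, severity = decode_pri(line)
    return (facility in facilities
            and SEVERITIES.index(severity) <= SEVERITIES.index(min_severity))


def filter_lines(lines, facilities, min_severity):
    """Return the lines a DCR with that facility set and minimum level would ingest."""
    return [line for line in lines if dcr_matches(line, facilities, min_severity)]


def summarize(lines):
    """Count lines per (facility, severity), like 'summarize Count=count() by ...' in KQL."""
    return Counter(decode_pri(line) for line in lines)


# Constructed sample lines (not real FMC output): a CEF-style payload behind a syslog PRI.
SAMPLE_LINES = [
    "<12>Jan 10 10:00:01 fmc eStreamer: CEF:0|Cisco|Firepower|7.2|SAMPLE|Intrusion Event|7|msg=constructed",   # user.warning
    "<14>Jan 10 10:00:02 fmc eStreamer: CEF:0|Cisco|Firepower|7.2|SAMPLE|Connection Event|3|msg=constructed",  # user.info
    "<14>Jan 10 10:00:03 fmc eStreamer: CEF:0|Cisco|Firepower|7.2|SAMPLE|Connection Event|3|msg=constructed",  # user.info
    "<13>Jan 10 10:00:04 fmc eStreamer: CEF:0|Cisco|Firepower|7.2|SAMPLE|File Event|5|msg=constructed",        # user.notice
    "<132>Jan 10 10:00:05 fmc eStreamer: CEF:0|Cisco|Firepower|7.2|SAMPLE|Intrusion Event|7|msg=constructed",  # local0.warning
]


if __name__ == "__main__":
    # Where is the noise coming from? Count per facility/severity first.
    for (facility, severity), count in sorted(summarize(SAMPLE_LINES).items()):
        print("%-8s %-8s %d" % (facility, severity, count))
    # A DCR on facility 'user' with minimum level 'warning' keeps only the warning event.
    print("user + warning keeps", len(filter_lines(SAMPLE_LINES, {"user"}, "warning")))
    # Wrong facility: the same minimum level on 'local0' drops the user.warning event.
    print("local0 + warning keeps", len(filter_lines(SAMPLE_LINES, {"local0"}, "warning")))
    # Right facility but level left at 'info': the informational connection events come through.
    print("user + info keeps", len(filter_lines(SAMPLE_LINES, {"user"}, "info")))
```

Run it as-is and compare the three counts: only the combination of the facility the forwarder actually uses and the intended minimum level produces the reduced volume; a matching level on the wrong facility drops events silently, and a matching facility with the level left at `info` reproduces the flood described in the question. Running `summarize` over real data (or the equivalent KQL in Sentinel) is the quickest way to see which facility the FMC events arrive on before changing the DCR.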