AMP engine logs currently do not have an option for syslog push, and this is being tracked under the below feature request.
Available options are scp and ftp.
Steps for configuring SCP should match the below article:
Thanks. However, the option is now available with the version 10.0.0-083 that is currently running on our appliances. However, we are looking for the logs of File Reputation and File Analysis (sent to ThreatGrid cloud) and its verdict to be sent to a Syslog host. Is it possible?
Yes, as the option is available in the newer release you can configure AMP logs to be pushed to the syslog server.
This would contain information and logs on file reputation, file analysis query and verdicts.
For configuration steps on the ESA refer to the user guide provided by Dennis.
- Libin V
Syslog functionality for AMP logs has been added as of 10.0.1-087.
For steps on setup, you can review the User Guide information, here.
Please follow these directions to create a new log subscription for AMP from the Cisco User Guide:
Creating a Log Subscription in the GUI
Step 1 Choose System Administration > Log Subscriptions.
Step 2 Click Add Log Subscription.
Step 3 Select a log type and enter the log name (for the log directory) as well as the name for the log file itself.
Step 4 Specify the maximum file size before AsyncOS rolls over the log file as well as a time interval between rollovers. See Rolling Over Log Subscriptions, page 39-48 for more information on rolling over log files.
Step 5 Select the log level. The available options are Critical, Warning, Information, Debug, or Trace.
Step 6 Configure the log retrieval method.
Step 7 Submit and commit your changes.
I have a similar issue on Firepower where I am not able to push AMP Syslog to a SIEM tool. This article is written for ESA and I would like to know if this is a known issue for Firepower 4000 (version 6.0.1).
I would recommend posting the query to Firepower support forums to see if someone more familiar with that product can answer.
- Libin V