04-12-2017 06:29 AM
Hi,
Is there any document or reference available on how to configure AMP logs from an ESA C680 appliance to a syslog host?
04-12-2017 06:43 AM
Hi,
AMP engine logs currently do not have an option for syslog push; this is being tracked under the feature request below.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb81013/?reffering_site=dumpcr
Available options are scp and ftp.
Steps for configuring SCP should match the article below:
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200985-Configuring-SCP-push-of-mail-logs-on-ESA.html
Thank You!
Libin Varghese
04-13-2017 01:26 AM
Hi Libin,
Thanks. However, the option is now available with version 10.0.0-083, which is currently running on our appliances. We are looking for the logs of File Reputation and File Analysis (sent to the ThreatGrid cloud) and their verdicts to be sent to a syslog host. Is that possible?
04-13-2017 05:01 AM
Yes, as the option is available in the newer release you can configure AMP logs to be pushed to the syslog server.
This would contain information and logs on file reputation, file analysis query and verdicts.
For configuration steps on the ESA refer to the user guide provided by Dennis.
- Libin V
04-12-2017 08:19 AM
Hi, FYI, these logs are always available via HTTP(S) download.
04-12-2017 08:24 AM
Hello,
Syslog functionality for AMP logs has been added as of 10.0.1-087.
For steps on setup, you can review the User Guide information, here.
Thanks!
-Dennis M.
04-12-2017 09:04 AM
Hello Deiva,
Please follow these directions to create a new log subscription for AMP from the Cisco User Guide:
Creating a Log Subscription in the GUI
Procedure
Step 1 Choose System Administration > Log Subscriptions.
Step 2 Click Add Log Subscription.
Step 3 Select a log type and enter the log name (for the log directory) as well as the name for the log file itself.
Step 4 Specify the maximum file size before AsyncOS rolls over the log file as well as a time interval between rollovers. See Rolling Over Log Subscriptions, page 39-48 for more information on rolling over log files.
Step 5 Select the log level. The available options are Critical, Warning, Information, Debug, or Trace.
Step 6 Configure the log retrieval method.
Step 7 Submit and commit your changes.
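The steps above cover the appliance side only. The receiving end also needs a listener, so here is an added example of an rsyslog configuration for the syslog host (this is not from the thread or the Cisco User Guide). It assumes rsyslog 7 or later with RainerScript syntax, that the ESA pushes over UDP port 514, and that the appliance's source address is 192.0.2.10 (a constructed placeholder; substitute your own appliance address and port).

```conf
# /etc/rsyslog.d/10-esa-amp.conf  (added example, not from the thread)
# Assumptions: rsyslog 7+; ESA source address 192.0.2.10 (placeholder); UDP 514.

# Listen for syslog pushes from the appliance. Load TCP as well if the
# log subscription is configured to use TCP instead of UDP.
module(load="imudp")
input(type="imudp" port="514")

# Write one file per sending host so AMP events from the ESA are kept
# apart from the rest of the syslog stream and are easy to ship to a SIEM.
template(name="EsaAmpFile" type="string"
         string="/var/log/esa/%HOSTNAME%/amp.log")

# Match only the appliance's address; "stop" prevents the same messages
# from also being written to the default /var/log/messages or syslog file.
if ($fromhost-ip == "192.0.2.10") then {
    action(type="omfile" dynaFile="EsaAmpFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
```

After placing the file, validate the syntax with `rsyslogd -N1` and restart rsyslog; the log name entered in Step 3 of the subscription appears in the appliance-side filename, while the host-side path is governed by the template above. Restrict the listener with a host firewall to the appliance address so that arbitrary hosts on the network cannot inject lines into the AMP log file.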
11-15-2017 10:27 AM
I have a similar issue on Firepower, where I am not able to push AMP syslog to a SIEM tool. This article is written for ESA and I would like to know if this is a known issue for Firepower 4000 (version 6.0.1).
11-15-2017 06:21 PM
I would recommend posting the query to Firepower support forums to see if someone more familiar with that product can answer.
- Libin V