Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5910
Views
0
Helpful
8
Replies

AMP Logs in ESA to Syslog Server

Pravar
Level 1
Level 1

‎04-12-2017 06:29 AM

Hi,

Any document or reference available on how to configure AMP logs from ESA C680 appliance to a syslog host. 

Labels:
0 Helpful
8 Replies 8

Libin Varghese
Cisco Employee
Cisco Employee

‎04-12-2017 06:43 AM

Hi,

AMP engine logs currently do not have an option for syslog push and is being tracked under the below feature request.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb81013/?reffering_site=dumpcr

Available options are scp and ftp.

Steps for configuring SCP should match the below article:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200985-Configuring-SCP-push-of-mail-logs-on-ESA.html

Thank You!

Libin Varghese

0 Helpful

Pravar
Level 1
Level 1
In response to Libin Varghese

‎04-13-2017 01:26 AM

Hi Libin,

Thanks. However the option is now available with the version 10.0.0-083 that is currently running on our appliances. However, we are looking for the logs of File Reputation and File Analysis (sent to ThreatGrid cloud) and its verdict to a Syslog host. Is it possible?

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to Pravar

‎04-13-2017 05:01 AM

Yes, as the option is available in the newer release you can configure AMP logs to be pushed to the syslog server.

This would contain information and logs on file reputation, file analysis query and verdicts.

For configuration steps on the ESA refer to the user guide provided by Dennis.

- Libin V 

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎04-12-2017 08:19 AM

hi ...fyi ..these Logs are always available via HTTP(S) download.

0 Helpful

dmccabej
Cisco Employee
Cisco Employee

‎04-12-2017 08:24 AM

Hello,

Syslog functionality for AMP logs has been added as of 10.0.1-087.

For steps on setup, you can review the User Guide information, here.

Thanks!

-Dennis M.

0 Helpful

Sriram Subramanian
Cisco Employee
Cisco Employee

‎04-12-2017 09:04 AM

Hello Deiva,

Please follow these directions to create a new log subscription for AMP from the Cisco User Guide:

Creating a Log Subscription in the GUI

Procedure
Step 1 Choose System Administration > Log Subscriptions.
Step 2 Click Add Log Subscription.
Step 3 Select a log type and enter the log name (for the log directory) as well as the name for the log file itself.
Step 4 Specify the maximum file size before AsyncOS rolls over the log file as well as a time interval between
rollovers. See Rolling Over Log Subscriptions, page 39-48 for more information on rolling over log files.
Step 5 Select the log level. The available options are Critical, Warning, Information, Debug, or Trace.
Step 6 Configure the log retrieval method.
Step 7 Submit and commit your changes.

0 Helpful

Advisable
Level 1
Level 1

‎11-15-2017 10:27 AM

I have similar issue on Firepower where i am not able to push AMP Syslog to SIEM tool. This article is written for ESA and i would like to know if this is a known issue for Firepower 4000 (version 6.0.1)

 

 

 
0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to Advisable

‎11-15-2017 06:21 PM

I would recommend posting the query to Firepower support forums to see if someone more familiar with that product can answer. 

 

- Libin V

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents