SecureX FMC and ESA not reporting logs

laurathaqi · ‎12-13-2021

Dear community,

I have registered WSA, FTD and ESA in SecureX. WSA is reporting logs, meanwhile FMC and ESA are not. TAC Case is open, however they are delaying on their answers and thus, so far no solution.

Note: The API on the Management Interface of ESA is enabled.

Do you have any idea what could be the issue!?

Thank you,

Laura

ben.greenbaum · ‎12-17-2021

Regarding TAC "delaying" their answers, please understand that between log4j and half the cloud going down over the past few weeks, TAC is experiencing "unusually high call volumes" as the machines used to say...

When you say that FMC is not reporting logs, what does that mean? Are there events in FMC that you would expect to see in SSE but do not? Are you not getting the results you expect in Threat Response investigations? Etc.

laurathaqi · ‎12-20-2021

Hi @ben.greenbaum

Thank you for your feedback!

There are events in FMC that I would expect to see in SSE but there is no events in SSE, this leading to no events in SecureX also.

Looking forward to any suggestions on how to troubleshoot this issue.

Best regards,

Laura

ben.greenbaum · ‎12-20-2021

Then either your integration is not working correctly, OR you haven't had any events that meet the criteria for upload. IF you are using CSSP, that is a smaller set that what is supported via a direct connection.

Are you connecting via CSSP, or direct? What version of software is on the FMC, and on the devices?
I'm not TAC and will not be able to drive this with the level of support you would get from your existing case, but that's where I would start. Find out why the events aren't showing up. Check your version, your configuration, and your settings.