Can the FMC be configured to forward connection events/traffic logs

guacamoley · ‎02-12-2024

As the title asks - I'm not referring to the FTD sending traffic (I know it does), I am wondering if there is a way for the FMC to relay the connection events in its internal buffer?

I see Audit Logs allow my to forward syslog messages. I can't seem to figure it out for traffic though.

balaji.bandi · ‎02-12-2024

When creating the Access Polocy that has option to log - that you can send the logs to external.

or you looking once the logs send to FMC, from FMC you like to send all the logs to external ?

you can do from FMC platform settings to send logs to External

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎02-12-2024

https://panenka.sk/cisco-fmc-ftd-eventing/

check this link

MHM

guacamoley · ‎02-12-2024

Both these responses show the FTD sending the event traffic directly to the siem/syslog. In my example, I am wondering if the FMC can relay connection event logs directly to the siem.

tvotna · ‎02-12-2024

Not over syslog. You can send over eStreamer protocol and this is a pull model, i.e. external eStreamer client can pull connection and other events from FMC:

FTD (SNORT) -> FTD Unified File -> sftunnel -> FMC SFDataCorrelator -> FMC Database -> Pruning (Retention)
                                                      |
                                                      +----> eStreamer archive files <--- pull --- eStreamer client

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/admin/710/management-center-admin-71/analysis-external-tools.html

MHM Cisco World · ‎02-12-2024

Are you sure fmc can send event directly to syslog ?

MHM