Cisco FTD:Looking for Security Specific logs relevant for OCSF mapping

meenal-singh
Level 1

I am looking at the Cisco FTD platform logs, and we are trying to convert the logs to OCSF format.

We want to focus on security relevant events, according to the guide there are only 5 syslog messages which are security relevant - https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/fptd_syslog_guide/security-event-syslog-messages.html
I need to understand whether we should consider more events from the range 1000000 to 8000000 that would be appropriate for OCSF transformation.

Any guidance is appreciated. Thanks!

3 Replies

Cristian Matei
VIP Alumni

Hi,

There is quite a significant number of syslog messages which are security relevant; why would there be so many on a security platform if they weren't security relevant? At the end of the day, you would need to pick and choose the ones that you need to meet your goal.

Thanks,

Cristian.


Thanks for the reply. I see that there are various severity levels. The only way to get the severity is by the number following "FTD"; for example, %FTD-1-101001 has severity level 1.

Is this understanding correct? Based on this string, can we pick high- and low-severity events? Is there any other field that indicates severity/criticality?

Hi,

Your statement is correct, e.g. "%FTD-1-101001" means it is an FTD log with a severity of 1 (the lower the value, the more severe the condition) and a message number/identifier of 101001. The severity level is/has been defined by Cisco, so it doesn't mean that a severity level of 6 is of low severity from your perspective; e.g. take a look at logging message "%FTD-4-711002", with a severity level of 4, where the event is an actual traceback event; traceback events are something you would want to take seriously into consideration. But yes, in general, you can rely on the severity levels as defined by Cisco.

If you enable EMBLEM syslog format, the syslog message structure changes, and a new field named PRI/priority is prepended to the message; this priority represents the facility and severity of the event. See RFC 5424 to understand how this value is computed: https://www.rfc-editor.org/rfc/rfc5424.html

 There are no other fields that would represent a severity level.

Thanks,

Cristian.
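As an added example (not code from the thread or from Cisco), the following parser extracts the severity and message identifier from the %FTD-<sev>-<id> tag discussed above, decodes the EMBLEM/RFC 5424 PRI prefix as facility * 8 + severity, and checks that both severity values agree. The sample lines, their message bodies and the "always escalate" list are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# FTD tag: %FTD-<severity 0-7>-<six-digit message id>: <message body>
FTD_TAG = re.compile(r"%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# Optional RFC 5424 / EMBLEM priority prefix "<PRI>" at the start of the line
PRI_PREFIX = re.compile(r"^<(?P<pri>\d{1,3})>")

# Syslog severity names per RFC 5424, section 6.2.1
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Assumed operator policy: message IDs escalated regardless of the Cisco severity.
# 711002 (a traceback event logged at severity 4) is the case raised in the thread.
ALWAYS_ESCALATE = {"711002"}
HIGH_SEVERITY_MAX = 3  # assumed threshold: "error" or worse counts as high priority

# Constructed sample lines (bodies are placeholders, not real FTD message text);
# the third line is in EMBLEM style with a <PRI> prefix: 164 = 20 * 8 + 4
SAMPLE_LINES = [
    "%FTD-1-101001: constructed body for a severity-1 event",
    "%FTD-4-711002: constructed body for a traceback event",
    "<164>Jan 01 2024 12:00:00 ftd-01 : %FTD-4-711002: constructed EMBLEM body",
    "not an FTD syslog line at all",
]


def parse_ftd_line(line: str) -> Optional[Dict[str, object]]:
    """Return severity, message id, body and (if present) decoded PRI; None if no tag."""
    m = FTD_TAG.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    rec: Dict[str, object] = {
        "msgid": m.group("msgid"), "severity": sev,
        "severity_name": SEVERITY_NAMES[sev], "body": m.group("body"),
        "pri": None, "facility": None, "pri_severity_matches": None,
    }
    p = PRI_PREFIX.match(line)
    if p:
        pri = int(p.group("pri"))
        rec["pri"] = pri
        rec["facility"] = pri // 8  # e.g. 20 = local4, the Cisco default facility
        # the severity carried in PRI must agree with the %FTD-<sev> tag
        rec["pri_severity_matches"] = (pri % 8 == sev)
    rec["high_priority"] = sev <= HIGH_SEVERITY_MAX or rec["msgid"] in ALWAYS_ESCALATE
    return rec


def classify(lines: List[str]) -> List[Tuple[str, int, bool]]:
    """(msgid, severity, high_priority) for every parsable line, skipping the rest."""
    parsed = (parse_ftd_line(ln) for ln in lines)
    return [(r["msgid"], r["severity"], r["high_priority"]) for r in parsed if r]
```

Running classify(SAMPLE_LINES) shows that 711002 is flagged high priority despite its severity of 4, while the line without an FTD tag is dropped.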
