CLI command to extract IPS event logs from Firepower Sensor

Mady
Level 4

Hi,

Please help me extract the " Connection Events", "Security Intelligence Events", "Malware Events" and "IPS Events" from sensor via CLI. Hope you can provide me the command. I need this for our network audit activity.

Thank you in advance.

Regards,

Mady

9 Replies

Oliver Kaiser
Level 7

Events are being stored on FMC in a MySQL database. The schema is documented here.

There is an option on FMC to permit remote database access, so you could just use MySQL Workstation and build some SQL queries to get the event data you are looking for.

Another option would be configuring syslog forwarding on FMC, which might be the easier solution.

Let me know if you need further assistance

Hi ok0000007,

Thank you for your response. So there is no way to get the logs from IPS directly?

Regards,

Mady

There is no documented / supported way to do this via DB. I have checked the sensor DB schema and could not find the appropriate event tables.

Is there a reason for not polling Firepower Management Center?

If we configure the syslog, can we get all the connection logs or IPS logs from sensor?

We wanted to get the logs from past weeks or months; that's why we're looking for the commands to get it directly from the sensor.

Also, if we issue show disk-manager there are connection events and IPS events, so I am wondering if we could get the logs from there.

Connection logs for several weeks/months won't be possible imo. I have checked disk-manager on FTD 6.1 and there are no connection events logged. In case your platform logs connection logs directly to the sensor, they will most likely get rotated pretty fast since the max event storage will fill up.

Snort events are indeed logged on disk. If you want to check the files you have to locate the following files using bash on the sensor...

snort-unified.alert

snort-unified.log

e.g.

> expert

admin@firepower:/home/admin# sudo su -

root@firepower:/home/admin# updatedb

root@firepower:/home/admin# locate snort-unified.alert

If you want to check the connection logs you have to find the configuration file for diskmanager at /etc/sf/diskmanager.conf and locate the logfile name.

For the future I would recommend logging FMC alerts to syslog and forwarding connection events to syslog for long-term data collection.

P.S. Enabling syslog now will only send new events to your syslog server.

Attached here is a sample show disk-manager. Would you know the logfile name and how I can retrieve it?

Hi Mady

I have documented the procedure for locating the IPS events. You may want to check the file using cat or vi and, if it matches what you are looking for, use scp to copy it to another system.

I checked the connection logs on a firepower module and could only locate bogus data referencing IDs. You might want to open a TAC case to get the data in a useable format via a query. 

Hi,

Thank you very much. You are really helpful. Can you give me some commands on how I can find the log files I needed? Also, I already opened a Cisco TAC case, but they are still in the process of checking the documents to extract the logs that I needed. You answer much quicker than them :) You must be a TAC engineer too.

Regards,

Mady

According to diskmanager.conf the connection events are only stored in a shared memory segment which includes a non-human-readable event log, so extracting historical data from the sensor won't be feasible imo.

As for the IPS events, they are located in /var/sf/detection_engine. For finding the complete path you may use the commands I posted earlier to search for the specific files.

1. Change to linux shell

> expert

2. Change user to root (admin password required!)

admin@firepower:/home/admin# sudo su -

3. Update mlocate file database

root@firepower:/home/admin# updatedb

4. Search for file with name snort-unified.alert

root@firepower:/home/admin# locate snort-unified.alert

5. Read file using more

root@firepower:/home/admin# more <filepath_of_snort-unified.alert>
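Added example (not code from the thread or from Cisco): once the snort-unified.alert* files have been located with the steps above, this script does the "locate" and "read" steps offline and in a form an audit can actually use. It assumes the files are in Snort's unified2 format (an 8-byte record header of type and length in network byte order, followed by the record body); the thread does not confirm the format, so treat that as an assumption to verify on your own sensor. It walks a directory (default /var/sf/detection_engine, the path named in the thread), decodes IPv4 IDS event records (types 7 and 104), skips other record types such as packet records, and stops cleanly at a truncated trailing record, which is what you get when you copy a file that Snort is still appending to. The sample data embedded in the block is constructed.

```python
"""Locate and decode Snort unified2 IPS alert files copied off an FTD sensor.

Added example, not from the thread. Assumption: snort-unified.alert* files are
unified2 (header = !II type,length; bodies per Snort's unified2.h).
"""
import os
import socket
import struct
import tempfile
from datetime import datetime, timezone

# Record types handled here (values from Snort's unified2.h).
UNIFIED2_PACKET = 2            # raw packet record, skipped by this reader
UNIFIED2_IDS_EVENT = 7         # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_VLAN = 104  # IPv4 event plus MPLS label and VLAN, 60-byte body

HEADER = struct.Struct("!II")                 # type, length
EVENT_LEGACY = struct.Struct("!11I2H4B")      # 52 bytes
EVENT_VLAN = struct.Struct("!11I2H4BIHH")     # 60 bytes: legacy + mpls, vlan, pad

DEFAULT_ROOT = "/var/sf/detection_engine"     # path named in the thread


def find_alert_files(root):
    """Equivalent of 'locate snort-unified.alert': every matching file under root."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.startswith("snort-unified.alert"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def _decode_event(rtype, body):
    """Return a dict for an IPv4 IDS event record, or None for any other record."""
    if rtype == UNIFIED2_IDS_EVENT and len(body) == EVENT_LEGACY.size:
        fields = EVENT_LEGACY.unpack(body)
        vlan = None
    elif rtype == UNIFIED2_IDS_EVENT_VLAN and len(body) == EVENT_VLAN.size:
        fields = EVENT_VLAN.unpack(body)
        vlan = fields[18]            # fields[17] is the MPLS label, [19] is padding
    else:
        return None
    (sensor_id, event_id, sec, usec, sid, gid, rev, class_id, prio,
     src, dst, sport, dport, proto, _impact_flag, impact, blocked) = fields[:17]
    return {
        "sensor_id": sensor_id,
        "event_id": event_id,
        "time": datetime.fromtimestamp(sec, timezone.utc).isoformat(),
        "usec": usec,
        "rule": "%d:%d:%d" % (gid, sid, rev),   # gid:sid:rev as shown in Snort alerts
        "classification": class_id,
        "priority": prio,
        "src": socket.inet_ntoa(struct.pack("!I", src)),
        "dst": socket.inet_ntoa(struct.pack("!I", dst)),
        "sport": sport,
        "dport": dport,
        "proto": proto,
        "impact": impact,
        "blocked": blocked,
        "vlan": vlan,
    }


def parse_unified2_bytes(data):
    """Walk unified2 records in memory; a truncated final record ends the walk."""
    events = []
    offset = 0
    while offset + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, offset)
        body = data[offset + HEADER.size:offset + HEADER.size + length]
        if len(body) < length:
            break                     # file was still being written when copied
        event = _decode_event(rtype, body)
        if event is not None:
            events.append(event)
        offset += HEADER.size + length
    return events


def parse_unified2(path):
    with open(path, "rb") as fh:
        return parse_unified2_bytes(fh.read())


def build_sample_data():
    """Constructed sample: one legacy event, one packet record, one truncated header."""
    ip = lambda s: int.from_bytes(socket.inet_aton(s), "big")
    body = EVENT_LEGACY.pack(1, 42, 1700000000, 123456, 2000001, 1, 3, 4, 2,
                             ip("192.0.2.10"), ip("198.51.100.20"),
                             51515, 80, 6, 0, 1, 1)
    packet = HEADER.pack(UNIFIED2_PACKET, 5) + b"\x00" * 5
    truncated = HEADER.pack(UNIFIED2_IDS_EVENT, EVENT_LEGACY.size) + b"\x00" * 10
    return HEADER.pack(UNIFIED2_IDS_EVENT, len(body)) + body + packet + truncated


def make_sample_tree():
    """Write the constructed sample into a temp directory laid out like the sensor."""
    root = tempfile.mkdtemp(prefix="u2demo-")
    path = os.path.join(root, "instance-1", "snort-unified.alert.1700000000")
    os.makedirs(os.path.dirname(path))
    with open(path, "wb") as fh:
        fh.write(build_sample_data())
    return root


if __name__ == "__main__":
    root = DEFAULT_ROOT if os.path.isdir(DEFAULT_ROOT) else make_sample_tree()
    for path in find_alert_files(root):
        for ev in parse_unified2(path):
            print(path, ev)
```

Run it on the sensor after `expert` / `sudo su -`, or copy the located files out with scp and run it on an analysis host; on a machine without /var/sf/detection_engine it falls back to the constructed sample so you can see the output shape first.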
