01-04-2025 03:17 AM
I am currently using Cisco Firepower Management Center (FMC) and would like to collect logs that include detailed information about users' requested URLs and send them to a central syslog server for analysis.
Here are my specific requirements and questions:
Any guidance, including examples of syslog configurations, FMC policies, or integration tips, would be greatly appreciated.
01-06-2025 07:24 PM
When we set up an Access Control Policy rule to send syslog events, it is the managed FTD device actually sending its view of the traffic to the syslog server. That is why we only see a subset of what you can see in FMC itself. The FMC view is enriched by context it retrieves from other sources such as Identity from ISE, URL from analysis of the packets, etc. That enriched set of information is not directly exportable to a syslog server from FMC.
Here you can see what an FTD device sends to syslog in the case of a DNS lookup - that is the only time we see the FQDN from a syslog event since it is part of the event. Subsequent connections (and any syslog event associated with them) will just use the IP address and that is what will be seen in a syslog event for that traffic.
%FTD-6-430003: EventPriority: Low, DeviceUUID: f35fbf2c-a28c-11ef-8f3e-91c8635f9d10, InstanceID: 1, FirstPacketSecond: 2025-01-07T03:16:18Z, ConnectionID: 538, AccessControlRuleAction: Allow, SrcIP: 172.31.1.31, DstIP: 8.8.8.8, SrcPort: 58951, DstPort: 53, Protocol: udp, IngressInterface: Inside-Lab, EgressInterface: Outside-Home, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Lab_ACP, AccessControlRuleName: Lab-Outside, Prefilter Policy: Default Prefilter Policy, Client: DNS, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 120, ResponderBytes: 248, NAPPolicy: Balanced Security and Connectivity, DNSQuery: dt-external-217593033.us-east-1.elb.amazonaws.com, DNSRecordType: a host address, DNSResponseType: No Error, DNS_TTL: 37, ReferencedHost: dt-external-217593033.us-east-1.elb.amazonaws.com, NAT_InitiatorPort: 58951, NAT_ResponderPort: 53, NAT_InitiatorIP: 192.168.0.204, NAT_ResponderIP: 8.8.8.8, ClientAppDetector: AppID, InspectedPacketCount: 2, InspectionMicroseconds: 558
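The answer above makes two practical points: the FTD event is a flat "Key: Value" list (with keys such as "Prefilter Policy" that themselves contain spaces), and the only hostname it ever carries is the DNS query name on the lookup event itself. The following Python is an added example written for this thread, not code from the poster or from Cisco; it parses the sample 430003 line verbatim, shows that a follow-up connection event has no FQDN field, and groups queried hostnames per client, which is the closest a syslog-only pipeline gets to the per-user URL view in the FMC GUI. The HTTPS event is constructed for illustration (the 203.0.113.10 address is documentation space), and the function names are my own.

```python
"""Parse Cisco FTD connection-event syslog lines of the form shown in the
accepted answer (comma-separated "Key: Value" pairs after a %FTD-<sev>-<id>
header) and extract the hostname information they actually carry."""
import re
from typing import Dict, Iterable, Optional, Set

# The 430003 DNS connection event from the accepted answer, verbatim.
DNS_EVENT = (
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: f35fbf2c-a28c-11ef-8f3e-91c8635f9d10, "
    "InstanceID: 1, FirstPacketSecond: 2025-01-07T03:16:18Z, ConnectionID: 538, "
    "AccessControlRuleAction: Allow, SrcIP: 172.31.1.31, DstIP: 8.8.8.8, SrcPort: 58951, "
    "DstPort: 53, Protocol: udp, IngressInterface: Inside-Lab, EgressInterface: Outside-Home, "
    "IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, "
    "ACPolicy: Lab_ACP, AccessControlRuleName: Lab-Outside, "
    "Prefilter Policy: Default Prefilter Policy, Client: DNS, ApplicationProtocol: DNS, "
    "ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 120, "
    "ResponderBytes: 248, NAPPolicy: Balanced Security and Connectivity, "
    "DNSQuery: dt-external-217593033.us-east-1.elb.amazonaws.com, "
    "DNSRecordType: a host address, DNSResponseType: No Error, DNS_TTL: 37, "
    "ReferencedHost: dt-external-217593033.us-east-1.elb.amazonaws.com, "
    "NAT_InitiatorPort: 58951, NAT_ResponderPort: 53, NAT_InitiatorIP: 192.168.0.204, "
    "NAT_ResponderIP: 8.8.8.8, ClientAppDetector: AppID, InspectedPacketCount: 2, "
    "InspectionMicroseconds: 558"
)

# CONSTRUCTED for this example (not from the thread): the HTTPS flow that
# follows the lookup. Same record shape, but there is no URL or FQDN field,
# only DstIP, which is exactly the limitation the answer describes.
HTTPS_EVENT_CONSTRUCTED = (
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: f35fbf2c-a28c-11ef-8f3e-91c8635f9d10, "
    "InstanceID: 1, FirstPacketSecond: 2025-01-07T03:16:19Z, ConnectionID: 539, "
    "AccessControlRuleAction: Allow, SrcIP: 172.31.1.31, DstIP: 203.0.113.10, "
    "SrcPort: 58952, DstPort: 443, Protocol: tcp, IngressInterface: Inside-Lab, "
    "EgressInterface: Outside-Home, ACPolicy: Lab_ACP, AccessControlRuleName: Lab-Outside, "
    "Client: SSL client, ApplicationProtocol: HTTPS, InitiatorPackets: 12, "
    "ResponderPackets: 10, InitiatorBytes: 1800, ResponderBytes: 5200"
)

HEADER_RE = re.compile(r"^%FTD-(?P<sev>\d)-(?P<msgid>\d{6}): ")

# A key is one or more words (e.g. "Prefilter Policy") followed by ": ".
# A value runs until the next ", Key: " boundary or end of line, so values
# containing spaces or colons (timestamps, policy names) are kept whole.
_KEY = r"[A-Za-z_][A-Za-z0-9_]*(?: [A-Za-z_][A-Za-z0-9_]*)*"
FIELD_RE = re.compile(r"(?P<key>" + _KEY + r"): (?P<val>.*?)(?=, " + _KEY + r": |$)")


def parse_ftd_event(line: str) -> Dict[str, str]:
    """Return the event as a dict; 'MessageID' holds the six-digit FTD message number."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an FTD syslog line: %r" % line[:40])
    fields = {"MessageID": m.group("msgid"), "Severity": m.group("sev")}
    for f in FIELD_RE.finditer(line[m.end():]):
        fields[f.group("key")] = f.group("val")
    return fields


def hostname_from_event(ev: Dict[str, str]) -> Optional[str]:
    """The only hostname FTD puts in a connection event is the DNS query name
    (ReferencedHost / DNSQuery) on the lookup itself; any other flow has only DstIP."""
    return ev.get("ReferencedHost") or ev.get("DNSQuery")


def dns_queries_by_client(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Group the hostnames each internal client resolved, using only the DNS events."""
    out: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_ftd_event(line)
        host = hostname_from_event(ev)
        if host and "SrcIP" in ev:
            out.setdefault(ev["SrcIP"], set()).add(host)
    return out


if __name__ == "__main__":
    for raw in (DNS_EVENT, HTTPS_EVENT_CONSTRUCTED):
        ev = parse_ftd_event(raw)
        dest = hostname_from_event(ev) or "%s:%s" % (ev["DstIP"], ev["DstPort"])
        print(ev["SrcIP"], "->", dest, "(%s)" % ev.get("ApplicationProtocol"))
    print(dns_queries_by_client([DNS_EVENT, HTTPS_EVENT_CONSTRUCTED]))
```

Note what the DNS event does not contain: the resolved address. The visible fields give the query name and its TTL but no answer IP, so this event alone is not enough to reliably stitch the FQDN onto the later HTTPS flow to a given DstIP; per-client "what did this host ask for" is what the syslog feed supports.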
01-04-2025 05:12 AM
01-05-2025 08:54 PM
Hi there, thanks for replying. I think you got it wrong: the problem isn't about parsing logs, the problem is that my raw logs don't include any URL field.
01-08-2025 02:12 AM
Thanks for your clarification. Is there any way to configure FTD to include the FQDN in syslog output?
01-08-2025 04:51 AM
No, not to the best of my knowledge.