01-04-2025 03:17 AM
I am currently using Cisco Firepower Management Center (FMC) and would like to collect logs that include detailed information about users' requested URLs and send them to a central syslog server for analysis.
Here are my specific requirements and questions:
- Log Details: How can I configure FMC to include details such as requested URLs, timestamps, and the action taken (e.g., allowed or blocked) in the syslog messages?
- Syslog Configuration: What are the necessary steps to set up FMC to forward these logs to a syslog server?
- Is there a specific syslog facility or severity level recommended for URL-related logs?
- Do I need to configure any specific policies or logging profiles in FMC for this?
- User Identity Information: How can I ensure that FMC logs include user identity information (e.g., usernames) along with URL requests?
Any guidance, including examples of syslog configurations, FMC policies, or integration tips, would be greatly appreciated.
01-04-2025 05:12 AM
01-05-2025 08:54 PM
Hi there, thanks for replying. I think you got it wrong: the problem isn't about parsing logs, the problem is that my raw logs don't include any URL field.
01-06-2025 07:24 PM
When we set up an Access Control Policy rule to send syslog events, it is the managed FTD device actually sending its view of the traffic to the syslog server. That is why we only see a subset of what you can see in FMC itself. The FMC view is enriched by context it retrieves from other sources such as Identity from ISE, URL from analysis of the packets, etc. That enriched set of information is not directly exportable to a syslog server from FMC.
Here you can see what an FTD device sends to syslog in the case of a DNS lookup - that is the only time we see the FQDN from a syslog event since it is part of the event. Subsequent connections (and any syslog event associated with them) will just use the IP address and that is what will be seen in a syslog event for that traffic.
%FTD-6-430003: EventPriority: Low, DeviceUUID: f35fbf2c-a28c-11ef-8f3e-91c8635f9d10, InstanceID: 1, FirstPacketSecond: 2025-01-07T03:16:18Z, ConnectionID: 538, AccessControlRuleAction: Allow, SrcIP: 172.31.1.31, DstIP: 8.8.8.8, SrcPort: 58951, DstPort: 53, Protocol: udp, IngressInterface: Inside-Lab, EgressInterface: Outside-Home, IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, ACPolicy: Lab_ACP, AccessControlRuleName: Lab-Outside, Prefilter Policy: Default Prefilter Policy, Client: DNS, ApplicationProtocol: DNS, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 120, ResponderBytes: 248, NAPPolicy: Balanced Security and Connectivity, DNSQuery: dt-external-217593033.us-east-1.elb.amazonaws.com, DNSRecordType: a host address, DNSResponseType: No Error, DNS_TTL: 37, ReferencedHost: dt-external-217593033.us-east-1.elb.amazonaws.com, NAT_InitiatorPort: 58951, NAT_ResponderPort: 53, NAT_InitiatorIP: 192.168.0.204, NAT_ResponderIP: 8.8.8.8, ClientAppDetector: AppID, InspectedPacketCount: 2, InspectionMicroseconds: 558
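The point above is easiest to check by parsing the raw message yourself: the 430003 event is a flat list of "Key: Value" pairs, and a hostname only appears in the DNS and ReferencedHost fields of a DNS lookup event. The following is an added example, not code from the thread or from Cisco. It takes the sample message posted above as its DNS input, a constructed HTTPS connection event for the "later connection" case (the DstIP 203.0.113.10 and ConnectionID 539 are made up), and reports which of the fields asked about in the question (URL, user identity) are simply not present in the message.

```python
"""Parse Cisco FTD connection-event syslog (%FTD-6-430003) into fields.

Added example, not code from the thread or from Cisco. The field names come
from the sample message posted in the thread; the HTTPS line is constructed.
"""
import re
from typing import Optional

# Header: %FTD-<severity>-<6-digit message id>: <body>
HEADER_RE = re.compile(r"^%FTD-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")

# Sample from the thread: a DNS lookup, the one case where the FQDN is present.
SAMPLE_DNS_EVENT = (
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: f35fbf2c-a28c-11ef-8f3e-91c8635f9d10, "
    "InstanceID: 1, FirstPacketSecond: 2025-01-07T03:16:18Z, ConnectionID: 538, "
    "AccessControlRuleAction: Allow, SrcIP: 172.31.1.31, DstIP: 8.8.8.8, SrcPort: 58951, "
    "DstPort: 53, Protocol: udp, IngressInterface: Inside-Lab, EgressInterface: Outside-Home, "
    "IngressZone: inside, EgressZone: outside, IngressVRF: Global, EgressVRF: Global, "
    "ACPolicy: Lab_ACP, AccessControlRuleName: Lab-Outside, "
    "Prefilter Policy: Default Prefilter Policy, Client: DNS, ApplicationProtocol: DNS, "
    "ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 120, "
    "ResponderBytes: 248, NAPPolicy: Balanced Security and Connectivity, "
    "DNSQuery: dt-external-217593033.us-east-1.elb.amazonaws.com, "
    "DNSRecordType: a host address, DNSResponseType: No Error, DNS_TTL: 37, "
    "ReferencedHost: dt-external-217593033.us-east-1.elb.amazonaws.com, "
    "NAT_InitiatorPort: 58951, NAT_ResponderPort: 53, NAT_InitiatorIP: 192.168.0.204, "
    "NAT_ResponderIP: 8.8.8.8, ClientAppDetector: AppID, InspectedPacketCount: 2, "
    "InspectionMicroseconds: 558"
)

# Constructed sample (not from the thread): a later HTTPS connection from the
# same client. As the answer explains, only IP addresses are carried here.
SAMPLE_HTTPS_EVENT = (
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: f35fbf2c-a28c-11ef-8f3e-91c8635f9d10, "
    "InstanceID: 1, FirstPacketSecond: 2025-01-07T03:16:19Z, ConnectionID: 539, "
    "AccessControlRuleAction: Allow, SrcIP: 172.31.1.31, DstIP: 203.0.113.10, "
    "SrcPort: 51234, DstPort: 443, Protocol: tcp, ACPolicy: Lab_ACP, "
    "AccessControlRuleName: Lab-Outside, Client: SSL client, ApplicationProtocol: HTTPS"
)


def parse_ftd_event(line: str) -> dict:
    """Split one 430003 message into severity, message id and a field dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an FTD syslog message: %r" % line[:40])
    fields = {}
    # Fields are "Key: Value" pairs separated by ", ". Keys may contain spaces
    # ("Prefilter Policy") and so may values ("Balanced Security and Connectivity").
    # A value that itself contained ", " would be split wrongly; none do in the sample.
    for pair in m.group("body").split(", "):
        key, sep, value = pair.partition(": ")
        if not sep:
            continue  # skip fragments that are not key/value pairs
        fields[key.strip()] = value.strip()
    return {"severity": int(m.group("severity")), "msg_id": m.group("msg_id"), "fields": fields}


def hostname_for(event: dict) -> Optional[str]:
    """Return the FQDN the event carries, if any. Only DNS lookup events have one."""
    f = event["fields"]
    return f.get("ReferencedHost") or f.get("DNSQuery")


def missing_fields(event: dict, wanted: tuple) -> list:
    """List the requested field names that this event does not carry."""
    return [name for name in wanted if name not in event["fields"]]


def summarize(line: str) -> tuple:
    """(timestamp, action, src, dst, hostname-or-None) for one message."""
    ev = parse_ftd_event(line)
    f = ev["fields"]
    return (f.get("FirstPacketSecond"), f.get("AccessControlRuleAction"),
            f.get("SrcIP"), f.get("DstIP"), hostname_for(ev))


if __name__ == "__main__":
    for sample in (SAMPLE_DNS_EVENT, SAMPLE_HTTPS_EVENT):
        ev = parse_ftd_event(sample)
        print(summarize(sample), "missing:", missing_fields(ev, ("URL", "User")))
```

Running it shows the DNS event yields the hostname while the HTTPS event yields None, and that neither message carries a URL or user field; that absence is in the FTD-generated message itself, so no amount of parsing on the collector side recovers it.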
01-08-2025 02:12 AM
Thanks for your clarification. Is there any way to configure FTD to include the FQDN in syslog output?
01-08-2025 04:51 AM
No, not to the best of my knowledge.
