collection of FTD configuration changes in SIEM

borutlape · ‎07-03-2020

Hi,

we need to collect FTD configuration changes logs in SIEM, which are mainly performed via FMC.
On ASA we are just collecting 111010 syslog messages, but on FTD's no 111010 messages are sent, only 111008 and in each log the username is enable_1.

We enabled "Send Audit Log to Syslog" in FMC, but no configuration changes details are sent, only "Login/Logout, Page view, Save policy, Deploy policy".

Any suggestions?

Regards,
Borut

balaji.bandi · ‎07-03-2020

is this make sense to send policy Logs to Syslog server or you looking after policy push from FMC to FTD?

here is some config I do with Tuffin hope this help you.

https://forum.tufin.com/support/kc/latest/Content/Suite/12108.htm

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

borutlape · ‎07-06-2020

This is already done, we are receiving syslogs from FTD devices, but they do not contain the users who performed the changes.

We are after the policy changes on FTD devices, performed through FMC, containing usernames.

balaji.bandi · ‎07-06-2020

how about configuring FMC

system --> audit log --- Send Audit Log to Syslog

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

borutlape · ‎07-07-2020

Already done that, as stated in the initial post, but no configuration details there, only Login/Logout, Page accessed...

balaji.bandi · ‎07-07-2020

Can you post the screenshot which was configured.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

borutlape · ‎07-08-2020

bergonzoni · ‎08-06-2022

Hi,

I have the same need and the same limitation but with Firepower 7.0 version.

Do you have any update?

Regards

Marco

borutlape · ‎08-08-2022

Hi Marco,

Unfortunately, no progress ☹

The only way to find who did what changes is to manually correlate audit logs from FMC (policy save/apply) and configuration logs 111008 from user “config”.

Regards,

Borut