Beginner

collection of FTD configuration changes in SIEM

Hi,

 

We need to collect FTD configuration change logs in our SIEM; the changes are mainly performed via FMC.
On ASA we just collect 111010 syslog messages, but FTDs send no 111010 messages, only 111008, and in each log the username is enable_1.

We enabled "Send Audit Log to Syslog" in FMC, but no configuration change details are sent, only "Login/Logout, Page view, Save policy, Deploy policy".

 

Any suggestions?

 

Regards,
Borut

 

6 REPLIES
VIP Mentor

Re: collection of FTD configuration changes in SIEM

Does it make sense to send policy logs to the syslog server, or are you looking for the policy push from FMC to FTD?

 

Here is some config I do with Tufin; hope this helps you.

 

https://forum.tufin.com/support/kc/latest/Content/Suite/12108.htm

 

BB
*** Rate All Helpful Responses ***
Beginner

Re: collection of FTD configuration changes in SIEM

This is already done; we are receiving syslogs from the FTD devices, but they do not contain the users who performed the changes.

 

We are after the policy changes on FTD devices, performed through FMC, containing usernames.

VIP Mentor

Re: collection of FTD configuration changes in SIEM

How about configuring FMC:

System --> Audit Log --> Send Audit Log to Syslog

BB
*** Rate All Helpful Responses ***
Beginner

Re: collection of FTD configuration changes in SIEM

Already done that, as stated in the initial post, but there are no configuration details there, only Login/Logout, Page accessed...

VIP Mentor

Re: collection of FTD configuration changes in SIEM

Can you post a screenshot of what was configured?

BB
*** Rate All Helpful Responses ***
Beginner

Re: collection of FTD configuration changes in SIEM

Audit Log.PNG