We need to collect FTD configuration change logs in SIEM; the changes are mainly performed via FMC.
On ASA we are just collecting 111010 syslog messages, but on FTDs no 111010 messages are sent, only 111008, and in each log the username is enable_1.
We enabled "Send Audit Log to Syslog" in FMC, but no configuration changes details are sent, only "Login/Logout, Page view, Save policy, Deploy policy".
Does it make sense to send policy logs to the syslog server, or are you looking for the policy push from FMC to FTD?
Here is some config I do with Tufin; hope this helps you.
This is already done, we are receiving syslogs from FTD devices, but they do not contain the users who performed the changes.
We are after the policy changes on FTD devices, performed through FMC, containing usernames.
How about configuring FMC?
System --> Audit Log --> Send Audit Log to Syslog
Already done that, as stated in the initial post, but no configuration details there, only Login/Logout, Page accessed...
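A SIEM-side triage for the gap described in this thread, as an added example that is not from any poster or from Cisco: it parses 111008 and 111010 command-audit messages and separates the ones whose user is a generic `enable_N` identity from those that name a person. The message layouts in the regexes, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed message layouts (not quoted in the thread):
#   111008: User 'NAME' executed the 'CMD' command.
#   111010: User 'NAME', running 'APP' from IP ADDR, executed 'CMD'
HEADER = re.compile(r"%(?P<platform>ASA|FTD)-\d-(?P<msgid>\d{6}): (?P<body>.*)")
PATTERNS = {
    "111008": re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command"),
    "111010": re.compile(r"User '(?P<user>[^']*)', running '(?P<app>[^']*)' "
                         r"from IP (?P<ip>[^,\s]+), executed '(?P<cmd>.*)'"),
}
# Identities that do not name a person; enable_1 is the one reported in the thread.
GENERIC_USER = re.compile(r"^enable_\d+$")

def parse_change(line):
    """Return a dict for a 111008/111010 message, or None for anything else."""
    head = HEADER.search(line)
    if not head or head["msgid"] not in PATTERNS:
        return None
    body = PATTERNS[head["msgid"]].search(head["body"])
    if not body:
        return None
    event = {"platform": head["platform"], "msgid": head["msgid"], **body.groupdict()}
    # A change is attributable only if the user field names a real account.
    event["attributable"] = not GENERIC_USER.match(event["user"])
    return event

def unattributed(lines):
    """Config-change events that cannot be tied to a person from syslog alone."""
    events = filter(None, map(parse_change, lines))
    return [e for e in events if not e["attributable"]]

# Constructed sample lines (hostnames, users, addresses and commands are made up).
SAMPLE = [
    "<165>Jan 10 10:01:02 asa01 : %ASA-5-111010: User 'jsmith', running 'CLI' "
    "from IP 192.0.2.10, executed 'object network web01'",
    "<165>Jan 10 10:05:40 ftd01 : %FTD-5-111008: User 'enable_1' executed the "
    "'access-list DEMO extended permit tcp any any eq 443' command.",
    "<166>Jan 10 10:06:00 ftd01 : %FTD-6-302013: Built outbound TCP connection",
]

if __name__ == "__main__":
    for e in unattributed(SAMPLE):
        print(f"{e['platform']} {e['msgid']} user={e['user']} cmd={e['cmd']}")
```

Events returned by `unattributed` are the ones that would need a second source, such as the FMC audit log, to identify who made the change.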