07-03-2020 03:34 AM - edited 07-03-2020 03:35 AM
Hi,
We need to collect FTD configuration change logs in our SIEM; the changes are mainly performed via FMC.
On ASA we are just collecting 111010 syslog messages, but on FTDs no 111010 messages are sent, only 111008, and in each log the username is enable_1.
We enabled "Send Audit Log to Syslog" in FMC, but no configuration change details are sent, only "Login/Logout, Page view, Save policy, Deploy policy".
Any suggestions?
Regards,
Borut
07-03-2020 11:14 AM
Does it make sense to send policy logs to the syslog server, or are you after the policy push from FMC to FTD?
Here is some config I did with Tufin; hope this helps you.
https://forum.tufin.com/support/kc/latest/Content/Suite/12108.htm
07-06-2020 12:52 AM
This is already done, we are receiving syslogs from FTD devices, but they do not contain the users who performed the changes.
We are after the policy changes on FTD devices, performed through FMC, containing usernames.
07-06-2020 12:09 PM
How about configuring FMC:
System --> Audit Log --> Send Audit Log to Syslog
07-07-2020 01:03 AM
Already done that, as stated in the initial post, but no configuration details there, only Login/Logout, Page accessed...
07-07-2020 09:41 AM
Can you post a screenshot of what was configured?
07-08-2020 05:01 AM - edited 07-08-2020 05:03 AM
08-06-2022 01:11 AM
Hi,
I have the same need and the same limitation, but with Firepower version 7.0.
Do you have any update?
Regards
Marco
08-08-2022 01:53 AM
Hi Marco,
Unfortunately, no progress ☹
The only way to find who did what changes is to manually correlate audit logs from FMC (policy save/apply) and configuration logs 111008 from user “config”.
Regards,
Borut
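The manual correlation described in the reply above can be scripted in the SIEM or offline. The following is an added example, not code from the thread or from Cisco: it attributes each 111008 device command to the FMC user whose "Deploy policy" audit event precedes it within a time window. The collector line prefix, the pre-parsed audit tuples, the 15-minute window and all sample values are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data. FMC audit events are shown already parsed by the SIEM
# as (time, FMC user, action); the tuple layout is an assumption.
FMC_AUDIT = [
    ("2020-07-08T09:58:10", "alice", "Save policy"),
    ("2020-07-08T10:00:02", "alice", "Deploy policy"),
    ("2020-07-08T14:28:30", "carol", "Deploy policy"),
    ("2020-07-08T14:30:00", "bob", "Deploy policy"),
]
# Constructed FTD lines; the "<ISO time> <device>" prefix is an assumed collector format.
FTD_SYSLOG = """\
2020-07-08T10:00:41 ftd1 %FTD-5-111008: User 'enable_1' executed the 'object network web01' command.
2020-07-08T10:00:42 ftd1 %FTD-5-111008: User 'enable_1' executed the 'no access-list demo line 3' command.
2020-07-08T12:15:07 ftd1 %FTD-5-111008: User 'enable_1' executed the 'write memory' command.
2020-07-08T14:31:10 ftd2 %FTD-5-111008: User 'enable_1' executed the 'object network db01' command.
"""
RE_111008 = re.compile(
    r"^(\S+) (\S+) %FTD-\d-111008: User '([^']*)' executed the '(.*)' command\.$")

def parse_ftd(text):
    """Return (time, device, local user, command) for every 111008 line."""
    events = []
    for line in text.splitlines():
        m = RE_111008.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return events

def attribute(ftd_events, audit, window=timedelta(minutes=15)):
    """Map each device command to the FMC user(s) who deployed shortly before it."""
    deploys = [(datetime.fromisoformat(t), u) for t, u, a in audit if a == "Deploy policy"]
    results = []
    for ts, device, _local_user, command in ftd_events:
        users = {u for t, u in deploys if timedelta(0) <= ts - t <= window}
        if not users:
            who = "unattributed"      # CLI change or deploy outside the window
        elif len(users) == 1:
            who = users.pop()
        else:
            who = "ambiguous:" + ",".join(sorted(users))  # overlapping deploys
        results.append((ts.isoformat(), device, command, who))
    return results

if __name__ == "__main__":
    for row in attribute(parse_ftd(FTD_SYSLOG), FMC_AUDIT):
        print(*row, sep=" | ")
```

Rows marked `unattributed` or `ambiguous` are the ones that still need a manual look, since time proximity alone cannot separate overlapping deployments by different users.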