06-14-2016 03:46 AM
Hi,
I'm looking into exporting the connection -> events from Firesight to another host.
What would be the best way to do this? I cannot find any clear option in the GUI to export the information.
Is this information in mysql or can it be found in a plaintext file on the Sourcefire host that can be copied to another host?
Or can we configure the Sourcefire to send syslog for every connection event to another syslog host?
We would like to save the information for 3 months+ but unfortunately atm the log is about 24 hours.
Regards,
//Jacob
06-14-2016 06:32 AM
Hi Jacob,
We can configure FireSIGHT to send connection events to a syslog server.
You can refer to the document below for the same:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html
Rate if it helps.
Thanks,
Ankita
06-15-2016 01:37 AM
Thank you for your quick answer!
When I check this documentation, I understand it as this option logging exploit attempts from this policy match to a syslog server.
What we would like to log is actual user traffic to allowed and denied sites.
Like the information found when I go to Analysis->Connections->event
Or do I misunderstand the documentation above, will it accomplish this?
06-15-2016 07:34 AM
Hi Jacob, the access control policy has a logging option, so if traffic hits a particular rule in which logging is enabled and it is also set to send the logs to Syslog,
you will be able to see all sorts of user traffic on the Syslog, no matter whether it is exploit traffic or normal traffic.
Mark it as correct if it helped in resolving your query.
thanks
ankita
06-15-2016 07:37 AM
Yes, this should solve our issue. Thank you very much for your assistance!
//Jacob