Firepower Audit Logs

Daniel Stefani
Level 1

Hello,

Could you help me interpret the following audit logs? Why did the admin user do a Policy Deployment with Source IP 127.0.0.1?

        Time                 User           Subsystem                                       Message                                                                       Source IP
        2017-05-17 20:55:02  System         Task Queue                                      Successful task completion : Policy Deployment to Firepower-2                 localhost
        2017-05-17 20:54:58  csm_processes  Login                                           Login Success                                                                 Default User IP
        2017-05-17 20:54:58  admin          Policy Deploy > Policy Deployment > <XXXXXX>    success                                                                       127.0.0.1
        2017-05-17 20:54:46  System         Task Queue                                      Successful task completion : Policy Deployment to Firepower-1                 localhost
        2017-05-17 20:54:43  csm_processes  Login                                           Login Success                                                                 Default User IP
        2017-05-17 20:54:43  admin          Policy Deploy > Policy Deployment > <XXXXXXXX>  success                                                                       127.0.0.1
        2017-05-17 20:53:04  csm_processes  Login                                           Login Success                                                                 Default User IP
        2017-05-17 20:53:03  csm_processes  Login                                           Login Success                                                                 Default User IP
        2017-05-17 20:53:01  csm_processes  Login                                           Login Success                                                                 Default User IP
        2017-05-17 20:53:01  System         Task Queue                                      Successful task completion : Pre-deploy Device Configuration for Firepower-1  localhost
        2017-05-17 20:53:00  csm_processes  Login                                           Login Success                                                                 Default User IP
        2017-05-17 20:53:00  System         Task Queue                                      Successful task completion : Pre-deploy Device Configuration for Firepower-2  localhost
        2017-05-17 20:52:51  csm_processes  Login                                           Login Success                                                                 Default User IP
        2017-05-17 20:52:51  System         Task Queue                                      Successful task completion : Pre-deploy Global Configuration Generation       localhost
        2017-05-17 20:52:24  csm_processes  Login                                           Login Success                                                                 Default User IP

Best Regards,

Daniel Stefani

Accepted Solutions

Marvin Rhoads
Hall of Fame

127.0.0.1 is another way of saying localhost (the FMC itself).

Any scheduled tasks or recurring tasks will show that they are done by admin from localhost. For instance, if you have set the FMC to automatically download and deploy rule updates, they would show up thus.

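The distinction drawn in this answer, as an added example (not part of the original thread and not Cisco code): a small Python triage that separates audit rows whose Source IP is the FMC itself from rows that carry a real client address. The CSV layout, the function names and the 192.0.2.10 row are assumptions made for the illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: rows modelled on the audit log columns quoted in the thread,
# written as CSV (the export format is an assumption). 192.0.2.10 is a made-up
# documentation address standing in for an administrator's workstation.
SAMPLE = """Time,User,Subsystem,Message,Source IP
2017-05-17 20:55:02,System,Task Queue,Successful task completion : Policy Deployment to Firepower-2,localhost
2017-05-17 20:54:58,csm_processes,Login,Login Success,Default User IP
2017-05-17 20:54:58,admin,Policy Deploy > Policy Deployment > <XXXXXX>,success,127.0.0.1
2017-05-17 20:40:11,admin,Login,Login Success,192.0.2.10
"""

def classify_source(value):
    """Return 'loopback', 'remote' or 'no-address' for a Source IP field."""
    text = value.strip()
    if text.lower() == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "no-address"  # not an IP at all, e.g. the "Default User IP" text
    # is_loopback covers all of 127.0.0.0/8 and IPv6 ::1, not only 127.0.0.1
    return "loopback" if addr.is_loopback else "remote"

def triage(csv_text):
    """Tag each row with its origin and count (user, origin) pairs."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["Origin"] = classify_source(row["Source IP"])
        rows.append(row)
    counts = Counter((r["User"], r["Origin"]) for r in rows)
    return rows, counts

def remote_actions(rows):
    """Rows recorded with a real client address, i.e. not the FMC itself."""
    return [r for r in rows if r["Origin"] == "remote"]

if __name__ == "__main__":
    rows, counts = triage(SAMPLE)
    for (user, origin), n in sorted(counts.items()):
        print(f"{user:15} {origin:11} {n}")
    for r in remote_actions(rows):
        print("client address:", r["Time"], r["User"], r["Source IP"], r["Message"])
```

Values that are not IP addresses are kept in their own bucket rather than counted as local, so an unexpected Source IP string stands out instead of blending in with the FMC's own activity.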

4 Replies

Veronika Klauzova
Cisco Employee

Hello Daniel,

I do believe that this is due to the fact that anything that is pushed from user's activity to Task Status aka Task Queue is being reinserted by admin user from localhost IP, as FMC itself will be pushing action down to sensor from its own internal IP/localhost. This request will not flow from user's PC IP address.

Best regards,

Veronika

Hello Marvin,

Thanks.

We have a scheduled task to do Update URL Filtering Database.

Best Regards,

Daniel Stefani

securek2021
Level 1

Where can I find this option to view the login audit logs for the Firepower 5120?