Solved: Re: FirePOWER Connection Event Data via Syslog

reheindel · ‎01-28-2020

We are testing sending connection event data from our managed devices to our SIEM via syslog - rather than using the estreamer solution (long story).

In brief testing I noticed that I don't get some enhanced data - (initiator country for example) in the connection event via syslog.

Is this a limitation in sending via syslog?

FMC & Managed devices: 6.4.0.7

Note: I have only tested on a legacy FirePOWER device - not the newer 2100/4100 platforms.

Thanks in advance for your response!

Bob

nspasov · ‎01-28-2020

Hi Bob-

Yes, this is the expected behavior. Some information/data is not going to be available with events sent via syslog and one of those is Geolocation. For more information and details on this, you can reference the FMC's configuration guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/analyze_events_using_external_tools.html#id_85387

I hope this helps!

Thank you for rating helpful posts!

View solution in original post

nspasov · ‎01-28-2020

Hi Bob-

Yes, this is the expected behavior. Some information/data is not going to be available with events sent via syslog and one of those is Geolocation. For more information and details on this, you can reference the FMC's configuration guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/analyze_events_using_external_tools.html#id_85387

I hope this helps!

Thank you for rating helpful posts!

reheindel · ‎02-06-2020

Ok, that's disappointing but I appreciate the response.

Bob