
FirePower FMC Audit logs are not showing policy changes

meidanmeshulam
Beginner

Hi all!

I'm capturing Audit logs from FMC using tcpdump, but unfortunately I do not see any access policy changes in the logs :\

I do get other logs like saving the configs etc., but when I edit the policy and add/remove/edit a rule, I get nothing in the logs.
I tried to play with it but still nothing works.

Shouldn't I see these changes in the logs?

Thanks a lot!

4 Replies

Oliver Kaiser
Rising star

As of Firepower 6.7 the export of audit logs (via syslog) does not include the changes that are being made to the access policy; the information is only available via FMC UI (see balaji.bandi's response). There is a feature request to enhance audit logs, but I am not aware of any committed release for those enhancements.

Hope that helps (or at least clarifies the status quo).

@Oliver Kaiser
Thanks for the reply : ]

You mentioned "as of 6.7", do you know what's going on prior to 6.7? Will policy changes be exported to the remote syslog server?

Thanks!

There is an open enhancement request that is similar to what you would want from FMC: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp25425 - I've heard the same requirement from many customers since Firepower 6.0 that need detailed change logs for compliance reporting, but as of now there has been no release that would implement what you are looking for.

 

I would recommend opening a support case to get an enhancement request filed with Cisco, that way chances will increase that the functionality that you need will be implemented sooner.

 

 
