08-11-2020 12:26 AM
Hi all,
I have a problem with the logging type in Firepower Management Center.
It has: ALERT, CRIT, DEBUG, EMERG, ERR, INFO, NOTICE and WARNING.
The default is ALERT. Which selection includes all of them? Does INFO include ALERT and all the information?
thanks and regards,
tangsuan
08-11-2020 05:22 AM
Are you asking about syslog messages from the FMC itself (vs. events that you are sending to syslog)?
Generally speaking, syslog severity settings include all messages of higher priority.
So telling a system to log at level 6 includes 0-5, 5 includes 0-4 etc.
08-11-2020 10:37 PM
Hi Marvin,
Thanks for your reply.
This information is very useful.
regards,
tangsuan
08-12-2020 06:11 AM - edited 08-12-2020 06:25 AM
Hi Marvin,
Now I have a new problem reported back from the client.
The problem is that after I set it to Info, the output I get from the Syslog is as below:
8/12/2020 11:34 | Syslog.Info | 172.23.10.31 | 2020-08-12T03:34:29Z n206pdmzip1 IGMSSyslog1 %NGIPS-6-430003: DeviceUUID: 6c8a1040-fd69-11e6-afb6-cf5c4dcf2406, AccessControlRuleAction: Allow, SrcIP: x.x.x.x, DstIP: y.y.y.y, SrcPort: 51713, DstPort: 443, Protocol: tcp, IngressInterface: s1p3, EgressInterface: s1p4, IngressZone: IGMS-Outbound-to-PaloAltoFW, EgressZone: IGMS-Inbound-From CoreSW, ACPolicy: Default Intrusion Prevention, AccessControlRuleName: IGMS Prod Web Inline 2, Prefilter Policy: Unknown, User: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 6, InitiatorPackets: 9, ResponderPackets: 7, InitiatorBytes: 1250, ResponderBytes: 563, NAPPolicy: Inline Policy for Inline Interface, URL:xxxxxxxxxxxxxxxxxxxx.com |
8/12/2020 11:38 | Syslog.Info | 172.23.10.31 | 2020-08-12T03:37:15Z n206pdmzip1 IGMSSyslog1 %NGIPS-6-430003: DeviceUUID: 6c8a1040-fd69-11e6-afb6-cf5c4dcf2406, AccessControlRuleAction: Allow, SrcIP: a.b.c.d, DstIP: y.y.y.y, SrcPort: 43907, DstPort: 514, Protocol: udp, IngressInterface: s1p4, EgressInterface: s1p3, IngressZone: IGMS-Inbound-From CoreSW, EgressZone: IGMS-Outbound-to-PaloAltoFW, ACPolicy: Default Intrusion Prevention, AccessControlRuleName: IGMS Prod Web Inline 1, Prefilter Policy: Unknown, User: No Authentication Required, Client: syslog, ApplicationProtocol: syslog, ConnectionDuration: 21, InitiatorPackets: 4, ResponderPackets: 0, InitiatorBytes: 588, ResponderBytes: 0, NAPPolicy: Inline Policy for Inline Interface |
However, I cannot see the output format come with Message, or something like the table below which is generated by Report Generator. May I have your advice on how to set this?
Is it something in the Syslog setup that has to change? Attached is the option in the picture; does it need to change? Right now it is set to Syslog.
Time | Priority | Impact | Inline Result | Source IP | Source Country | Destination IP | Destination Country | Original Client IP | Source Port / ICMP Type | Destination Port / ICMP Code | SSL Status | VLAN ID | MPLS Label | Message | Classification | Generator | Source User | Destination User | Application Protocol | Application Protocol Category | Application Protocol Tag | Client | Client Category | Client Tag | Web Application | Web Application Category | Web Application Tag | IOC | Application Risk | Business Relevance | Ingress Security Zone | Egress Security Zone | Device | Ingress Interface | Egress Interface | Intrusion Policy | Access Control Policy | Access Control Rule | Network Analysis Policy | HTTP Hostname | HTTP URI | HTTP Response Code | Email Sender | Email Recipient | Email Attachments |
thanks and regards,
tangsuan
08-12-2020 09:15 AM
The syslog message format cannot be modified.
It is not intended as a 1-1 replacement of the FMC reporting capability.
What is your client trying to do with the messages?
08-12-2020 06:07 PM
Hi Marvin,
Thanks for your reply.
My client showed me the example IPS Syslog below, which contains the Message (IPS signature information), and asked why ours does not have that Message information. Below is his example:
For example:-
Intrusion Events will look like this below
Message: HI_CLIENT_BARE_BYTE is signature name for this intrusion event.
<112>Aug 12 01:56:31 XXXX %NGIPS-0-430001: DeviceUUID: xxxxxxxxxxxxxxxxxxxx, SrcIP:x.x.x.x, DstIP: x.x.x.x, SrcPort: xxx, DstPort: xxx, Protocol: tcp, IngressInterface: s2p2, EgressInterface: s2p1, IngressZone: Internal, EgressZone: External, Priority: 3, GID: 119, SID: 4, Revision: 1, Message: HI_CLIENT_BARE_BYTE, Classification: Not Suspicious Traffic, User: No Authentication Required, IntrusionPolicy: TEST policy, TestACPolicy: Test Policy, NAPPolicy: Balanced Security and Connectivity
May I have your advice on any way to set the Firepower to display this Message information?
I checked that there is a Facility setting as below; can it help with this problem? Right now I have set it to Syslog. Is there any other setting or anything else besides this setting that can help with this problem? Please advise. Thanks!
| Facility | Description |
| --- | --- |
| AUTH | A message associated with security and authorization. |
| AUTHPRIV | A restricted access message associated with security and authorization. On many systems, these messages are forwarded to a secure file. |
| CRON | A message generated by the clock daemon. |
| DAEMON | A message generated by a system daemon. |
| FTP | A message generated by the FTP daemon. |
| KERN | A message generated by the kernel. On many systems, these messages are printed to the console when they appear. |
| LOCAL0-LOCAL7 | A message generated by an internal process. |
| LPR | A message generated by the printing subsystem. |
| MAIL | A message generated by a mail system. |
| NEWS | A message generated by the network news subsystem. |
| SYSLOG | A message generated by the syslog daemon. |
| USER | A message generated by a user-level process. |
| UUCP | A message generated by the UUCP subsystem. |
Regards,
tangsuan
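As an added example that is not part of this thread, here is a small Python parser for the two %NGIPS message types quoted above (connection events, 430003, and intrusion events, 430001), together with the severity-threshold rule from the accepted answer. The sample lines, hostnames, UUID and addresses are constructed placeholders modelled on the quoted messages, not real logs.

```python
import re
from typing import Dict, Optional

# Syslog severities as FMC lists them; lower number = more urgent.
SEVERITY = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
            "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}

# Constructed sample lines modelled on the two message types quoted in the thread
# (UUID, addresses and names are placeholders, not real values).
CONNECTION_EVENT = (
    "2020-08-12T03:34:29Z sensor1 syslog1 %NGIPS-6-430003: "
    "DeviceUUID: 00000000-0000-0000-0000-000000000000, AccessControlRuleAction: Allow, "
    "SrcIP: 10.0.0.1, DstIP: 10.0.0.2, SrcPort: 51713, DstPort: 443, Protocol: tcp, "
    "ACPolicy: Default Intrusion Prevention, AccessControlRuleName: Example Rule 2, "
    "Client: SSL client, ApplicationProtocol: HTTPS, URL:example.invalid")
INTRUSION_EVENT = (
    "<112>Aug 12 01:56:31 sensor1 %NGIPS-0-430001: "
    "DeviceUUID: 00000000-0000-0000-0000-000000000000, SrcIP: 10.0.0.1, DstIP: 10.0.0.2, "
    "SrcPort: 40000, DstPort: 80, Protocol: tcp, Priority: 3, GID: 119, SID: 4, Revision: 1, "
    "Message: HI_CLIENT_BARE_BYTE, Classification: Not Suspicious Traffic")

MNEMONIC = re.compile(r"%NGIPS-(\d)-(\d+):\s*(.*)$")
KIND = {"430001": "intrusion", "430003": "connection"}


def logged_at(threshold: str, level: int) -> bool:
    """True if a message of numeric severity `level` is emitted when logging is set
    to `threshold`: INFO (6) emits 0-6, the default ALERT (1) emits only 0-1."""
    return level <= SEVERITY[threshold]


def parse_ngips(line: str) -> Optional[Dict[str, str]]:
    """Split a %NGIPS-<sev>-<id> line into its 'Key: Value' fields (None if not NGIPS).
    Fields are separated by ', '; a value that itself contains ', ' would be cut short."""
    m = MNEMONIC.search(line)
    if not m:
        return None
    fields = {"severity": m.group(1), "msgid": m.group(2),
              "kind": KIND.get(m.group(2), "other")}
    for pair in m.group(3).split(", "):
        key, _, value = pair.partition(":")  # 'URL:host' has no space after the colon
        fields[key.strip()] = value.strip()
    return fields


def signature(fields: Dict[str, str]) -> Optional[str]:
    """'GID:SID:Rev Message' for an intrusion event; None for a connection event, which
    never carries a Message field (the gap the thread is about)."""
    if fields.get("kind") != "intrusion" or "Message" not in fields:
        return None
    return f"{fields['GID']}:{fields['SID']}:{fields['Revision']} {fields['Message']}"
```

Running `parse_ngips` over both samples shows why the client's expectation cannot be met by the connection feed alone: only the 430001 line yields a signature.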
08-14-2020 02:28 AM
Hi Marvin,
I found out that the Syslog.info does not come with the Intrusion Event, as in the attached picture.
That is the problem: the Syslog does not come with the Message. This Message is the Intrusion Signature information on the Intrusion event.
May I get your help on how to resolve this? Thanks!
regards,
tangsuan