Firepower Management Centre 750 Logging Type

Tang-Suan Tan
Beginner

Hi all,

I have a problem with the logging type in Firepower Management Centre.

It has: ALERT, CRIT, DEBUG, EMERG, ERR, INFO, NOTICE and WARNING.

The default is ALERT. Which selection includes all of them? Does INFO include ALERT and all other information?

Thanks and regards,

tangsuan


Marvin Rhoads
VIP Community Legend

Are you asking about syslog messages from the FMC itself (vs. events that you are sending to syslog)?

Generally speaking, syslog severity settings include all messages of higher priority.

So telling a system to log at level 6 includes 0-5, 5 includes 0-4, etc.

  • 0 — emergency: System unusable.
  • 1 — alert: Immediate action needed.
  • 2 — critical: Critical condition.
  • 3 — error: Error condition.
  • 4 — warning: Warning condition.
  • 5 — notification: Normal but significant condition.
  • 6 — informational: Informational message only.


Hi Marvin,

Thanks for your reply.

This information is very useful.

Regards,

tangsuan

Hi Marvin,

Now I have a new problem fed back from the client.

The problem is that after I set it to INFO, the Syslog output I get is as below:

8/12/2020 11:34 | Syslog.Info | 172.23.10.31

2020-08-12T03:34:29Z n206pdmzip1 IGMSSyslog1 %NGIPS-6-430003: DeviceUUID: 6c8a1040-fd69-11e6-afb6-cf5c4dcf2406, AccessControlRuleAction: Allow, SrcIP: x.x.x.x, DstIP: y.y.y.y, SrcPort: 51713, DstPort: 443, Protocol: tcp, IngressInterface: s1p3, EgressInterface: s1p4, IngressZone: IGMS-Outbound-to-PaloAltoFW, EgressZone: IGMS-Inbound-From CoreSW, ACPolicy: Default Intrusion Prevention, AccessControlRuleName: IGMS Prod Web Inline 2, Prefilter Policy: Unknown, User: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 6, InitiatorPackets: 9, ResponderPackets: 7, InitiatorBytes: 1250, ResponderBytes: 563, NAPPolicy: Inline Policy for Inline Interface, URL:xxxxxxxxxxxxxxxxxxxx.com

8/12/2020 11:38 | Syslog.Info | 172.23.10.31

2020-08-12T03:37:15Z n206pdmzip1 IGMSSyslog1 %NGIPS-6-430003: DeviceUUID: 6c8a1040-fd69-11e6-afb6-cf5c4dcf2406, AccessControlRuleAction: Allow, SrcIP: a.b.c.d, DstIP: y.y.y.y, SrcPort: 43907, DstPort: 514, Protocol: udp, IngressInterface: s1p4, EgressInterface: s1p3, IngressZone: IGMS-Inbound-From CoreSW, EgressZone: IGMS-Outbound-to-PaloAltoFW, ACPolicy: Default Intrusion Prevention, AccessControlRuleName: IGMS Prod Web Inline 1, Prefilter Policy: Unknown, User: No Authentication Required, Client: syslog, ApplicationProtocol: syslog, ConnectionDuration: 21, InitiatorPackets: 4, ResponderPackets: 0, InitiatorBytes: 588, ResponderBytes: 0, NAPPolicy: Inline Policy for Inline Interface

However, I cannot see an output format that comes with a Message field, or something like the table below, which is generated by Report Generator. May I have your advice on how to set this?

Is there something in the Syslog setup that has to change? Attached is a picture of the option; is that what needs to change? Right now it is set to Syslog.

Report Generator columns: Time, Priority, Impact, Inline Result, Source IP, Source Country, Destination IP, Destination Country, Original Client IP, Source Port / ICMP Type, Destination Port / ICMP Code, SSL Status, VLAN ID, MPLS Label, Message, Classification, Generator, Source User, Destination User, Application Protocol, Application Protocol Category, Application Protocol Tag, Client, Client Category, Client Tag, Web Application, Web Application Category, Web Application Tag, IOC, Application Risk, Business Relevance, Ingress Security Zone, Egress Security Zone, Device, Ingress Interface, Egress Interface, Intrusion Policy, Access Control Policy, Access Control Rule, Network Analysis Policy, HTTP Hostname, HTTP URI, HTTP Response Code, Email Sender, Email Recipient, Email Attachments

Thanks and regards,

tangsuan

The syslog message format cannot be modified.

It is not intended as a 1-1 replacement of the FMC reporting capability.

What is your client trying to do with the messages?

Hi Marvin,

Thanks for your reply.

My client showed me the example IPS Syslog below, which contains a Message (IPS signature information), and asked why ours does not have that Message information. Below is his example:

For example, Intrusion Events will look like this:

Message: HI_CLIENT_BARE_BYTE is the signature name for this intrusion event.

<112>Aug 12 01:56:31 XXXX %NGIPS-0-430001: DeviceUUID: xxxxxxxxxxxxxxxxxxxx, SrcIP:x.x.x.x, DstIP: x.x.x.x, SrcPort: xxx, DstPort: xxx, Protocol: tcp, IngressInterface: s2p2, EgressInterface: s2p1, IngressZone: Internal, EgressZone: External, Priority: 3, GID: 119, SID: 4, Revision: 1, Message: HI_CLIENT_BARE_BYTE, Classification: Not Suspicious Traffic, User: No Authentication Required, IntrusionPolicy: TEST policy, TestACPolicy: Test Policy, NAPPolicy: Balanced Security and Connectivity

May I have your advice on any way to set Firepower to display this Message information?

I checked and there is a Facility setting as below; can it help with this problem? Right now I have it set to Syslog. Is there any other setting, or anything else besides this setting, that can help with this problem? Please advise. Thanks!

Facility: Description

AUTH: A message associated with security and authorization.
AUTHPRIV: A restricted access message associated with security and authorization. On many systems, these messages are forwarded to a secure file.
CRON: A message generated by the clock daemon.
DAEMON: A message generated by a system daemon.
FTP: A message generated by the FTP daemon.
KERN: A message generated by the kernel. On many systems, these messages are printed to the console when they appear.
LOCAL0-LOCAL7: A message generated by an internal process.
LPR: A message generated by the printing subsystem.
MAIL: A message generated by a mail system.
NEWS: A message generated by the network news subsystem.
SYSLOG: A message generated by the syslog daemon.
USER: A message generated by a user-level process.
UUCP: A message generated by the UUCP subsystem.

Regards,

tangsuan
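As an added example (not part of the thread and not Cisco's own tooling), here is a small Python parser that applies both points raised above: the syslog severity threshold Marvin describes (level N keeps severities 0..N) and the difference between the connection events (%NGIPS-6-430003) that tangsuan's collector receives and the intrusion events (%NGIPS-0-430001) that carry the Message field. The sample lines are constructed from the anonymised messages in the thread; the facility decoding assumes RFC 3164 `<PRI>` framing where PRI = facility * 8 + severity.

```python
import re
from typing import Dict, List, Optional

# Cisco NGIPS syslog tag "%NGIPS-<severity>-<message id>:" followed by "Key: Value" pairs,
# optionally preceded by an RFC 3164 <PRI> (assumed framing; PRI = facility * 8 + severity).
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
TAG_RE = re.compile(r"%NGIPS-(?P<sev>\d)-(?P<msgid>\d+):\s*(?P<body>.*)$")
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debug"}

def parse_ngips(line: str) -> Optional[Dict[str, object]]:
    """Return severity, message id, optional facility and the Key: Value fields of one line."""
    tag = TAG_RE.search(line)
    if not tag:
        return None  # not an NGIPS message (or truncated before the tag)
    event: Dict[str, object] = {"severity": int(tag.group("sev")), "msgid": tag.group("msgid")}
    pri = PRI_RE.match(line)
    if pri:
        event["facility"] = int(pri.group("pri")) >> 3
        # the severity encoded in PRI should agree with the digit inside the %NGIPS tag
        event["pri_consistent"] = (int(pri.group("pri")) & 7) == event["severity"]
    for pair in tag.group("body").split(", "):
        key, sep, value = pair.partition(":")  # tolerates "URL:host" with no space
        if sep:
            event[key.strip()] = value.strip()
    return event

def filter_by_threshold(lines: List[str], threshold: int) -> List[Dict[str, object]]:
    """Syslog-style level filter: threshold N keeps severities 0..N (lower number = more urgent)."""
    parsed = (parse_ngips(line) for line in lines)
    return [e for e in parsed if e is not None and int(e["severity"]) <= threshold]

def signature_message(event: Dict[str, object]) -> Optional[str]:
    """Intrusion events (430001) carry the rule name in 'Message'; connection events (430003) do not."""
    msg = event.get("Message")
    return str(msg) if msg is not None else None

# Constructed sample lines modelled on the two message types in the thread (values anonymised).
SAMPLE_LINES = [
    "2020-08-12T03:34:29Z sensor1 sensor1 %NGIPS-6-430003: DeviceUUID: 00000000-0000-0000-0000-000000000000, "
    "AccessControlRuleAction: Allow, SrcIP: 10.0.0.1, DstIP: 192.0.2.10, SrcPort: 51713, DstPort: 443, "
    "Protocol: tcp, ApplicationProtocol: HTTPS, URL:example.com",
    "<112>Aug 12 01:56:31 sensor1 %NGIPS-0-430001: DeviceUUID: 00000000-0000-0000-0000-000000000000, "
    "SrcIP:10.0.0.1, DstIP: 192.0.2.10, SrcPort: 40000, DstPort: 80, Protocol: tcp, Priority: 3, "
    "GID: 119, SID: 4, Revision: 1, Message: HI_CLIENT_BARE_BYTE, Classification: Not Suspicious Traffic",
]

if __name__ == "__main__":
    for ev in filter_by_threshold(SAMPLE_LINES, 6):  # INFO keeps both 6 and 0
        print(ev["msgid"], SEVERITY_NAMES[int(ev["severity"])], signature_message(ev))
```

Setting the threshold to 1 (ALERT) keeps only the intrusion event, which is why the collector showed nothing with a Message once it was filtered to the connection-event level rather than the other way round.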

Hi Marvin,

I found out that Syslog.Info does not come with the Intrusion Event, as in the picture attached.

That is the problem: the Syslog does not come with the Message. This Message is the Intrusion Signature information on the Intrusion Event.

May I get your help on how to resolve this? Thanks!

Regards,

tangsuan
