Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1953
Views
10
Helpful
4
Replies

Firepower rule (connection) logging to Syslog question

corpengineer818
Level 1
Level 1

‎03-15-2017 11:59 AM - edited ‎03-10-2019 06:47 AM

Firepower rule (connection) logging to Syslog:  When configuring a rule and 'Send Connection Events to', and Syslog is selected, what is source IP of the host sending the Syslog message?  Is it the IP of the Firepower Management Center, or the source IP from the connection itself being logged?

Thank you.

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎03-19-2017 01:32 PM

Your FirePOWER Management Center interface sensor's address will be the source IP in the syslog message header. The body of the message should have the addresses specific to the connection record.

0 Helpful

Oliver Kaiser
Level 7
Level 7
In response to Marvin Rhoads

‎03-19-2017 01:32 PM

I think its actually the sensor that will forward the connection event via syslog. I checked this in the lab with 6.2.0 and saw that syslog was sent directly and not from the FMC.

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Oliver Kaiser

‎03-19-2017 07:04 PM

Thanks for the correction Oliver. An ounce of data is more valuable than a pound of conjecture.

I updated my earlier reply accordingly. 

0 Helpful

corpengineer818
Level 1
Level 1

‎03-20-2017 11:22 AM

That makes a lot more sense (that the source is the device/sensor).  Wasn't seeing anything logged from the FMC.  I'll adjust my firewall rules to allow the sensor, and this should work now. 

Thank you.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card