10-24-2017 05:52 AM - edited 02-21-2020 06:33 AM
Hi Experts,
I want to know if it is possible to send intrusion and malware events to multiple syslog servers in Firepower IPS?
How do I do it if possible? If not, what are the workarounds?
Thanks
10-24-2017 09:19 AM
Only a single syslog server is currently supported.
If your remote systems support it, you can use eStreamer and send to multiple subscribers.
10-24-2017 06:15 PM
Thanks Marvin for your feedback, but may I know what is the difference between the logging configured in the following:
1. Intrusion Policy > Advanced Settings
2. Policies > Action > Alerts
3. Access Control Rule Logging option
10-25-2017 02:37 AM
Each of those sections of the FMC configuration has the option for enabling logging to system log (syslog) facilities (which is separately defined per the global definition of a single syslog server).
Depending on your requirements you may decide to configure none, some or all of them to send syslog messages.
The system works fine without them - using an external syslog is usually done to satisfy a need to have long term audit data, retain information for forensic analysis or to meet a regulatory, legal or other such requirement.
11-30-2017 01:30 PM
Hello Marvin,
What is the recommended setup of the syslog on the managed FTD devices?
Patrice
11-30-2017 06:03 PM
I've never seen a Cisco recommendation on what SHOULD be set up - they leave it to the user's discretion and simply specify HOW to set it up should the client need it.
As I mentioned earlier, it generally depends on the client's purpose for doing it in the first place. I'd say the most common use case is for integration with an enterprise logging/correlation tool like Splunk or a similar product. Enterprises using that sort of toolset typically have their own requirement set which would guide what messages are desired or required.
09-14-2018 12:06 AM - edited 09-14-2018 12:12 AM
Hi,
When the external logging is configured for event logs, does the NIPS/sensor send the logs directly to the syslog server, or can the logs go only via FMC to the syslog?
Thanks
09-14-2018 01:24 AM
The sensor will send the syslog messages from its eventing interface (normally the same as the management address unless you've changed it).
I just confirmed by setting it up on my lab and capturing the incoming packets on the destination syslog server.
03-28-2019 05:03 AM - edited 03-28-2019 05:05 AM
Hi Marvin, I am facing some issues in logging to SIEM tool.
The logging levels which are available, are they similar to ASA? E.g. if I choose Info (which is 6), will all the lower-level logs be forwarded to SIEM (i.e. from 1 to 6)?
&
I have enabled logging from all 3 options: under Policies and Alerts, from the ACP logging option, and the intrusion policy logging options as well. But I still have logs/events missing that are not getting forwarded to SIEM.
Regards,
Imran.
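The two practical questions in this thread are how a syslog "level" setting relates to which messages get forwarded, and how to get one stream of events to more than one collector when the sensor only takes a single syslog destination. The following is an added example, not code from the thread or from Cisco: a small Python relay that parses the standard syslog PRI field (PRI = facility * 8 + severity, severities 0 emerg through 7 debug), applies an ASA-style threshold (a level N forwards everything at severity N or more urgent, i.e. 0..N), and sends a copy of each surviving message to every configured destination. The sample messages, host addresses and ports are constructed for the example; the threshold semantics are those of standard syslog, not a statement about how any particular Firepower setting behaves.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Standard syslog severity names, indexed by numeric value (RFC 3164 / RFC 5424).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")

Destination = Tuple[str, int]
SendFn = Callable[[bytes, Destination], object]


def parse_pri(line: str) -> Tuple[int, int]:
    """Return (facility, severity) from the leading <PRI> field.

    Raises ValueError when the prefix is missing or out of range, so a
    malformed line is never silently treated as the most urgent severity.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def passes_threshold(severity: int, threshold: int) -> bool:
    """Level N forwards severities 0..N (lower number = more urgent)."""
    return severity <= threshold


def fan_out(line: str, destinations: Iterable[Destination], send: SendFn,
            threshold: int = 6) -> List[Destination]:
    """Send one copy of `line` to each destination if it passes the threshold.

    Returns the list of destinations the message was actually sent to, so a
    caller (or a test) can verify the fan-out without capturing network traffic.
    """
    _, severity = parse_pri(line)
    if not passes_threshold(severity, threshold):
        return []
    sent: List[Destination] = []
    payload = line.encode("utf-8")
    for dest in destinations:
        send(payload, dest)
        sent.append(dest)
    return sent


def relay_batch(lines: Iterable[str], destinations: List[Destination], send: SendFn,
                threshold: int = 6) -> Dict[str, int]:
    """Relay a batch of raw lines; returns counts of forwarded, dropped and malformed lines."""
    stats = {"forwarded": 0, "dropped": 0, "malformed": 0}
    for line in lines:
        try:
            sent = fan_out(line, destinations, send, threshold)
        except ValueError:
            stats["malformed"] += 1
            continue
        stats["forwarded" if sent else "dropped"] += 1
    return stats


def udp_sender() -> SendFn:
    """Real sender for production use: plain UDP syslog on the given (host, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return sock.sendto


# Constructed sample messages (facility local4 = 20, as many Cisco devices default to).
# <166> = 20*8 + 6 (info), <167> = 20*8 + 7 (debug), <163> = 20*8 + 3 (err).
SAMPLE_LINES = [
    "<166>Mar 28 07:42:00 ftd-sensor constructed: intrusion event, info severity",
    "<167>Mar 28 07:42:01 ftd-sensor constructed: debug chatter, should be dropped at level 6",
    "<163>Mar 28 07:42:02 ftd-sensor constructed: error-level event",
    "no PRI field at all",
]

# Constructed collector addresses (two SIEM/syslog receivers).
SAMPLE_DESTINATIONS: List[Destination] = [("192.0.2.10", 514), ("192.0.2.11", 514)]


def demo() -> Dict[str, int]:
    """Run the batch through a recording sender instead of the network."""
    captured: List[Tuple[bytes, Destination]] = []
    return relay_batch(SAMPLE_LINES, SAMPLE_DESTINATIONS,
                       lambda data, dest: captured.append((data, dest)), threshold=6)


if __name__ == "__main__":
    print(demo())  # {'forwarded': 2, 'dropped': 1, 'malformed': 1}
```

The injectable `send` function is deliberate: in production you pass `udp_sender()`, while in a test you pass a recorder and assert on which destinations received a copy. Malformed lines are counted rather than forwarded, so a gap between what the sensor emits and what the SIEM shows can be narrowed down to "dropped by threshold", "unparseable", or "never reached the relay".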
03-28-2019 07:42 AM
Are there some specific events you can cite that don't seem to be making it to your SIEM?
Note that for FMC itself (vs. the sensors) you set up its logging under System > Configuration > Audit Log.
03-30-2019 09:05 PM - edited 03-30-2019 09:06 PM
Hi Marvin, thank you for responding.
No, I am not looking for audit logs / FMC system / management user logs.
One example is that on FMC, intrusion events are fired based on URL SI categories, which I am not getting on SIEM.
Although I have logging enabled for SI.
Regards,
Imran.
08-18-2023 08:29 AM
Did this fall off the boat?