cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14718
Views
10
Helpful
11
Replies

FMC and Sensor to External Syslog

fatalXerror
Level 5
Level 5

Hi Experts,

I want to know if it is possible to send intrusion and malware events to multiple syslog servers in firepower IPS?

How to do it if possible? If not, what are the workaround?

Thanks

11 Replies 11

Marvin Rhoads
Hall of Fame
Hall of Fame

Only a single syslog server is currently supported.

 

If your remote systems support it, you can use eStreamer and send to multiple subscribers.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/configuration/guide/fpmc-config-guide-v622/host_identity_sources.html#ID-2219-000004b0

thanks Marvin for you feedack but may I know what is the difference between the logging configured in the following,

1. Intrusion Policy > Advanced Settings

2. Policies > Action > Alerts

3. Access Control Rule Logging option

 

Each of those sections of the FMC configuration has the option for enabling logging to system log (syslog) facilities (which is separately defined per the global definition of a single syslog server).

 

Depending on your requirements you may decide to configure none, some or all of them to send syslog messages.

 

The system works fine without them - using an external syslog is usually done to satisfy a need to have long term audit data, retain information for forensic analysis or to meet a regulatory, legal or other such requirement.

Hello Marvin,

What the recommended setup of the Syslog on the maanged FTD devices.

Patrice

I've never seen a Cisco recommendation on what SHOULD be setup - they leave it to the user discretion and simply specify HOW to set it up should the client need it.

 

As I mentioned earlier, it generally depends on the client's purpose for doing it in the first place. I'd say the most common use case is for integration with an enterprise logging/correlation tool like Splunk or a similar product. Enterprises using that sort of toolset typically have their own requirement set which would guide what messages are desired or required.

Hi,
when the external logging is configured for event logs, does the NIPS/sensor sends the logs directly to the syslog server OR the logs can go only via FMC to the syslog ?

Thanks

The sensor will send the syslog messages from its eventing interface (normally the same as the management address unless you've changed it).

 

I just confirmed by setting it up on my lab and capturing the incoming packets on the destination syslog server.

 

FTD Log.PNG

 

 

Hi Marvin,  I am facing some issues in logging to SIEM tool.

 

The logging levels which are available, are they similar to ASA, like if I choose Info (which is 6), will all the low level logs be forwarded to SIEM. (i.e. from 1 to 6)

&

I have enabled logging from all 3 options, under policies and alerts, from ACP logging option, Intrusion policy logging options as well. But still I have logs/ events missing, that are not getting forwarded to SIEM.

Regards,

Imran.

 

 

 

 

Are there some specific events you can cite that don't seem to be making it to your SIEM?

Note for FMC itself (vs the sensors) you setup its logging under System > Configuration > Audit Log

Hi Marvin, thank u for responding.

No, I am not looking for audit logs/ FMC system /Management user logs.

One of the example is, that on FMC Intrusion events are fired based on URL SI categories, which I am not getting over SIEM.

Although I have logging enabled for SI.

 

Regards,

Imran.

 

 

RF99TJ
Level 1
Level 1

Did this fall off the boat?

Review Cisco Networking for a $25 gift card