09-16-2018 08:08 PM - edited 02-21-2020 08:14 AM
Hi All
Just curious if anyone has encountered the similar situation before.
I have configured the FMC's Management/Audit logs to be sent to a SIEM via syslog.
(System > Configuration > Audit Logs)
The problem I have encountered is that the username is not present in syslog payload. Some of the sample syslog payload is as below.
Sep 17 01:51:35 0M-FMCv Login[23783]: Login Failed
Sep 17 01:53:46 0M-FMCv Login[24333]: Login Success
Sep 17 01:31:57 0M-FMCv System > Users > User Roles > User Role Editor[26824]: Page View
Sep 17 01:31:52 0M-FMCv System > Users > User Roles[26825]: Page View
Sep 17 01:31:42 0M-FMCv System > Users > Users[19589]: Page View
Sep 17 01:31:10 0M-FMCv System > Users > User Roles[26825]: Page View
Sep 17 01:30:55 0M-FMCv System > Users > Users > Edit User[19317]: Page View
Sep 17 01:29:31 0M-FMCv Login[18816]: Login Success
Sep 17 01:29:19 0M-FMCv Logout[18701]: Logout Success
I have tried using different users, but we can't distinguish between user activities as the username is not there.
Thanks.
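As an added example (not code from the original post or from Cisco), here is a small Python parser for the 6.2.x audit-syslog lines quoted above, plus a per-host failed-login burst check, the kind of detection that can still be built when the username field is missing from the payload. The sample lines, the year used to complete the timestamp, and the USER_RE pattern for the username field in later releases are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the FMC 6.2.x audit-syslog shape quoted in the thread
SAMPLE_LOG = """\
Sep 17 01:31:57 0M-FMCv System > Users > User Roles > User Role Editor[26824]: Page View
Sep 17 01:51:35 0M-FMCv Login[23783]: Login Failed
Sep 17 01:52:10 0M-FMCv Login[23790]: Login Failed
Sep 17 01:52:40 0M-FMCv Login[23801]: Login Failed
Sep 17 01:53:46 0M-FMCv Login[24333]: Login Success
"""

# BSD syslog header, then a "program" field that FMC fills with a page path
# (spaces and '>' allowed), a PID in brackets, and the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>.+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Assumed shape of a username field in later releases (not shown in the thread);
# on 6.2.x it never matches, so every record ends up with user=None.
USER_RE = re.compile(r"\buser(?:name)?[:=]\s*(\S+)", re.IGNORECASE)

def parse_line(line, year=2018):
    """Parse one FMC audit syslog line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    # BSD syslog timestamps carry no year; the caller supplies it (assumed 2018 here)
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    um = USER_RE.search(rec["msg"])
    rec["user"] = um.group(1) if um else None
    return rec

def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Hosts with >= threshold 'Login Failed' events inside a sliding time window.
    With no username in the payload, the FMC host is the only pivot left."""
    by_host = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["program"] == "Login" and r["msg"] == "Login Failed":
            by_host[r["host"]].append(r["ts"])
    bursts = {}
    for host, times in by_host.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[host] = max(bursts.get(host, 0), end - start + 1)
    return bursts
```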
09-16-2018 10:52 PM
You're right - that's a shortcoming in the current syslog functionality on FMC. I just confirmed it on my system running the latest 6.2.3.5 release.
Even a login success event doesn't provide the username via syslog (even though the syslog view in FMC does include the username). Below you can see both the FMC view as well as a packet capture of the actual syslog message received on my target syslog host:
09-16-2018 11:02 PM
Yes Marvin,
I did the same to check. I think username and IP address were there in earlier versions but I am not sure about it.
However, I found a file /var/log/CSMAgent.log in which we can see the successful login and logout events, but it's not very helpful for my case. Anyways, thanks for your response; I really appreciate that you took the time to respond.
03-11-2019 06:59 AM
Has this been resolved in 6.3?
03-11-2019 09:14 PM
Yes - I am running 6.3.0.1. We now see the username and the source IP address from which the user logged in included in the syslog messages: