cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2591
Views
5
Helpful
4
Replies

FMC Audit Logs - username missing in syslog payload

osama.mehtab.ga
Level 1
Level 1

Hi All

 

Just curious if anyone has encountered the similar situation before.

I have configured the FMC's Management/Audit logs to be sent to a SIEM via syslog.

 

(System > Configuration > Audit Logs)

 

The problem I have encountered is that the username is not present in syslog payload. Some of the sample syslog payload is as below.

 

Sep 17 01:51:35 0M-FMCv Login[23783]: Login Failed
Sep 17 01:53:46 0M-FMCv Login[24333]: Login Success
Sep 17 01:31:57 0M-FMCv System > Users > User Roles > User Role Editor[26824]: Page View
Sep 17 01:31:52 0M-FMCv System > Users > User Roles[26825]: Page View
Sep 17 01:31:42 0M-FMCv System > Users > Users[19589]: Page View
Sep 17 01:31:10 0M-FMCv System > Users > User Roles[26825]: Page View
Sep 17 01:30:55 0M-FMCv System > Users > Users > Edit User[19317]: Page View
Sep 17 01:29:31 0M-FMCv Login[18816]: Login Success
Sep 17 01:29:19 0M-FMCv Logout[18701]: Logout Success

 

I have tried using different users, but we can't distinguish between user activities as the username is not there. 

 

Thanks.

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

You're right - that's a shortcoming in the current syslog functionality on FMC. I just confirmed it on my system running the latest 6.2.3.5 release.

 

Even a login success event doesn't provide the username via syslog (even though the syslog view in FMC does include the username). Below you can see both the FMC view as well as a packet capture the actual syslog message received on my target syslog host:

 

FMC - Syslog.PNG

Yes Marvin,

 

I did the same to check. I think username and IP address were there in earlier versions but I am not sure about it.

 

However, I found a file /var/log/CSMAgent.log in which we can see the successful login and logout event but its not very helpful for my case. Anyways thanks for your response, really appreciate that you took to respond.

 

Has this been resolved in 6.3?

Yes - I am running 6.3.0.1. We now see the syslog messages with the username and source IP address from which the user logged in is included in the syslog messages:

FMC syslog with username.PNG

Review Cisco Networking for a $25 gift card