05-19-2022 11:14 AM
I've configured FMC to send Connection Events to an external syslog but not everything is being sent.
I've taken some tcpdumps and only the events with some relevant impact are sent. I'm interested in sending every event, even the allowed ones.
Any thoughts?
05-19-2022 05:54 PM
Can you share the screenshot of your syslog configuration and is this syslog server selected globally for the ACP or individual rules?
05-20-2022 06:24 AM
I'm doing it on an individual rule but it's the only rule that is logging on the ACP. See the attachment.
And I'm getting some of the events, just not the allowed events which I also want to send. So the connection is established, might it be something with the logging level I'm using?
Also, I'm using 2 ASA 5515X with Firepower software module and 4 ASA 5585X with Firepower hardware module. No FTD devices. So the FTD Platform Settings policy do not apply in my case.
05-20-2022 08:13 AM - edited 05-20-2022 08:15 AM
So you are trying to get IPS/IDS events? The one you are doing in the screenshot is Syslogs/Connection.
Intrusion you do not get here.
Go to Intrusion Policies > Edit your Policy > Select Advanced Settings on the left > Enable Syslog Alerting.
You may need to click back on the right hand side and commit it.
Or the moment you enable the syslog you will see Syslog Alerting on the left and add the server there.
You still need to commit changes. Also be careful, changes to the IPS policy and deploy can result in the loss of a few pings.
And make sure you select the IPS policy under the inspection tab of the screenshot you provided.
05-23-2022 02:27 PM
05-23-2022 02:44 PM
Do not directly edit there, click on the version you are using like snort 2 or snort 3 highlighted, then it will take you to your policy.
05-23-2022 03:37 PM - edited 05-23-2022 03:38 PM
Great, I found the option and made the change as you said but I'm still not getting the events sent. Maybe I'm using the wrong facility (Local0)? I set the level to Debug everywhere but the amount of logs does not change.
05-23-2022 06:40 PM
It is possible. I just compared mine and we are using the default LOCAL4 facility, and we do receive all the IPS/IDS alerts.
Can you set up yours and give it a shot?
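The facility question above can be settled on the receiving side without guessing: every syslog message starts with a `<PRI>` header, and PRI is facility * 8 + severity, so decoding it tells you exactly which facility and level the sender used for each event. The script below is an added example, not code from the thread or from Cisco; it assumes RFC 3164-style lines as captured by a listener or tcpdump, and the sample lines are constructed, not real FMC output.

```python
"""Decode syslog PRI headers to see which facility/severity a sender is using.

Added example (not from the forum thread or Cisco). Assumes RFC 3164-style
messages that begin with "<PRI>"; the SAMPLE lines are constructed.
"""
import re
from collections import Counter

# Standard syslog facility codes (RFC 3164 / RFC 5424).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) names for one syslog line, or None if absent."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # max valid PRI is 23 * 8 + 7
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def summarize(lines):
    """Count lines per (facility, severity); unparsable lines are grouped separately."""
    counts = Counter()
    for line in lines:
        decoded = decode_pri(line)
        counts[decoded if decoded else ("unparsed", "unparsed")] += 1
    return counts


def facilities_seen(lines):
    """Set of facility names present; compare against what the collector filters on."""
    return {f for f, _ in summarize(lines) if f != "unparsed"}


# Constructed sample capture: two local4/info lines, one local0/info line, one junk line.
SAMPLE = [
    "<166>May 23 14:01:02 fmc-host constructed: allowed connection event",
    "<166>May 23 14:01:03 fmc-host constructed: allowed connection event",
    "<134>May 23 14:01:04 fmc-host constructed: intrusion event",
    "malformed line without PRI",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(f"{key[0]:>10} {key[1]:<8} {n}")
    print("facilities seen:", sorted(facilities_seen(SAMPLE)))
```

Run it over the lines from a tcpdump or a plain UDP listener. If the collector is filtering on a facility that never appears in `facilities_seen`, the events are leaving the sensor but being dropped on arrival; if the expected facility appears but the counts stay flat when you raise the level, the filtering is happening before the message is sent.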
05-27-2022 07:07 AM
05-19-2022 07:14 PM
Hi
Follow this doc:
Also, as Krishna said, you need to provide the screenshot so we can understand what you are doing.
There are multiple places you can do the logging from, like Platform Settings, each rule in the ACP, or globally under the ACP [Logging tab].
IPS are done under the IPS section, etc.