907 Views | 0 Helpful | 1 Replies

FMC estreamer question

Issue statement first:

We are not receiving certain log fields in QRadar that appear in the FMC event viewer console. Fields such as 'Firewall policy', 'rule name', and whether the action was Allow or Block are not received from FMC.

Cisco FMC is integrated with QRadar using the log source type FireSIGHT over the eStreamer protocol. In the FMC -> eStreamer events configuration all options are checked to send across to the eStreamer client, and we are receiving many events, but not the ones mentioned above.

We receive the ACL name as CSM_FW_ACL_ in all the events. CSM_FW_ACL_ is the global ACL name, not the ACL names that are configured via the FMC under the various policies and applied to the different ASAs. A sample payload we receive is as follows: %ASA-4-106023: Deny tcp src Outside:x.x.x.x/41557 dst INFRA_LB:xx.xx.xx.xx/443 by access-group "CSM_FW_ACL_" [0x97aa021a, 0x0]

NB: the eStreamer integration guide says that an ACL names data block is included. But how can we debug and test whether Cisco is actually sending these? As they are encrypted, we cannot see them in plain text, I assume.

Has someone faced a similar issue, and what is the solution?

thanks
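Added example (not part of the original post): a small parser for the ASA 106023 deny line quoted above. It extracts the access-group name and the ACE hash from each line, tallies denies per ACL, and flags lines whose only ACL name is the generic CSM_FW_ACL_ that the FMC pushes to a managed ASA. The first sample line is the anonymised payload from the post; the other sample lines, the regex and the function names are constructed for this example.

```python
import re
from collections import Counter

# The first line is the (anonymised) payload quoted in the post; the rest are
# constructed sample lines added for this example.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src Outside:x.x.x.x/41557 dst INFRA_LB:xx.xx.xx.xx/443 by access-group "CSM_FW_ACL_" [0x97aa021a, 0x0]',
    '%ASA-4-106023: Deny udp src Outside:198.51.100.7/5353 dst DMZ:203.0.113.9/53 by access-group "CSM_FW_ACL_" [0x1b2c3d4e, 0x0]',
    '%ASA-4-106023: Deny icmp src Outside:198.51.100.7 dst DMZ:203.0.113.9 (type 8, code 0) by access-group "CSM_FW_ACL_" [0x7e7e7e7e, 0x0]',
    '%ASA-4-106023: Deny tcp src Inside:10.0.0.5/50012 dst Outside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x55aa55aa, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 12345 for Outside:192.0.2.5/40000 (192.0.2.5/40000) to INFRA_LB:10.1.1.1/443 (10.1.1.1/443)',
]

# Name the FMC pushes for the single global ACL on a managed ASA, as seen in the post.
FMC_GLOBAL_ACL = "CSM_FW_ACL_"

# %ASA-4-106023: Deny <proto> src <if>:<ip>[/<port>] dst <if>:<ip>[/<port>] [(type, code)]
# by access-group "<acl>" [<ace hash>, <second hash>]
ASA_106023 = re.compile(
    r'%ASA-(?P<sev>\d)-106023: (?P<action>Deny) (?P<proto>\w+) '
    r'src (?P<src_if>[^:]+):(?P<src>[^/ ]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[^:]+):(?P<dst>[^/ ]+)(?:/(?P<dport>\d+))?(?: \([^)]*\))? '
    r'by access-group "(?P<acl>[^"]+)" '
    r'\[(?P<ace_hash>0x[0-9a-fA-F]+), (?P<ace_hash2>0x[0-9a-fA-F]+)\]'
)


def parse_106023(line):
    """Return the fields of one ASA 106023 deny line, or None for other messages."""
    m = ASA_106023.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # True when the ACL name carries no policy information of its own.
    fields["generic_acl"] = fields["acl"] == FMC_GLOBAL_ACL
    return fields


def summarize(lines):
    """Tally denies per access-group and collect the ACE hashes hidden behind the
    generic FMC ACL name; the hash is all the syslog feed gives you to tie a deny
    back to a specific ACE."""
    parsed = [p for p in (parse_106023(line) for line in lines) if p]
    by_acl = Counter(p["acl"] for p in parsed)
    generic_aces = sorted({p["ace_hash"] for p in parsed if p["generic_acl"]})
    return {
        "parsed": len(parsed),
        "skipped": len(lines) - len(parsed),
        "by_acl": by_acl,
        "generic_aces": generic_aces,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOGS)
    print(f"parsed {report['parsed']} deny lines, skipped {report['skipped']} other messages")
    for acl, n in report["by_acl"].items():
        print(f"  {acl}: {n} denies")
    print("ACE hashes behind", FMC_GLOBAL_ACL, "->", ", ".join(report["generic_aces"]))
```

The ACE hash in the brackets can be matched against the output of `show access-list CSM_FW_ACL_` on the ASA, where each ACE line ends with its hash, to find which pushed line produced the deny. That still does not recover the FMC rule or policy name, which the syslog message never carries; those only arrive as eStreamer metadata records.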

 

1 Reply

Marvin Rhoads (Hall of Fame)

I don't know about the underlying question, but if you have the server's private SSL key you can use that to decrypt a Wireshark capture.

There are several articles on doing this. Here's one:

https://packetpushers.net/using-wireshark-to-decode-ssltls-packets/
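Two practical notes on the decryption route, followed by an added example that is not part of the thread. First, decrypting with the server's private key only works when the eStreamer TLS session negotiated RSA key exchange; with an ECDHE suite the session keys are ephemeral and the server key alone will not recover them. Second, once Wireshark has decrypted the session it can hand you the plaintext application data (for example via Follow > TLS Stream, saved as raw bytes). The script below walks such a byte stream using the eStreamer message header layout from the Integration Guide (2-byte header version, 2-byte message type, 4-byte message length, big-endian) and counts the message types and, inside event-data messages, the record types, so you can see whether the server is actually emitting the record types the guide lists for ACL and rule-name metadata. The message-type names, the event-data record layout with its optional 8-byte extended header, the treatment of the record length as covering the data only, and the record numbers 1001/1002 in the constructed sample are assumptions or placeholders to check against the guide.

```python
import struct
from collections import Counter

# eStreamer message header (Integration Guide): header version (2 bytes, always 1),
# message type (2 bytes), message length (4 bytes, the body only), big-endian.
MSG_HEADER = struct.Struct(">HHI")
# Event-data body: record type (4 bytes), record length (4 bytes), then data.
# Record length is assumed here to cover the data only; check the guide.
RECORD_HEADER = struct.Struct(">II")

MSG_EVENT_DATA = 3
# Assumed names for the low message types; verify against the guide.
MSG_NAMES = {0: "null", 1: "error", 2: "event stream request", 3: "event data"}


class TruncatedStream(Exception):
    """Raised when the buffer ends inside a header or message body."""


def iter_messages(buf):
    """Yield (message_type, body) for each eStreamer message in a decrypted stream."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < MSG_HEADER.size:
            raise TruncatedStream(f"{len(buf) - pos} trailing bytes at offset {pos}")
        version, mtype, length = MSG_HEADER.unpack_from(buf, pos)
        if version != 1:
            raise ValueError(f"unexpected header version {version} at offset {pos}")
        start = pos + MSG_HEADER.size
        if len(buf) - start < length:
            raise TruncatedStream(
                f"message type {mtype} at offset {pos} needs {length} bytes, {len(buf) - start} left")
        yield mtype, buf[start:start + length]
        pos = start + length


def parse_event_record(body, extended_header=False):
    """Split an event-data body into (record_type, record_data). With extended
    headers (assumed: an extra 8 bytes of timestamp/reserved after the record
    header) the data starts 8 bytes later."""
    rtype, rlen = RECORD_HEADER.unpack_from(body, 0)
    start = RECORD_HEADER.size + (8 if extended_header else 0)
    return rtype, body[start:start + rlen]


def tally(buf, extended_header=False):
    """Count message types and, inside event-data messages, record types."""
    msgs, records = Counter(), Counter()
    for mtype, body in iter_messages(buf):
        msgs[MSG_NAMES.get(mtype, f"type {mtype}")] += 1
        if mtype == MSG_EVENT_DATA:
            rtype, _ = parse_event_record(body, extended_header)
            records[rtype] += 1
    return msgs, records


# Builders used only to construct the sample stream below.
def build_message(mtype, body=b""):
    return MSG_HEADER.pack(1, mtype, len(body)) + body


def build_event_message(rtype, data):
    return build_message(MSG_EVENT_DATA, RECORD_HEADER.pack(rtype, len(data)) + data)


# Constructed sample stream. Record types 1001 and 1002 are placeholders, not real
# eStreamer record numbers; look the real ones up in the guide's record-type table.
SAMPLE_STREAM = b"".join([
    build_message(0),                                    # null message (keepalive)
    build_event_message(1001, b"\x00" * 12),             # two records of one type
    build_event_message(1001, b"\x01" * 12),
    build_event_message(1002, b"constructed metadata"),  # one record of another type
    build_message(1, b"\x00\x00\x00\x2a" + b"constructed error text"),
])


if __name__ == "__main__":
    msgs, records = tally(SAMPLE_STREAM)
    print("messages:", dict(msgs))
    print("event record types:", dict(records))
    try:
        tally(SAMPLE_STREAM[:-5])
    except TruncatedStream as e:
        print("truncated capture:", e)
```

Run it over the saved plaintext and compare the record-type counts with the record types the guide assigns to rule-name and ACL metadata; a zero count for those types means the server never sent them, while a non-zero count points the investigation at the QRadar side. The truncation check matters because a capture cut mid-session will end inside a message, and silently skipping that tail would hide the last records.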
