FMC logs to QRadar is not working

For ASA firewalls (SOC customers that send firewall logs to QRadar by syslog), we have them configure a base logging level of 4 (Warning), but we also need a subset of level 1 (Informational) events sent to QRadar as well. These events are:

106100 – Packet (allowed or denied) by ACL

302013 – Built TCP connection

302015 – Built UDP connection

We accomplish this by having them configure a Message List that includes those three message IDs, and has QRadar as the destination.

It's working on their ASA firewalls, but it hasn't been possible to get it working on their primary perimeter firewall, which is a Firepower device.

 

The syslog messages reference documentation for Firepower (https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html) confirms that the message IDs are the same as for ASAs. I assume that the Message List functionality exists in Firepower, though I wasn't able to find the documentation for how to use it.

 

They have a Cisco Firepower 2120 Threat Defense device (two in an HA configuration).

 

The primary components of a QRadar deployment are consoles, processors, and collectors. We have the Console and the Event Processor deployed here in Fredericton at the SOC. We deploy Event Collectors inside customer networks. For most customers (including Saint John), the Collector is in a VM - the customer manages the VM host infrastructure, and we manage the guest OS in the VM. We don't have access to the VMware host, and they don't have access to the QRadar OS.

 

The Event Collector receives logs (mostly via syslog) from inside the customer network. It communicates with the QRadar environment at the SOC over a VPN tunnel.
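As an added example (not part of the original post), this is the ASA-side configuration that the message-list approach described above corresponds to: a custom logging list that matches everything at severity 4 (warnings) and above plus the three informational message IDs, applied to the syslog destination instead of a plain severity. The list name QRADAR-SOC, the interface name inside and the collector address 192.0.2.10 are assumptions for illustration.

```text
! Added example, not the poster's configuration. Names/addresses are assumptions.
logging enable
logging timestamp
! QRadar Event Collector inside the customer network (assumed address/interface)
logging host inside 192.0.2.10

! Custom message list: severity 0-4 OR any of the three informational IDs.
! Criteria on the same list are OR'd together.
logging list QRADAR-SOC level warnings
logging list QRADAR-SOC message 106100
logging list QRADAR-SOC message 302013
logging list QRADAR-SOC message 302015

! Send the list (rather than a single severity) to the configured syslog servers
logging trap QRADAR-SOC
```

`show running-config logging` and `show logging` confirm the list and that it is bound to the trap destination. Two things to check when the expected events still do not reach the collector: 106100 is only generated for access-list entries that carry the `log` keyword (ACEs without it produce 106023 on deny and nothing on permit), and none of the three IDs may have been disabled with `no logging message <id>`. This block covers the ASA CLI only; on an FTD device the equivalent settings are pushed from FMC rather than typed on the box, which is the part the post is asking about.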
