10-22-2018 03:04 AM - edited 03-12-2019 07:02 AM
Hello,
We are using the IPS module on the Cisco ASA 5525-X Firewalls and we’re running version 6.2.0.6.
We would like to forward detailed logs to a Syslog server.
We followed these procedures:
We are indeed receiving logs in our Syslog server. However, we are only receiving Block and Allow events. We are not receiving the detailed IPS events (i.e., the reason behind a block). Here is an example:
Oct 21 13:00:00 somename SFIMS: Protocol: TCP, SrcIP: x.x.x.x, OriginalClientIP: ::, DstIP: y.y.y.y, SrcPort: 28971, DstPort: 443, TCPFlags: 0x0, IngressInterface: internet, EgressInterface: dmz, DE: Primary Detection Engine (9c902a8c), Policy: YY-Firewalls, ConnectType: End, AccessControlRuleName: XX-rule, AccessControlRuleAction: Block, AccessControlRuleReason: Intrusion Block, Prefilter Policy: Unknown, UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, IPSCount: 1, InitiatorPackets: 6, ResponderPackets: 5, InitiatorBytes: 661, ResponderBytes: 5511, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
As you can see, the log line indicates a block but we don't see the reason.
In the FireSight Management console, we can see the reason behind a block, but we would like to see it in our Syslog server.
1- Can the FirePower module forward IPS events to a Syslog server, or only Connection Events?
2- If yes, what else should we do?
Thank you.
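As an added example (not code from the thread or from Cisco), here is a small Python parser for the SFIMS connection-event format shown above. It flags blocked connections whose AccessControlRuleReason is "Intrusion Block", which is exactly the case where the syslog line carries no intrusion detail and the event must be correlated with the intrusion events delivered by an eStreamer client. The sample lines, hostnames and addresses are constructed.

```python
import re

# Constructed sample lines modelled on the SFIMS connection event quoted in the post
# (documentation-range addresses, not real hosts).
SAMPLE_LOGS = [
    "Oct 21 13:00:00 fw1 SFIMS: Protocol: TCP, SrcIP: 192.0.2.10, OriginalClientIP: ::, "
    "DstIP: 198.51.100.5, SrcPort: 28971, DstPort: 443, AccessControlRuleName: XX-rule, "
    "AccessControlRuleAction: Block, AccessControlRuleReason: Intrusion Block, "
    "ApplicationProtocol: HTTPS, IPSCount: 1, NAPPolicy: Balanced Security and Connectivity",
    "Oct 21 13:00:05 fw1 SFIMS: Protocol: TCP, SrcIP: 192.0.2.11, OriginalClientIP: ::, "
    "DstIP: 198.51.100.6, SrcPort: 40112, DstPort: 80, AccessControlRuleName: XX-rule, "
    "AccessControlRuleAction: Allow, AccessControlRuleReason: Unknown, "
    "ApplicationProtocol: HTTP, IPSCount: 0, NAPPolicy: Balanced Security and Connectivity",
]

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) SFIMS: (?P<body>.*)$")


def parse_sfims(line):
    """Parse one SFIMS connection event into a dict; return None for non-SFIMS lines."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {"_ts": m.group("ts"), "_host": m.group("host")}
    # The body is "Key: Value, Key: Value". Split each pair on the FIRST ': ' only,
    # so values such as 'OriginalClientIP: ::' or 'DE: Primary Detection Engine (...)'
    # are kept intact.
    for pair in m.group("body").split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key] = value
    return fields


def needs_ips_detail(event):
    """True when the connection was blocked by IPS but the syslog line itself carries
    no intrusion detail (rule, SID, message), i.e. the gap described in the post."""
    return (event.get("AccessControlRuleReason") == "Intrusion Block"
            and int(event.get("IPSCount", "0")) > 0)


def find_intrusion_blocks(lines):
    """Return (SrcIP, DstIP, DstPort) tuples to correlate with FMC/eStreamer intrusion events."""
    hits = []
    for line in lines:
        ev = parse_sfims(line)
        if ev and needs_ips_detail(ev):
            hits.append((ev["SrcIP"], ev["DstIP"], int(ev["DstPort"])))
    return hits


if __name__ == "__main__":
    for src, dst, dport in find_intrusion_blocks(SAMPLE_LOGS):
        print(f"intrusion block without detail: {src} -> {dst}:{dport}")
```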
10-22-2018 05:11 AM
As you observed, IPS events via syslog only show a subset of the entire data set.
To get all the metadata you need to use an application like Splunk that connects as an eStreamer client to feed the event data.
10-22-2018 05:55 AM
Thank you for your quick reply Marvin.
The thing that confuses me is that AlienVault has a plugin to parse all kind of FirePower events. So you would expect that there should be a way to get these events to AlienVault.
Do you know if it is possible to do that without using additional applications?
10-22-2018 06:55 AM
Not as far as I know.
Cisco encourages customers to press their SIEM vendor to support eStreamer, as it is considered architecturally capable of handling the potential volume of events coming from an FMC in a reliable and secure manner.
10-24-2018 12:58 AM
Thanks again for your reply.
Do you know if using SNMP could work?
In this image, taken from the official guide, it says that Syslog sends Connection Events only, while SNMP doesn't say that. Could that be the reason/solution?