Forwarding IPS events via Syslog

Nethariel
Level 1

Hello,

We are using the IPS module on the Cisco ASA 5525-X Firewalls and we’re running version 6.2.0.6.

We would like to forward detailed logs to a Syslog server.

We followed these procedures:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200328-Configure-Logging-in-Firepower-Module-fo.html

We are indeed receiving logs in our Syslog server. However, we are only receiving Block and Allow events. We are not receiving the detailed IPS events (i.e. the reason behind a block). Here is an example:

Oct 21 13:00:00 somename SFIMS: Protocol: TCP, SrcIP: x.x.x.x, OriginalClientIP: ::, DstIP: y.y.y.y, SrcPort: 28971,
DstPort: 443, TCPFlags: 0x0, IngressInterface: internet, EgressInterface: dmz, DE: Primary Detection Engine
(9c902a8c), Policy: YY-Firewalls, ConnectType: End, AccessControlRuleName: XX-rule,
AccessControlRuleAction: Block, AccessControlRuleReason: Intrusion Block, Prefilter Policy: Unknown, UserName: No Authentication Required,
Client: SSL client, ApplicationProtocol: HTTPS, IPSCount: 1, InitiatorPackets: 6, ResponderPackets: 5, InitiatorBytes: 661, ResponderBytes:
5511, NAPPolicy: Balanced Security and Connectivity, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk
unknown

As you can see, the log line indicates a block but we don't see the reason.

In the FireSight Management console, we can see the reason behind a block, but we would like to see it in our Syslog server.

1- Can the FirePower module forward IPS events to a Syslog server, or only Connection Events?

2- If yes, what else should we do?

Thank you.
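The SFIMS connection-event line quoted above can be parsed to pull out the fields it does carry. The following is an added example, not code from the original post or from Cisco: a small Python parser (the names parse_sfims and intrusion_blocks are my own) run over constructed sample lines in that format, which filters the connections blocked for an intrusion reason and shows that such a record holds only IPSCount and AccessControlRuleReason, not the signature that fired.

```python
import re
from typing import Dict, List

# Constructed sample lines in the SFIMS connection-event format quoted in the post.
# Addresses and names are placeholders, not real hosts.
SAMPLE_LINES = [
    "Oct 21 13:00:00 somename SFIMS: Protocol: TCP, SrcIP: 198.51.100.10, OriginalClientIP: ::, "
    "DstIP: 192.0.2.20, SrcPort: 28971, DstPort: 443, TCPFlags: 0x0, IngressInterface: internet, "
    "EgressInterface: dmz, DE: Primary Detection Engine (9c902a8c), Policy: YY-Firewalls, "
    "ConnectType: End, AccessControlRuleName: XX-rule, AccessControlRuleAction: Block, "
    "AccessControlRuleReason: Intrusion Block, Prefilter Policy: Unknown, "
    "UserName: No Authentication Required, Client: SSL client, ApplicationProtocol: HTTPS, "
    "IPSCount: 1, InitiatorPackets: 6, ResponderPackets: 5, InitiatorBytes: 661, "
    "ResponderBytes: 5511, NAPPolicy: Balanced Security and Connectivity, "
    "DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown",
    "Oct 21 13:00:05 somename SFIMS: Protocol: TCP, SrcIP: 198.51.100.11, DstIP: 192.0.2.20, "
    "SrcPort: 40001, DstPort: 443, AccessControlRuleName: XX-rule, AccessControlRuleAction: Allow, "
    "AccessControlRuleReason: N/A, IPSCount: 0",
]

# A field is "Key: value" where the value runs until the next ", Key: " or the end of the
# line, so values containing spaces, parentheses or colons (e.g. "::") stay intact.
_FIELD_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?): (.*?)(?=, [A-Za-z][A-Za-z0-9 ]*?: |$)")


def parse_sfims(line: str) -> Dict[str, str]:
    """Return the key/value fields of one SFIMS connection-event syslog line."""
    _, _, body = line.partition("SFIMS: ")
    if not body:
        raise ValueError("not an SFIMS connection-event line")
    return {key.strip(): value.strip() for key, value in _FIELD_RE.findall(body)}


def intrusion_blocks(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only connections the access-control policy blocked because IPS fired.

    The record says *that* an intrusion event caused the block (IPSCount > 0,
    AccessControlRuleReason == "Intrusion Block") but carries no field naming the
    signature; that detail lives in the intrusion event, which this syslog feed does not send.
    """
    hits = []
    for line in lines:
        record = parse_sfims(line)
        if (record.get("AccessControlRuleAction") == "Block"
                and record.get("AccessControlRuleReason") == "Intrusion Block"):
            hits.append(record)
    return hits
```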

4 Replies

Marvin Rhoads
Hall of Fame

As you observed, IPS events via syslog only show a subset of the entire data set.

To get all the metadata you need to use an application like Splunk that connects as an eStreamer client to feed the event data.

Thank you for your quick reply Marvin.

The thing that confuses me is that AlienVault has a plugin to parse all kinds of FirePower events. So you would expect that there should be a way to get these events to AlienVault.

Do you know if it is possible to do that without using additional applications?

Not as far as I know.

Cisco encourages customers to press their SIEM vendor to support eStreamer, as it is considered architecturally capable of handling the potential volume of events coming from an FMC in a reliable and secure manner.

Thanks again for your reply.

Do you know if using SNMP could work?

In this image, taken from the official guide, it says that Syslog sends Connection Events only, while SNMP doesn't say that. Could that be the reason/solution?
