how to change intrusion event syslog port from 514 to 1515

jameslee43329
Level 1

Hi, Everyone:

After doing some troubleshooting and data capture, I found out that the intrusion event syslog for message ID 430001 is being sent to destination port UDP 514, while I could see the other message IDs (430002 and 430003) being sent to UDP port 1515. Since the external syslog server is using UDP port 1515, is there a way to change the syslog for message ID 430001 from destination port 514 to 1515?

Thanks for any suggestion


James


What is the level that appears in 430002, 430003 and 430001?
I think the level is the issue here, not the log message ID.

Hello, MHM:

They are all level 6, starting with %FTD-6-43000x, and as I remember you can change what level of syslog you want, but that will not change the syslog destination port.

Regards,

James

Configure Syslog Alerting for Intrusion Events

You must configure syslog alerting for intrusion events.

To do so, follow Cisco's documentation at: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Configuring_External_Alerting_for_Intrusion_Rules.html#ID-2212-000001bf

This configuration shows the event ids 430001, 430002, and 430003 in your syslog settings, and sends them to InsightIDR for parsing.

Thanks MHM:

I don't see that there is any requirement to set up MID 430002 and 430003, only 430001. There is no specific explanation of what facility should be used; will local4 or syslog use a different destination port?

Changed snort2 for the IDS policy in the advanced settings and changed the facility; no help!

regards,

James

balaji.bandi
Hall of Fame

So you have the syslog server setup done using port 1515.

Your syslog server is able to receive the messages with message IDs 430002 and 430003, but not 430001? Please confirm this.

And give more details: what is the device model, what FTD version is running, and is this managed by FMC?

Can you post a screenshot of the syslog server config?

BB


Gustavo Medina
Cisco Employee
(Accepted Solution)

I just tested this and it works fine:
[Screenshot 2023-04-11 at 19.57.44.png] [Screenshot 2023-04-11 at 19.59.04.png]

The port will be reflected on /var/sf/detection_engines/xxxxxx/ids_alert.conf

[Screenshot 2023-04-11 at 20.00.10.png]
Just make sure you are running a version with the fix for https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt13301

jameslee43329
Level 1
Level 1

Hi, Gustavo and MHM:

After removing the IP address in the logging hosts in snort2, that fixed the issue. I think there was too much influence from the snort2 documentation, and I could see the pain from snort2 to snort3; the platform setting is the better choice. Thanks for the help.
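An added verification check for the kind of data capture James describes (my own code, not from any poster or from Cisco): it parses constructed tcpdump-style summary lines carrying FTD syslog message IDs and reports which of the three intrusion-event IDs are not arriving on the expected collector port. The summary-line format, addresses and payloads are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not a real capture) in the shape of a tcpdump
# summary of UDP syslog traffic: "<src>.<sport> > <dst>.<dport>: <payload>".
# They reproduce the situation in the thread: 430001 still goes to 514 while
# 430002/430003 already go to the external collector on 1515.
SAMPLE_CAPTURE = """\
10.0.0.5.40123 > 10.0.0.9.514: %FTD-6-430001: EventPriority: Low
10.0.0.5.40124 > 10.0.0.9.1515: %FTD-6-430002: EventPriority: Low
10.0.0.5.40125 > 10.0.0.9.1515: %FTD-6-430003: EventPriority: Low
10.0.0.5.40126 > 10.0.0.9.514: %FTD-6-430001: EventPriority: Low
"""

# Destination address/port followed by the FTD syslog header "%FTD-<sev>-<msgid>:".
LINE_RE = re.compile(
    r"> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<port>\d+): "
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}):"
)

INTRUSION_EVENT_IDS = ("430001", "430002", "430003")


def ports_by_message_id(capture_text):
    """Map each FTD message ID to the set of destination UDP ports it was seen on."""
    seen = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[m.group("msgid")].add(int(m.group("port")))
    return dict(seen)


def ids_not_on_port(capture_text, expected_port, ids=INTRUSION_EVENT_IDS):
    """Return the message IDs that are missing from the capture or are seen on
    any port other than expected_port (both mean the collector is not getting them)."""
    seen = ports_by_message_id(capture_text)
    return sorted(i for i in ids if seen.get(i, set()) != {expected_port})


if __name__ == "__main__":
    for msgid, ports in sorted(ports_by_message_id(SAMPLE_CAPTURE).items()):
        print(msgid, sorted(ports))
    print("not on 1515:", ids_not_on_port(SAMPLE_CAPTURE, 1515))
```

Run it against your own capture summary after applying the fix; an empty list means all three intrusion-event IDs now reach the collector port.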
