How to check Snort events/logs in FTD/FMC?

PacketSpartan · ‎02-01-2023

Hi All

Is there a way to check the Snort events/logs on the SFR or on the FMC?

We need to rule out our Firepower module for a recent outage

Thank you in advance

CCNA R&S

MHM Cisco World · ‎02-01-2023

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/200328-Configure-Logging-in-Firepower-Module-fo.html

PacketSpartan · ‎02-01-2023

This is not a valid link, it just takes me back to my own post

Could you give me the link again please

CCNA R&S

MHM Cisco World · ‎02-01-2023

sorry typo, I correct it

Marvin Rhoads · ‎02-01-2023

If you are using FMC and have enabled the policy rules to "send connection events to FMC", then you can check the Analysis > Connection Events or Security Intelligence Events views.

Note that connection events often fill up the allocated space in the database and older events age out - often in less than a day depending on your environment.

Using an external log server can alleviate this - the link shared by @MHM Cisco World provides more detail on that. (But obviously it won't help you for anything that's past already.)