How to check Snort events/logs in FTD/FMC?
02-01-2023 03:16 AM
Hi All
Is there a way to check the Snort events/logs on the SFR or on the FMC?
We need to rule out our Firepower module for a recent outage
Thank you in advance
02-01-2023 03:55 AM - edited 02-01-2023 04:13 AM
02-01-2023 04:02 AM
This is not a valid link; it just takes me back to my own post.
Could you give me the link again, please?
02-01-2023 04:14 AM
Sorry, typo. I corrected it.
02-01-2023 07:14 AM
If you are using FMC and have enabled the policy rules to "send connection events to FMC", then you can check the Analysis > Connection Events or Security Intelligence Events views.
Note that connection events often fill up the allocated space in the database and older events age out - often in less than a day depending on your environment.
Using an external log server can alleviate this - the link shared by @MHM Cisco World provides more detail on that. (But obviously it won't help you for anything that's past already.)
