03-21-2022 06:40 PM - edited 03-22-2022 01:11 AM
Dear sir,
I want to collect the audit log of FMC to syslog.
It is set as follows, but logs other than audit logs are being collected, as below.
And I don't want to see these logs.
Mar 22 01:25:46 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/platinum ; USER=root ; COMMAND=/etc/rc.d/init.d/syslog-ng restart
Mar 22 01:25:46 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/platinum ; USER=root ; COMMAND=/bin/chmod 0755 /etc/syslog-ng.d
The method I would like to see is the following audit log. (Monitoring -> Audit on FMC)
My Audit log to Syslog Settings is below.
Please check settings and help me.
best regards.
03-22-2022 01:50 PM
In Facility change that to: SYSLOG
In Tag change that to the DNS name of the FMC if you want or leave as is
Send Audit Log to HTTP Server we have ours set to "Disabled" if you have an HTTP server set it to that.
For the audit Log Certificate section:
Choose the check boxes that apply, Enable TLS and/or Enable Mutual authentication.
For HTTPS Certificate:
If you plan on using a cert now but haven't in the past, you will need to set that up.
03-23-2022 07:54 PM
Dear sir,
Thanks for your information, but it was the same issue.
I can see below log (FPR Syslog) on logging server.
Mar 24 02:48:41 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/admin ; USER=root ; COMMAND=/etc/rc.d/init.d/syslog-ng restart
Mar 24 02:48:41 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
But I want the FMC audit log on the logging server (not syslog).
Please help me.
thanks,
03-24-2022 02:55 AM
Hi,
Your settings look ok.
My understanding - in this case - is that Facility and Severity are helpful only for syslog filtering at the destination, not at the source. Your FMC should send all audit events like you want (including GUI menus). Try running a tcpdump on the FMC with a filter for that specific syslog, or run the capture on the syslog server itself with a filter for the FMC source IP and look into it.
Maybe you applied some filters on the syslog server and that's why you don't see all logs.
BR,
Octavian
03-24-2022 06:19 PM
Dear sir,
I checked the received syslogs on the logging server as below.
(tcpdump -i any port 514)
But I cannot see the FMC audit log.
I want the FMC audit log on the logging server (not syslog).
Please help me,
thanks
03-27-2022 02:04 PM
04-04-2022 07:49 PM
I'm sorry, I don't understand your information and you don't understand my issue.
Please check this problem again.
04-20-2022 03:04 PM
Did you ever sort out this issue?
05-11-2022 09:02 PM
Not yet...
06-29-2022 05:53 AM - edited 06-29-2022 05:55 AM
Hi,
I remember running some tests on a 6.6 FMC and I got the same results as you did.
No audit for the GUI, just some Linux syslog.
Now I'm running 7.2 and I can at least tell you that auditing works as expected.
06-29-2022 15:53:13 System4.Info x.x.x.x Jun 29 12:50:24 index.cgi: [FMC_AUDIT] fmc.local.hostname: admin@x.x.x.x, System > Monitoring > Audit, Page View
BR,
Octavian
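As an added example (not from this thread or from Cisco), here is a small Python filter that separates [FMC_AUDIT] events like the one quoted in the last post from the Linux sudo messages the earlier posts were receiving, so a collector can keep only the audit records. The field layout (host, user@source, menu path, action) is assumed from the single audit line quoted above, and the sample lines are constructed to match the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines modelled on the ones quoted in this thread:
# two Linux sudo messages from the FMC host and one FMC_AUDIT event.
SAMPLE_LINES = [
    "Mar 24 02:48:41 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/admin ; "
    "USER=root ; COMMAND=/etc/rc.d/init.d/syslog-ng restart",
    "Mar 24 02:48:41 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)",
    "Jun 29 12:50:24 index.cgi: [FMC_AUDIT] fmc.local.hostname: admin@x.x.x.x, "
    "System > Monitoring > Audit, Page View",
]

# Assumed layout: "[FMC_AUDIT] <host>: <user>@<source-ip>, <menu path>, <action>"
AUDIT_RE = re.compile(
    r"\[FMC_AUDIT\]\s+"
    r"(?P<host>\S+):\s+"
    r"(?P<user>[^@,]+)@(?P<src>[^,]+),\s+"
    r"(?P<subsystem>[^,]+),\s+"
    r"(?P<message>.+)$"
)


@dataclass
class AuditEvent:
    host: str
    user: str
    source_ip: str
    subsystem: str
    message: str


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for an [FMC_AUDIT] line, None for any other syslog line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return AuditEvent(
        host=m.group("host"),
        user=m.group("user").strip(),
        source_ip=m.group("src").strip(),
        subsystem=m.group("subsystem").strip(),
        message=m.group("message").strip(),
    )


def split_audit_from_noise(lines: List[str]) -> Tuple[List[AuditEvent], List[str]]:
    """Separate FMC audit events from the host's ordinary Linux syslog traffic."""
    audit: List[AuditEvent] = []
    noise: List[str] = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            noise.append(line)
        else:
            audit.append(ev)
    return audit, noise
```

Running the filter over the thread's own lines keeps the single GUI audit event and drops the two sudo lines, which is the split the original poster was after.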