How to FMC Audit log to Syslog Server ?

simplewildstyle
Level 1

Dear sir,

I want to collect the audit log of the FMC to syslog.

It is set as follows, but logs other than audit logs are being collected, as below.

And I don't want to see these logs.

Mar 22 01:25:46 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/platinum ; USER=root ; COMMAND=/etc/rc.d/init.d/syslog-ng restart
Mar 22 01:25:46 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/platinum ; USER=root ; COMMAND=/bin/chmod 0755 /etc/syslog-ng.d

The method I would like to see is the following audit log. (Monitoring -> Audit on FMC)

[attached image: 123.JPG]

My Audit Log to Syslog settings are below.

[attached image: audit log to syslog.JPG]

Please check the settings and help me.

Best regards.

9 Replies

Eric R. Jones
Level 4

In Facility, change that to: SYSLOG

In Tag, change that to the DNS name of the FMC if you want, or leave it as is.

Send Audit Log to HTTP Server: we have ours set to "Disabled"; if you have an HTTP server, set it to that.

For the Audit Log Certificate section:

Choose the check boxes that apply: Enable TLS and/or Enable Mutual Authentication.

For HTTPS Certificate:

If you plan on using a cert now but haven't in the past, you will need to set that up.


Dear sir,

Thanks for your information, but it was the same issue.

I can see the below log (FPR syslog) on the logging server.

Mar 24 02:48:41 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/admin ; USER=root ; COMMAND=/etc/rc.d/init.d/syslog-ng restart
Mar 24 02:48:41 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)

But I want the FMC audit log on the logging server (not syslog).

Please help me.

Thanks,


Hi,

Your settings look ok.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/system_configuration.html#ID-2258-00000149

My understanding - in this case - is that Facility and Severity are helpful only for syslog filtering at the destination, not at the source. Your FMC should send all audit events like you want it to (including GUI menus). Try running a tcpdump on the FMC with a filter for that specific syslog, or run the capture on the syslog server itself with a filter for the FMC source IP and look into it.
Maybe you applied some filters on syslog and that's why you don't see all logs.

BR,
Octavian

Dear sir,

I checked the received syslogs on the logging server as below.

(tcpdump -i any port 514)

But I cannot see the FMC audit log.

I want the FMC audit log on the logging server (not syslog).

[attached image: sysloging.JPG]

Please help me,

Thanks

This link is pulled from within my FMC.

log_from_fmc_61plus.html?highlight=stream%20aud> Stream Audit Logs to Syslog
(srf.local)

You lost me when you said:

"But, cannot see FMC audit log.

I want to FMC audit log on logging server. (not syslog)"

Are you trying to separate audit log data from syslog server collection into a different location?

Are you talking about event logs and system log data?

We have configured ours to send all logs to an NFS location and to a SIEM setup load balanced by A10 servers.


I'm sorry, I don't understand your information and you don't understand my issue.

Please check this problem again.

Eric R. Jones
Level 4

Did you ever sort out this issue?

Not yet...

Hi,

I remember running some tests on a 6.6 FMC and I got the same results as you did.

No audit for the GUI, just some Linux syslog.
Now I'm running 7.2 and I can at least tell you that auditing works as expected.

06-29-2022 15:53:13 System4.Info x.x.x.x Jun 29 12:50:24 index.cgi: [FMC_AUDIT] fmc.local.hostname: admin@x.x.x.x, System > Monitoring > Audit, Page View

BR,
Octavian
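Added example, not from this thread or from Cisco: a small Python parser that separates [FMC_AUDIT] lines of the shape Octavian posted from the platform sudo/pam lines the original poster kept receiving, so the filtering happens at the collector, where Octavian notes Facility and Severity are actually useful. The sample lines are constructed from the formats quoted above; the "Add User" record is an assumed extra line in the same format.

```python
import re
from typing import Optional

# Constructed sample collector output in the two shapes seen in this thread:
# the platform "sudo"/"pam" noise the original poster received, and the
# [FMC_AUDIT] line Octavian saw from a 7.2 FMC (collector timestamp prefix
# included). The last line is an assumed additional record in the same format.
SAMPLE_LINES = [
    "Mar 24 02:48:41 firepower sudo: www : TTY=unknown ; PWD=/usr/local/sf/htdocs/admin ; "
    "USER=root ; COMMAND=/etc/rc.d/init.d/syslog-ng restart",
    "Mar 24 02:48:41 firepower sudo: pam_unix(sudo:session): session opened for user root by (uid=0)",
    "06-29-2022 15:53:13 System4.Info x.x.x.x Jun 29 12:50:24 index.cgi: [FMC_AUDIT] "
    "fmc.local.hostname: admin@x.x.x.x, System > Monitoring > Audit, Page View",
    "06-29-2022 15:54:02 System4.Info x.x.x.x Jun 29 12:51:13 index.cgi: [FMC_AUDIT] "
    "fmc.local.hostname: admin@x.x.x.x, System > Users > Users, Add User",
]

# Layout of the audit message body: "[FMC_AUDIT] <fmc host>: <user>@<src ip>, <menu path>, <action>"
AUDIT_RE = re.compile(
    r"\[FMC_AUDIT\]\s+(?P<fmc>\S+):\s+(?P<user>[^@\s]+)@(?P<src>[^,\s]+),\s+(?P<rest>.+)$"
)


def parse_fmc_audit(line: str) -> Optional[dict]:
    """Return the fields of an [FMC_AUDIT] line, or None for any other syslog line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    # Menu path and action are comma separated; the action is the last field,
    # so split on the last ", " in case the path itself ever contains a comma.
    page, _, action = m.group("rest").rpartition(", ")
    return {
        "fmc": m.group("fmc"),
        "user": m.group("user"),
        "src": m.group("src"),
        "page": page,
        "action": action,
    }


def split_audit_from_noise(lines):
    """Partition collector output into parsed audit records and everything else."""
    audit, other = [], []
    for line in lines:
        rec = parse_fmc_audit(line)
        if rec:
            audit.append(rec)
        else:
            other.append(line)
    return audit, other
```

Feeding the collector's raw lines through `split_audit_from_noise` gives the GUI audit trail on one side and the platform sudo chatter on the other, which is the separation the original poster was trying to get from the FMC itself.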
