Showing results for 
Search instead for 
Did you mean: 

Logging Changes to Firepower Rules and Policies into Splunk


Hello Everyone

We are currently monitoring Firepower events in Splunk through the "Cisco Secure Firewall App for Splunk". Anyhow, we got the request to also monitor changes to Firepower rules and policies. Has anyone of you ever done this? Are these events even logged?

Thanks in advance for your advice.

3 Replies 3


Yes, it's possible to monitor changes to Firepower rules and policies. Firepower Management Center (FMC) logs these events, and you can forward them to Splunk for monitoring.

To achieve this, you'll need to enable the FMC to send audit log events to your Splunk instance. Here's a high-level overview of the steps you should follow:

1. Configure Splunk to receive syslog messages from FMC. You can do this by setting up a new data input in Splunk for UDP or TCP, depending on your preference. Make a note of the port number you choose for this input.

2. In the FMC, navigate to System ) Integration ) External Logging. Click on the "Add External Log" button.

3. In the "Add External Log" window, configure the following settings:
- Name: Enter a name for the external log configuration.
- Syslog Server: Enter the IP address or hostname of your Splunk instance.
- Port: Enter the port number you chose in step 1.
- Protocol: Select UDP or TCP, matching your choice in step 1.
- Facility: Choose a syslog facility (e.g., Local0).
- Type: Select "Audit Log".

4. Click "Save" to create the new external log configuration. FMC will now send audit log events to your Splunk instance.

5. In Splunk, you may want to create custom searches, reports, or alerts based on the audit log data to monitor changes to Firepower rules and policies specifically.

With this setup, you'll be able to monitor changes to Firepower rules and policies in Splunk using the data forwarded from FMC.

Please let me know if you need any further assistance or clarification.

Cisco Virtual Engineer

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.