Logging Changes to Firepower Rules and Policies into Splunk

mkoli
Level 1

Hello Everyone

We are currently monitoring Firepower events in Splunk through the "Cisco Secure Firewall App for Splunk". Anyhow, we got the request to also monitor changes to Firepower rules and policies. Have any of you ever done this? Are these events even logged?

Thanks in advance for your advice.

3 Replies

Hello,

Yes, it's possible to monitor changes to Firepower rules and policies. Firepower Management Center (FMC) logs these events, and you can forward them to Splunk for monitoring.

To achieve this, you'll need to enable the FMC to send audit log events to your Splunk instance. Here's a high-level overview of the steps you should follow:

1. Configure Splunk to receive syslog messages from FMC. You can do this by setting up a new data input in Splunk for UDP or TCP, depending on your preference. Make a note of the port number you choose for this input.

2. In the FMC, navigate to System > Integration > External Logging. Click on the "Add External Log" button.

3. In the "Add External Log" window, configure the following settings:
- Name: Enter a name for the external log configuration.
- Syslog Server: Enter the IP address or hostname of your Splunk instance.
- Port: Enter the port number you chose in step 1.
- Protocol: Select UDP or TCP, matching your choice in step 1.
- Facility: Choose a syslog facility (e.g., Local0).
- Type: Select "Audit Log".

4. Click "Save" to create the new external log configuration. FMC will now send audit log events to your Splunk instance.

5. In Splunk, you may want to create custom searches, reports, or alerts based on the audit log data to monitor changes to Firepower rules and policies specifically.

With this setup, you'll be able to monitor changes to Firepower rules and policies in Splunk using the data forwarded from FMC.

Please let me know if you need any further assistance or clarification.

Cisco Virtual Engineer

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
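Added example for step 5 of the procedure above (not part of the original thread or of any Cisco or Splunk code): a small parser that takes FMC audit-log syslog lines and keeps only the records that amount to a rule or policy change, discarding anything that arrives on a facility other than the Local0 chosen in the FMC configuration step. The line layout (PRI, timestamp, host, tag, then user, subsystem, message and source address) is an assumption modelled on the columns of the FMC audit-log view; the subsystem names, the sample lines and the host and user names are all constructed. Confirm the exact text your FMC emits and adjust SYSLOG_RE and POLICY_SUBSYSTEMS before building a Splunk alert on the same logic.

```python
"""Filter FMC audit-log syslog lines for rule/policy changes (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ASSUMED serialization of one FMC audit record as a syslog line:
#   <PRI>Mon DD HH:MM:SS host FMC: user, subsystem, message, source_ip
# The four comma-separated fields mirror the columns of the FMC audit-log
# view; the real text may differ, so verify this pattern against live data.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): "
    r"(?P<user>[^,]+), (?P<subsystem>[^,]+), (?P<message>[^,]+), (?P<src>\S+)$"
)

# Subsystem prefixes whose create/modify/delete/deploy records count as a
# rule or policy change. ASSUMED names modelled on FMC menu paths.
POLICY_SUBSYSTEMS = ("Policies >", "Objects > Object Management", "Deploy")
CHANGE_VERBS = ("Create", "Modify", "Delete", "Deploy")

# Syslog facility numbers 16..23 are local0..local7 (RFC 3164 / RFC 5424).
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}


@dataclass(frozen=True)
class AuditEvent:
    facility: int
    severity: int
    ts: str
    host: str
    user: str
    subsystem: str
    message: str
    src: str


def parse_line(line: str) -> Optional[AuditEvent]:
    """Parse one syslog line; return None for anything that is not an audit record."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility*8 + severity; 23*8 + 7 is the maximum
        return None
    return AuditEvent(
        facility=pri // 8,
        severity=pri % 8,
        ts=m["ts"],
        host=m["host"],
        user=m["user"].strip(),
        subsystem=m["subsystem"].strip(),
        message=m["message"].strip(),
        src=m["src"],
    )


def is_policy_change(ev: AuditEvent) -> bool:
    """True when the record describes a change to a rule, policy or policy object."""
    return ev.subsystem.startswith(POLICY_SUBSYSTEMS) and ev.message.startswith(CHANGE_VERBS)


def policy_changes(lines: Iterable[str], expected_facility: int = 16) -> List[AuditEvent]:
    """Return the change events, dropping records that are not on the expected facility.

    16 is local0, the facility picked in the FMC external-log configuration.
    A record on another facility came from a different sender or a mis-set
    FMC and is not trusted as audit data here.
    """
    out: List[AuditEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.facility != expected_facility:
            continue
        if is_policy_change(ev):
            out.append(ev)
    return out


# Constructed sample input; hosts, users, addresses and object names are made up.
SAMPLE_LINES = [
    "<134>Mar 14 10:02:11 fmc01 FMC: admin, Policies > Access Control, Modify rule Allow-DMZ-Web in policy Corp-ACP, 10.0.0.5",
    "<134>Mar 14 10:05:40 fmc01 FMC: admin, Deploy, Deploy policy Corp-ACP to ftd-edge-1, 10.0.0.5",
    "<134>Mar 14 10:06:02 fmc01 FMC: jdoe, Login, Login success, 10.0.0.9",
    "<134>Mar 14 10:07:15 fmc01 FMC: jdoe, Analysis > Connections, View events, 10.0.0.9",
    "<134>Mar 14 10:08:00 fmc01 FMC: svc-api, Objects > Object Management, Create network object DB-Servers, 10.0.0.20",
    "<150>Mar 14 10:08:30 other-box FMC: root, Policies > Access Control, Delete rule Legacy-FTP, 10.0.0.99",
    "this is not a syslog line",
]

if __name__ == "__main__":
    for ev in policy_changes(SAMPLE_LINES):
        print(f"{ev.ts} {ev.user}@{ev.src} [{FACILITY_NAMES[ev.facility]}] {ev.subsystem}: {ev.message}")
```

Run as-is it reports the three change records (the access-control rule edit, the deploy, and the new network object); the login and event-view records are ignored, the local2 line from the other host is dropped by the facility check, and the malformed line does not parse. Once the real line format is confirmed, the same prefix-and-verb match on the extracted subsystem and message fields is what a Splunk search or alert for this data would implement.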

lciccare
Cisco Employee

Hi @mkoli .

If I understood your request correctly, what you are looking for is a feature called "Change reconciliation" in FMC.

You can read more about it in the configuration guide: Firepower Management Center Configuration Guide - Change Reconciliation.

The idea is that you can monitor changes to your rules or configuration and configure the system to send an email containing a detailed report of the changes.

Marvin Rhoads
Hall of Fame

The methods mentioned earlier send only a summary of config changes (via syslog or via email).

The ability to send detailed syslog messages regarding configuration changes is a feature currently under development. We hope to see it in FMC version 7.4 later this year.
