Multiple Tagging in Syslog Configuration

chanccmtech
Level 1

Good Day all! 

I am struggling to find a proper answer as to whether FireSIGHT v5.4.1.1 can support multiple tags in a single syslog alert configuration, and I was hoping that someone here can give me a workaround if there is one.

The scenario is that my end user would like to have multiple intrusion policies, one in each of the different segments, which I am controlling using the ACP.

Scenario:

X-Access Control Policy Rule:

Segment 1 - Intrusion Policy 1 - Interface s1p1 - Tagging S1IP1

Segment 2 - Intrusion Policy 2 - Interface s1p2 - Tagging S2IP2

Segment 3 - Intrusion Policy 3 - Interface s2p1 - Tagging S3IP3

So the above is using the "X-Access Control Policy" rule with "Intrusion Policies 1-3" on 3 different interfaces to differentiate their segment zones. Each segment would want a different tag "SxIPx" when sending syslog, so that it would be easier to identify their logs respectively.

I have gone through the configuration and am unable to tie a single syslog configuration to the criteria of multiple tagging in the syslog configuration.

Am I missing something entirely? 

Really appreciate any feedback! 

Thanks!

Accepted Solution

atatistc
Cisco Employee

You can do this with correlation rules. For the example above, here are the steps.

1. Create three syslog alerts (Actions->Responses->Alerts), each one with the TAG you want, and name them appropriately, like "Syslog S1IP1", "S2IP1", etc.

2. Create three correlation rules (Policies -> Correlation -> Rule Management tab). For each rule, set the type of event to "intrusion event." Under conditions, select "ingress interface" and choose the appropriate interface.

3. Create a correlation policy with your three rules included. Add the appropriate syslog response already created to each rule. Enable the new policy.

You will now get syslog messages with the custom tag for the events matching the selected interfaces.

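A constructed model of the three-rule correlation policy from the accepted answer, added here as an example and not FMC's own code (the class names, the RFC 3164 line format and the sample events are my assumptions): each rule keys on event type plus ingress interface and carries one syslog tag, and events that satisfy no rule are returned separately, since the policy gives those no tagged message at all.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class IntrusionEvent:
    event_type: str          # event type the correlation rule keys on
    ingress_interface: str   # interface the packet entered on
    message: str

@dataclass(frozen=True)
class CorrelationRule:
    event_type: str
    ingress_interface: str
    syslog_tag: str          # tag carried by the syslog alert response

# One rule per segment, mirroring steps 2 and 3 of the accepted answer.
RULES = [
    CorrelationRule("intrusion event", "s1p1", "S1IP1"),
    CorrelationRule("intrusion event", "s1p2", "S2IP2"),
    CorrelationRule("intrusion event", "s2p1", "S3IP3"),
]

def match_rule(event, rules=RULES):
    """Return the first rule whose two conditions the event satisfies, else None."""
    for rule in rules:
        if (event.event_type == rule.event_type
                and event.ingress_interface == rule.ingress_interface):
            return rule
    return None

def format_syslog(tag, message, facility=1, severity=6):
    """RFC 3164 style line '<PRI>TAG: message', with PRI = facility * 8 + severity."""
    return f"<{facility * 8 + severity}>{tag}: {message}"

def apply_policy(events, rules=RULES):
    """Evaluate every event; return (tagged syslog lines, events no rule matched)."""
    tagged, unmatched = [], []
    for event in events:
        rule = match_rule(event, rules)
        if rule is None:
            unmatched.append(event)   # the policy would drop this silently, so surface it
        else:
            tagged.append(format_syslog(rule.syslog_tag, event.message))
    return tagged, unmatched
# Constructed sample events (not real FMC output); the last two hit no rule.
SAMPLE_EVENTS = [
    IntrusionEvent("intrusion event", "s1p1", "SID 1000001 from 10.0.1.5"),
    IntrusionEvent("intrusion event", "s2p1", "SID 1000002 from 10.0.3.9"),
    IntrusionEvent("intrusion event", "s2p2", "SID 1000003 from 10.0.4.2"),
    IntrusionEvent("connection event", "s1p1", "TCP 10.0.1.5 -> 10.0.9.1"),
]
```

An interface with no rule (s2p2 in the sample) produces no tagged line at all, so every segment that must be logged needs its own rule.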
Hi Alex, 

Thanks so much for the reply :) I shall try that out again. 

Again, it is good to know that I can reach out to you here as well. Hope all is well since the last time we met at SF training in Singapore last year ;)

CC
