2869 Views · 0 Helpful · 4 Replies

Push Firepower logs to syslog-ng

AlexPi (Level 1)

Hello All,


I am trying to get a general repository of logs from our security appliances to a syslog-ng server. I have managed to do so successfully for all our ASA firewalls, but I cannot get logs from our Firepower appliances to populate to syslog-ng.  

I have setup both Access Control and Intrusion to forward syslog messages to our syslog-ng server, as per: Configure a FireSIGHT System to Send Alerts to an External Syslog Server 


I then went to our syslog-ng server and modified the syslog-ng.conf file to accept messages from one of the devices that is managed through our Firepower Management Center (FMC). So the syslog-ng.conf file looks like this:

#Sources
source s_net_UDP_514 { udp(port(514)); };

#Destinations
destination d_Device01 { file ("/apps/syslog/logs/cisco/firepower/Device01/$HOST/$YEAR-$MONTH-$DAY-Device01.log" create_dirs(yes)); };

#Filters

filter f_Device01 { (netmask(192.168.0.10/32)); };

#Logs
log { source(s_net_UDP_514); filter(f_Device01); destination(d_Device01); };


The above config basically pulls all logs from the device with IP 192.168.0.10 on UDP port 514 and puts them in the destination folder. This specific config works with no issues for all our ASAs (24 of them...), but it seems to do nothing with Firepower. Note that I also tried this by adding the IP of the FMC itself, but again nothing seemed to be pushed to the syslog-ng server.


Any help would be greatly appreciated.


Thanks! 


------------------------------------------------------------------
If this was helpful, please vote as helpful by clicking on the star icon below.
-------------------------------------
4 Replies

balaji.bandi (Hall of Fame)

What is the syslog-ng IP address and what is the FMC IP address? Are they able to reach each other?


On the syslog-ng server, run tcpdump and see if you have any traffic coming from the FMC IP address.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
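The two questions the thread circles around are whether any datagram reaches the syslog-ng host at all (the tcpdump step above) and, once it does, which sender address the netmask() filter in the original syslog-ng.conf is matched against. The following is an added example, not code from the thread, from Cisco or from the syslog-ng project: it models the netmask() filter as syslog-ng applies it (the filter matches the source IP of the UDP datagram, so a log relayed by the FMC carries the FMC's address, not the managed device's) and does a localhost UDP round trip to show the "is anything arriving" check without tcpdump. The filter for 192.168.0.10 is the thread's own; the 192.168.0.20 FMC address, the ftd01 hostname, the sample log line and the sample date are constructed for the example.

```python
"""Added example (not from the thread): route syslog datagrams by sender IP the
way syslog-ng's netmask() filter does, and verify a UDP listener receives data.
The 192.168.0.10 rule mirrors the thread's config; all other values are constructed."""
import ipaddress
import re
import socket
from datetime import date

# (netmask, destination template) pairs, matched in order against the SENDER IP.
ROUTES = [
    # Thread's own f_Device01 / d_Device01 pair.
    ("192.168.0.10/32",
     "/apps/syslog/logs/cisco/firepower/Device01/$HOST/$YEAR-$MONTH-$DAY-Device01.log"),
    # Constructed: an assumed FMC address, to show relayed logs land elsewhere.
    ("192.168.0.20/32",
     "/apps/syslog/logs/cisco/firepower/FMC/$HOST/$YEAR-$MONTH-$DAY-FMC.log"),
]

# RFC 3164-style line as ASA/FTD emit it: <PRI>Mon dd hh:mm:ss HOST MSG
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

# Constructed sample input (hostname and date are not from the thread).
SAMPLE_LINE = "<166>Mar 14 10:15:01 ftd01 %ASA-6-302013: Built inbound TCP connection"
SAMPLE_DAY = date(2024, 3, 14)


def parse_syslog(line):
    """Split PRI into facility/severity and pull out timestamp, host and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}


def expand_macros(template, host, day):
    """Expand the $HOST/$YEAR/$MONTH/$DAY macros used in the thread's destination."""
    return (template.replace("$HOST", host)
            .replace("$YEAR", f"{day.year:04d}")
            .replace("$MONTH", f"{day.month:02d}")
            .replace("$DAY", f"{day.day:02d}"))


def route(sender_ip, line, day=None):
    """Return the destination file for a datagram, or None when no filter matches.
    A None here is what 'nothing shows up in the folder' looks like: syslog-ng
    accepted the packet on udp/514 but no log{} statement claimed it."""
    parsed = parse_syslog(line)
    if parsed is None:
        return None
    addr = ipaddress.ip_address(sender_ip)
    for net, template in ROUTES:
        if addr in ipaddress.ip_network(net):
            return expand_macros(template, parsed["host"], day or date.today())
    return None


def loopback_check(payload, timeout=2.0):
    """Bind a UDP listener on localhost, send payload to it, return (sender_ip, text).
    Stands in for 'tcpdump on the server': proves the listener side receives datagrams."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # ephemeral port; 514 needs root
        rx.settimeout(timeout)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(payload, rx.getsockname())
        data, (ip, _port) = rx.recvfrom(8192)
    return ip, data.decode()


if __name__ == "__main__":
    print(route("192.168.0.10", SAMPLE_LINE, SAMPLE_DAY))  # device sends directly
    print(route("192.168.0.20", SAMPLE_LINE, SAMPLE_DAY))  # same log relayed by the FMC
    print(route("192.168.0.99", SAMPLE_LINE, SAMPLE_DAY))  # None: unknown sender, dropped
    print(loopback_check(SAMPLE_LINE.encode()))
```

Running it shows the point behind the "device IP or FMC IP?" question: the same log text is filed under different paths, or dropped, purely according to the IP the datagram came from, so the netmask() filter has to name whichever host actually puts the packet on the wire.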

AlexPi (Level 1)

Hello Balaji,


I can ping the FMC server from the syslog-ng server and vice versa. Both servers are in the same VLAN, and so are the Firepower devices managed through the FMC server.


With tcpdump I can see the pings from the FMC server, but I cannot see any other packets coming in from either the FMC server or the Firepower device that I have currently configured in syslog-ng.conf.


Generally speaking, which IP(s) should I have in my syslog-ng.conf: the devices managed by the FMC, or the FMC IP?


Thanks!


On the syslog server you should not have any IP address at all.

Just configure the server to listen on port 514 on the interface, so all the devices can point to the syslog server IP; then you should see the logs stored by the syslog server (where it was configured).


Looks like it was not leaving the FMC or FTD. Check whether any rules or ACLs are stopping it there?

BB


I double checked, and there are no rules between those devices, as expected, being in the same VLAN...


Thanks.
