05-17-2016 04:16 AM - edited 03-12-2019 06:00 AM
Hi Guys,
I have set up syslog alerting on the FireSIGHT Virtual Defense Center, but I am unable to get the inline result for the events.
Below is the sample raw event I received:
Apr 14 01:09:20 XXXX XXX : [Primary Detection Engine (a9d9147e-dd96-11e2-a935-a6cb913df812)][XXXX][1:34463:2] "APP-DETECT TeamViewer remote administration tool outbound connection attempt" [Classification: Potential Corporate Policy Violation] User: Unknown, Application: TeamViewer, Client: Internet Explorer, App Protocol: HTTPInterface Ingress: s1p2, Interface Egress: s1p1, Security Zone Ingress: External, Security Zone Egress: Internal, [Priority: 1] {TCP} x.x.x.x:51355 -> x.x.x.x:80
There we could see the Snort ID, source, destination and port, but not the inline result (whether it was dropped or not).
Is there any way to change this and include the inline result using syslog?
Thanks
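As an added example (not code from this thread or from Cisco), a small Python parser for the intrusion-event syslog line quoted above. The sample line is constructed from that event with placeholder addresses and the separator before "Interface Ingress" restored, and the parser records the inline result as absent so downstream tooling never assumes the connection was blocked.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the raw event quoted in the question: placeholder
# addresses, and the separator before "Interface Ingress" (missing in the paste) restored.
SAMPLE_EVENT = (
    'Apr 14 01:09:20 XXXX XXX : [Primary Detection Engine (a9d9147e-dd96-11e2-a935-a6cb913df812)]'
    '[XXXX][1:34463:2] "APP-DETECT TeamViewer remote administration tool outbound connection attempt" '
    '[Classification: Potential Corporate Policy Violation] User: Unknown, Application: TeamViewer, '
    'Client: Internet Explorer, App Protocol: HTTP, Interface Ingress: s1p2, Interface Egress: s1p1, '
    'Security Zone Ingress: External, Security Zone Egress: Internal, [Priority: 1] {TCP} '
    '192.0.2.10:51355 -> 198.51.100.20:80'
)

# Layout as seen in the thread: [gid:sid:rev] "message" [Classification: ...] key: value
# pairs, [Priority: n] {proto} src:sport -> dst:dport (IPv4 only; IPv6 would need more).
EVENT_RE = re.compile(
    r'^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<message>[^"]*)" '
    r'\[Classification: (?P<classification>[^\]]*)\] (?P<kv>.*?), ?'
    r'\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src>[^\s:]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+)\s*$'
)
INT_FIELDS = ('gid', 'sid', 'rev', 'priority', 'sport', 'dport')


def parse_event(line: str) -> Dict[str, object]:
    """Parse one FireSIGHT intrusion-event syslog line; ValueError if it does not fit."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError('not a FireSIGHT intrusion event: %r' % line[:60])
    ev: Dict[str, object] = m.groupdict()
    for name in INT_FIELDS:
        ev[name] = int(ev[name])
    # "User: Unknown, Application: TeamViewer, ..." -> dict (first ': ' separates key and value)
    ev['fields'] = dict(part.split(': ', 1) for part in str(ev.pop('kv')).split(', '))
    ev['snort_rule'] = '%d:%d:%d' % (ev['gid'], ev['sid'], ev['rev'])
    # The 5.4/6.0 syslog format carries no inline result (the thread's finding). Record that
    # explicitly so a SIEM never assumes "blocked"; the verdict must come from the Defense Center.
    ev['inline_result'] = None
    ev['action'] = 'unknown (not carried in syslog)'
    return ev


def parse_feed(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a mixed syslog feed, keeping intrusion events and skipping other message types."""
    return [parse_event(line) for line in lines if EVENT_RE.match(line)]
```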
05-18-2016 06:47 AM
Hi,
Yes, you are right, changing the severity and priority won't make any changes.
Check: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux57517/?reffering_site=dumpcr
Apparently in 5.4 and 6.0, as per the user guide as well, only the parameters below will be seen in syslog:
- date and time of alert generation
- event message
- event data
- generator ID of the triggering event
- Snort ID of the triggering event
- revision
Regards,
Aastha Bhardwaj
Rate if that helps!!!
05-17-2016 04:25 AM
Hi
Check this out. It should be able to help.
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html
Rate if it helps.
Yogesh
05-17-2016 10:49 PM
Hi Yog,
I checked the documentation you provided, and I have successfully retrieved the syslog from Sourcefire; the problem is that the syslog does not have the inline result / action (dropped or permitted).
Correct me if I am wrong, but I don't think changing the severity and priority will have any effect on that granularity of the syslog; that only marks the syslog sent with the selected severity and priority, and only affects how the syslog server processes it.
thanks