[Question] Sourcefire/Firesight Syslog to include inline result

filterfilter (Level 1)

Hi Guys,

I have setup a syslog alerting on Firesight Virtual Defense Center but i am unable to get the inline result for the events.

Below is the sample raw event i received

Apr 14 01:09:20 XXXX XXX : [Primary Detection Engine (a9d9147e-dd96-11e2-a935-a6cb913df812)][XXXX][1:34463:2] "APP-DETECT TeamViewer remote administration tool outbound connection attempt" [Classification: Potential Corporate Policy Violation] User: Unknown, Application: TeamViewer, Client: Internet Explorer, App Protocol: HTTP, Interface Ingress: s1p2, Interface Egress: s1p1, Security Zone Ingress: External, Security Zone Egress: Internal, [Priority: 1] {TCP} x.x.x.x:51355 -> x.x.x.x:80

 

There we can see the Snort ID, source, destination and port, but not the inline result (whether it was dropped or not).

Is there any way to change this and include the inline result in the syslog?

Thanks
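The raw event above is the Firesight 5.x intrusion-alert syslog format. The following is an added example (not code from the original post or from Cisco) that parses such a line into its fields and shows that nothing in it states the inline result, so a SIEM must record the disposition as unknown rather than assuming the packet was permitted. The sample line is constructed from the poster's redacted event: the host "dc01", syslog tag "SFIMS", policy name "Default" and the RFC 5737 addresses are placeholders, and the field names checked for an action in ACTION_KEYS are assumptions.

```python
"""Parse a Firesight/Sourcefire 5.x intrusion-event syslog line.

Added example: not code from the original post or from Cisco.  SAMPLE is
constructed from the poster's redacted event; host ("dc01"), syslog tag
("SFIMS"), policy name ("Default") and the RFC 5737 addresses are placeholders.
"""
import re
from typing import Dict, Optional

SAMPLE = (
    "Apr 14 01:09:20 dc01 SFIMS : [Primary Detection Engine "
    "(a9d9147e-dd96-11e2-a935-a6cb913df812)][Default][1:34463:2] "
    '"APP-DETECT TeamViewer remote administration tool outbound connection attempt" '
    "[Classification: Potential Corporate Policy Violation] User: Unknown, "
    "Application: TeamViewer, Client: Internet Explorer, App Protocol: HTTP, "
    "Interface Ingress: s1p2, Interface Egress: s1p1, Security Zone Ingress: External, "
    "Security Zone Egress: Internal, [Priority: 1] {TCP} 192.0.2.15:51355 -> 198.51.100.7:80"
)

# Layout of the alert after the syslog header:
#   [engine][policy][gid:sid:rev] "message" [Classification: ...]
#   Key: Value, Key: Value, ... [Priority: N] {PROTO} src:sport -> dst:dport
EVENT_RE = re.compile(
    r"""
    ^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+
    (?P<host>\S+)\s+(?P<tag>\S+)\s*:\s*
    \[(?P<engine>[^\]]*)\]\s*\[(?P<policy>[^\]]*)\]\s*
    \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*
    "(?P<message>[^"]*)"\s*
    (?:\[Classification:\s*(?P<classification>[^\]]*)\]\s*)?
    (?P<fields>.*?)\s*
    (?:\[Priority:\s*(?P<priority>\d+)\]\s*)?
    \{(?P<proto>[^}]+)\}\s*
    (?P<src>\S+):(?P<sport>\d+)\s*->\s*(?P<dst>\S+):(?P<dport>\d+)\s*$
    """,
    re.VERBOSE,
)

# Names under which an inline result could appear as a "Key: Value" pair.
# "Inline Result" is the column name in the Defense Center event view; the
# other spellings are assumptions.  None of them occurs in the 5.4/6.0 syslog
# alert, which is the point: the parser must not guess.
ACTION_KEYS = ("Inline Result", "InlineResult", "Action")


def _parse_kv(text: str) -> Dict[str, str]:
    """Split 'User: Unknown, Application: TeamViewer, ...' into a dict."""
    out: Dict[str, str] = {}
    for item in text.split(","):
        key, sep, value = item.partition(":")
        if sep and key.strip():
            out[key.strip()] = value.strip()
    return out


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Return the event's fields, or None if the line is not in this format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = dict(m.groupdict())
    for key in ("gid", "sid", "rev", "sport", "dport"):
        ev[key] = int(m.group(key))
    ev["priority"] = int(m.group("priority")) if m.group("priority") else None
    ev["fields"] = _parse_kv(m.group("fields"))
    return ev


def disposition(ev: Dict[str, object]) -> str:
    """What the sensor did with the packet, if the syslog says so.

    Returns the value of an action field when one is present, otherwise
    "unknown".  Defaulting to "alerted" here would silently mark dropped
    traffic as permitted in the SIEM.
    """
    fields = ev["fields"]
    assert isinstance(fields, dict)
    for key in ACTION_KEYS:
        if key in fields:
            return fields[key].lower()
    return "unknown"


def summarize(ev: Dict[str, object]) -> str:
    """One normalised line for a SIEM, with the disposition stated explicitly."""
    f = ev["fields"]
    assert isinstance(f, dict)
    return (
        f"{ev['gid']}:{ev['sid']}:{ev['rev']} {ev['proto']} "
        f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']} "
        f"zone {f.get('Security Zone Ingress', '?')}->{f.get('Security Zone Egress', '?')} "
        f"priority={ev['priority']} disposition={disposition(ev)}"
    )


if __name__ == "__main__":
    event = parse_event(SAMPLE)
    assert event is not None
    print(summarize(event))
```

Run against the sample, the summary line ends in disposition=unknown, which is the honest answer for a 5.4/6.0 syslog alert. If the SIEM has to know whether the packet was dropped, that information has to come from another channel: the eStreamer intrusion event records carry a blocked flag, and the Defense Center's own event view shows the Inline Result column.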

Accepted Solution

Hi,

Yes, you are right: changing the severity and priority won't make any changes.

Check: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux57517/?reffering_site=dumpcr

Apparently in 5.4 and 6.0, as per the user guide as well, only the below parameters will be seen in syslog:

-date and time of alert generation

-event message

-event data

-generator ID of the triggering event

-Snort ID of the triggering event

-revision

Regards,

Aastha Bhardwaj

Rate if that helps!!!


3 Replies

yogdhanu (Cisco Employee)

Hi

Check this out. Should be able to help.

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html

Rate if it helps.

Yogesh

Hi Yog,

I checked the documentation you provided and have successfully retrieved the syslog from Sourcefire; the problem is that the syslog does not have the inline result / action (dropped or permitted).

Correct me if I am wrong, but I don't think changing the severity and priority will have any effect on the granularity of the syslog; that only marks the syslog sent with the selected severity and priority and only affects how the syslog server processes it.

thanks

