cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11621
Views
14
Helpful
29
Replies

Reporting in SourceFire FireSIGHT

Sylwia Smaga
Beginner
Beginner

Hello Community,

We have just completed a Clients full upgrade from old ASA's to new 5555-x with full features of FireSIGHT and FirePOWER on ASA, while everything is working as designed we have one issue,

This client wanted a single unit to do his URL/AMP and IPS and SourceFire can do this, but the reporting is horrible.

They had used Ironport WSA report and loved it, and SourceFire is nowhere close to this clean interface.

 

My question, has anyone produced templets or came close to a unified reporting between Ironport WSA and the SourceFire URL features.

Or know of any Cisco or 3rd party tool that can migrate the reports?

 

Thank You

Sylwia

29 Replies 29

Hi Pujita,

For us the most popular request have been,

1) Total Browsing time per User with break down by Business Relevance vs Non Business

2) Bandwidth Saved by Blocking

3) Blocked by Web Reputation

4) Top Users Blocked or Warned Transactions

This is just some of the most popular reports that our clients are asking us to mimic in FireSIGHT now.

Thank You

Sylwia

Pujita,

Is it possible to get a simple report that indicates total web hits (via url not IP) where we can set the user we want to look at?  It would be great to have a summary of all web hits in a given time period and then have a detailed report that shows the detail (timestamp, etc) of those web hits. 

HR or a manager could use this information to determine the heavy internet users and their usage, create a baseline of their activity, match to others for comparison, and have very useful data to correct behavior, change the access control policy when needed to limit certain web activities based on behaviors, etc.

Thanks.

trdavis
Beginner
Beginner

Has anyone found a solution to the reporting issues with FirePower? Does anyone know of a 3rd party tool that would accept FirePower logs and build reports from that data? 

I'm mainly looking for a user activity report that would show websites visited. 

Thanks

The report I achieved (after a lot of trials) was about the detailled activity of a user for a period of time.

But my problem is that Sourcefire databases are really small and in my case they collect events information for only a couple of days. I would also need an external 3rd party server to export the events database for creating extensive reports.

Screenshots are the way I configured the report. In the "field" you can select the most interesting information you need. 

That is helpful, thanks I will give it a try.

What are your thoughts for exporting the data?  I have started to look into this also, and it does not seem as straight forward as I would hope, even if it allowed an external SQL database for storage would be useful.

Hi, about expoting the data.

I was reading a little about an add-on for Splunk, but information is not clear for me, I never worked with Splunk  and it seems not easy

https://splunkbase.splunk.com/app/1808/

Anyway, if I was able to export data to Spluk I´m not sure if I could use it in the way I'm interested for long term detailled reporting. I can not find any clear information.

I tried the Splunk route. It is really centered around correlating intrusion data. At the moment I am unable to actually see connection logs in the same fashion I see them on the appliance. Also the user's seem to be showing up as a numerical ID, not the actual username. 

On top of that this is a community supported plugin so neither Cisco nor Splunk are going to be of much help. 

I'm at the point where I might have to either pay someone to write me a custom report or look at a supplementary solution just for monitoring and reporting on traffic. 

It's a real shame considering that all of the data is there.

I have been told that there was a bug in the FireSight code that should be resolved by the end of the month allowing the user name data to appear in Splunk. 

I just keep getting the run around. The update still hasn't been issued but there is apparently a hotfix if you call Cisco that will get you the username field in text. However from what I have been told that is not for the latest version of FireSight which has the rate limiting feature I have been looking for.

The move to CX and ultimately FirePower has been polarizing to say the least. Every time I get one thing that I was looking for I have to sacrifice something that I had.

We also tried the splunk route but the Syslog messages do not provide all the same fields as the connection_log table. They don't provide first_packet_sec, last_packet_sec, and many other. It would be better suited for reporting if they provided more fields in the syslog messages. I've attached an example of one.

Thank you for providing support! Wondering though, how did you get "Event Viewer Query" in your Search? Was that also custom?

You can customize the search editing the field "Search", take a look the Captura-1 and Captura-2 screenshots uploaded. And you can choose any of the details as if you were in "Analisys --> Connection --> Events" (username, initiator IP, application....)

You can also edit the "Fields" to show only the information you are interested in.

Yes. The reporting inside of the FireSight console is adequate. However the retention is not. The focus of this thread is a need for longer retention than any of the appliances offer.

In my posts I am referring to the data as it is sent by estreamer to a third party product like Splunk.

Coming from Cisco, the only way to archive data to a database is going to be a using a custom eStreamer client. There is an SDK written in Perl which Cisco supports which you can use to develop one if you are savvy enough.

I used this open source python library (https://github.com/spohara79/estreamer) and wrote a MSSQL plugin for it (included in the example code). If you're capable of modifying python code, this is a good option. We use it now.

mayler001
Beginner
Beginner

If Cisco could provide more templates that would be awesome.

Also, the virtual appliance version of FireSight is limited to 10M events.

This is way too small. I'm able to review 2 weeks of events before the old events are purged. 

I need a way to track user activity for reporting. IP Address to User Name reports that go back more than one day would be a great start. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers