Firepower VPN Logs

We recently migrated our firewall to a Firepower 1140 that is managed by a Firepower Management Center. I configured the Remote Access VPN to mirror our configuration on our old ASA and everything is for the most part working. On the ASA I was able to grab user VPN logins from syslogs and that was very useful for reporting and alerting in Splunk. I was able to do the same thing for admin logins into the firewalls. I am using the eStreamer App for Splunk to get logs out of my management center but it looks like I am only really able to grab connection events and no other form of authentication events. Is it possible to get the VPN and authentication logs from another method? It would be preferable to just grab them all through eStreamer but if I have to grab them through syslog it's better than nothing.

I don't find the Firepower interface to be too intuitive for anything VPN related, remote access or site-to-site.

I was able to reference a list of syslog IDs here: https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html

And I was able to configure syslogging through Platform Settings: https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/platform_settings_for_firepower_threat_defense.html#concept_8637BBD154854CA498A2DA66D55A115E

I am just tweaking the IDs that I need for remote access and IPsec but these logs are exactly what I am looking for!

Did you just configure the FTD to send the VPN syslog over to Splunk? I am in the same boat and trying to decide if I need to do this to see logon/logoffs. Did you forward them to a syslog server then on to the indexers of Splunk? Any tips or tricks would be greatly appreciated as with this new "everyone remote" model we are in, there is a strong desire to see the VPN logs. I had assumed that the eStreamer app would cover that. Thanks in advance!

Are you using FTD or a Firepower Management Center? I am using a Firepower Management Center so I am not sure what is or isn't possible with FTD by itself. I had a syslog server left over from the ASAs that were replaced by the Firepower appliances, so I used the Platform Settings to send the syslogs there and then the Splunk forwarder forwards the logs to my index cluster. You can use the Logging Destination tab to send only webvpn logs, which is what I did, and I get less than 10Mb of logs a day from the appliance with over 100 users connecting/disconnecting from VPN all day.

I didn't test if it is necessary or not, but since everything was recycled from the old ASAs I have the Splunk Add-on for Cisco ASA installed and the logs are being pulled in with a source type of cisco:asa. I believe I had the add-on installed on the indexers as well but I do not recall off hand. I believe that the Cisco ASA add-on will probably be necessary in order to properly parse the log, but again I have not tested it. The syslogs that are kicked out are essentially identical to ASA syslogs; all of my prior reports designed with the ASA syslog work flawlessly with the new reports without change.

I was also hoping that eStreamer would bring in more logs. The connection events are great to have but it is only a portion of the picture. My next venture is to figure out how to get Firepower Management Center audit logs out so I can track logins and changes to the management center.
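As an added example (not code from this thread or from Cisco), here is a small Python parser for the ASA-style VPN syslog lines that the FTD emits, turning them into the login/logoff/rejection counts a Splunk VPN report would show. The sample lines are constructed; the message IDs come from the ASA/FTD syslog catalogue linked above, while the exact field layouts are approximated and should be checked against real output.

```python
import re
from collections import defaultdict

# Constructed sample lines in FTD syslog form. The IDs (113039, 722051, 113019,
# 113005) are from the ASA/FTD catalogue; field layouts are approximated, not captured.
SAMPLE_LOGS = """\
<166>Mar 14 2024 09:12:01 ftd-1 : %FTD-6-113039: Group <RA-VPN> User <alice> IP <203.0.113.10> AnyConnect parent session started.
<166>Mar 14 2024 09:12:02 ftd-1 : %FTD-6-722051: Group <RA-VPN> User <alice> IP <203.0.113.10> IPv4 Address <10.10.20.5> IPv6 address <::> assigned to session
<164>Mar 14 2024 09:15:40 ftd-1 : %FTD-4-113019: Group = RA-VPN, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 0h:03m:38s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested
<166>Mar 14 2024 09:20:11 ftd-1 : %FTD-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
"""

# The %ASA-/%FTD- header has the same shape on both platforms (why the ASA add-on works).
HEADER = re.compile(r"%(?:ASA|FTD)-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
ANGLE = r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>"

# Message ID -> (event label, body pattern). IDs not listed here are dropped,
# much like restricting the Logging Destination to webvpn/vpn classes.
PATTERNS = {
    "113039": ("session_start", re.compile(ANGLE)),
    "722051": ("address_assigned", re.compile(ANGLE + r" IPv4 Address <(?P<assigned>[^>]+)>")),
    "113019": ("session_end", re.compile(
        r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+),"
        r".*Duration: (?P<duration>[^,]+),.*Reason: (?P<reason>.*)$")),
    "113005": ("auth_rejected", re.compile(
        r"reason = (?P<reason>.*?) : server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)")),
}

def parse_vpn_events(text):
    """Return one dict per VPN/AAA message found in raw syslog text."""
    events = []
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m or m["id"] not in PATTERNS:
            continue
        label, pat = PATTERNS[m["id"]]
        fields = pat.search(m["body"])
        if not fields:
            continue  # known ID but unexpected layout: skip rather than guess
        events.append({"id": m["id"], "event": label, **fields.groupdict()})
    return events

def summarize_by_user(events):
    """Per-user login/logoff/rejection counts, as a VPN report would show them."""
    counts = {"session_start": "logins", "session_end": "logoffs", "auth_rejected": "rejected"}
    totals = defaultdict(lambda: {"logins": 0, "logoffs": 0, "rejected": 0})
    for e in events:
        if e["event"] in counts:
            totals[e["user"].strip()][counts[e["event"]]] += 1
    return dict(totals)
```

Running `summarize_by_user(parse_vpn_events(SAMPLE_LOGS))` on the constructed lines gives one login and one logoff for alice and one rejected attempt for bob.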