03-27-2020 05:29 AM
We recently migrated our firewall to a Firepower 1140 that is managed by a Firepower Management Center. I configured the Remote Access VPN to mirror our configuration on our old ASA and everything is for the most part working. On the ASA I was able to grab user VPN logins from syslogs and that was very useful for reporting and alerting in Splunk. I was able to do the same thing for admin logins into the firewalls. I am using the eStreamer App for Splunk to get logs out of my management center but it looks like I am only really able to grab connection events and no other form of authentication events. Is it possible to get the VPN and authentication logs from another method? It would be preferable to just grab them all through eStreamer but if I have to grab them through syslog it's better than nothing.
I don't find the Firepower interface to be too intuitive for anything VPN related, remote access or site-to-site.
Solved!
03-27-2020 06:49 AM
I was able to reference a list of syslog IDs here: https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html
And I was able to configure syslogging through platform settings: https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/platform_settings_for_firepower_threat_defense.html#concept_8637BBD154854CA498A2DA66D55A115E
I am just tweaking the IDs that I need for remote access and IPsec, but these logs are exactly what I am looking for!
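As an added example (not from the original thread or from Cisco): once the FTD syslog IDs are forwarded, a small parser like this can pull the remote-access VPN authentication and session events out of the stream and, for instance, count rejected logins per user for a Splunk-style alert. The IDs used are standard ASA/FTD message IDs (113004/113005 AAA authentication result, 113039/113019 AnyConnect session start/disconnect, 722051 address assignment); the log lines, hostnames and addresses are constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample FTD syslog lines (RFC 3164 style, as sent by platform settings).
SAMPLE_LOG = """\
<166>Mar 27 2020 06:49:01 ftd01 : %FTD-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
<166>Mar 27 2020 06:49:02 ftd01 : %FTD-6-113039: Group <RA-VPN> User <alice> IP <203.0.113.10> AnyConnect parent session started.
<166>Mar 27 2020 06:49:03 ftd01 : %FTD-6-722051: Group <RA-VPN> User <alice> IP <203.0.113.10> IPv4 Address <10.10.20.7> IPv6 address <::> assigned to session
<166>Mar 27 2020 06:50:00 ftd01 : %FTD-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.9
<164>Mar 27 2020 07:30:00 ftd01 : %FTD-4-113019: Group = RA-VPN, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 0h:41m:00s, Bytes xmt: 123456, Bytes rcv: 654321, Reason: User Requested
"""

# "%FTD-<severity>-<message id>: <body>" is the fixed part of every FTD syslog line.
HEADER = re.compile(r"%FTD-\d-(?P<id>\d{6}): (?P<body>.*)$")

# Per-ID body patterns; the field layout follows the published message formats.
BODY = {
    "113004": ("auth_success", re.compile(r"server = (?P<server>\S+) : user = (?P<user>\S+)")),
    "113005": ("auth_rejected", re.compile(
        r"reason = (?P<reason>.+?) : server = (?P<server>\S+) : user = (?P<user>\S+) : user IP = (?P<ip>\S+)")),
    "113039": ("session_started", re.compile(r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")),
    "722051": ("address_assigned", re.compile(
        r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> IPv4 Address <(?P<assigned_ip>[^>]+)>")),
    "113019": ("session_disconnected", re.compile(
        r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+),.*Duration: (?P<duration>\S+),.*Reason: (?P<reason>.+)$")),
}


def parse_vpn_event(line: str) -> Optional[Dict[str, str]]:
    """Return a flat event dict for a known RA-VPN syslog ID, or None for other lines."""
    m = HEADER.search(line)
    if not m or m["id"] not in BODY:
        return None
    kind, pattern = BODY[m["id"]]
    fields = pattern.search(m["body"])
    if not fields:  # known ID but unexpected body layout: skip rather than guess
        return None
    return {"event": kind, "syslog_id": m["id"], **fields.groupdict()}


def vpn_events(lines: List[str]) -> List[Dict[str, str]]:
    """Parse a batch of syslog lines, dropping everything that is not a VPN event."""
    return [ev for ev in (parse_vpn_event(ln) for ln in lines) if ev]


def failed_auth_counts(lines: List[str]) -> Dict[str, int]:
    """Count AAA rejections per username, the basis for a brute-force style alert."""
    counts: Dict[str, int] = {}
    for ev in vpn_events(lines):
        if ev["event"] == "auth_rejected":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts
```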
03-31-2020 11:42 AM
Did you just configure the FTD to send the VPN syslog over to Splunk? I am in the same boat and trying to decide if I need to do this to see logon/logoffs. Did you forward them to a syslog server then on to the indexers of Splunk? Any tips or tricks would be greatly appreciated as with this new "everyone remote" model we are in, there is a strong desire to see the VPN logs. I had assumed that the eStreamer app would cover that. Thanks in advance!
03-31-2020 12:22 PM