babiojd01
Level 1

1. You want syslog events 430001? (Snort IPS alerts) My scenario was FirePower services for ASA, not FTD.

Answer: Add logging host to your intrusion policy pointing to your CSSP appliance.

 

2. You want syslog events sent for file and malware?

Answer: Add another line in rsyslog.d/1-ips file on your CSSP specifying 430005. You can copy the line with 430001 and change the second line from 430001 to 430005. Adjust your FMC access control policy in the logging tab adding checkbox for file and malware. Add your CSSP server as the receiver.

:rawmsg,contains,"430001", -/opt/cssp/logs/events/events.log

:rawmsg,contains,"430005", -/opt/cssp/logs/events/events.log

&~

 

3. You want Security Intelligence events sent to CSSP?

Answer: Change your current syslog entry in the DNS, URL, and IP Security Intelligence section of your access control policy, pointing the logging to your CSSP server. You will need to add another entry into your CSSP server rsyslog.d/1-ips file to include these messages. Create an additional line copying the line with 430001 but changing the number to 430002.

:rawmsg,contains,"430001", -/opt/cssp/logs/events/events.log

:rawmsg,contains,"430002", -/opt/cssp/logs/events/events.log

&~
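
Added example, not part of the original post: a small Python check to confirm that each event type is actually arriving after the policy and rsyslog changes above. It also flags lines that a plain `contains` substring filter would route only because the digits appear inside a longer number. The function names and the sample lines are constructed for illustration; the event ID meanings are the ones given in the post.

```python
import re
from collections import Counter

# Event IDs and their meaning as given in the post above.
EVENT_IDS = {
    "430001": "intrusion (Snort IPS) events",
    "430002": "Security Intelligence events",
    "430005": "file and malware events",
}

# Stricter match: the ID as a standalone number, not part of a longer one.
TOKEN_RE = re.compile(r"(?<!\d)(430001|430002|430005)(?!\d)")


def classify(line):
    """Return (IDs matched by substring, as rsyslog 'contains' does; IDs matched as a token)."""
    substring = {i for i in EVENT_IDS if i in line}
    token = set(TOKEN_RE.findall(line))
    return substring, token


def audit(lines):
    """Tally events per ID, list IDs never seen, and collect substring-only matches."""
    counts = Counter()
    accidental = []
    for line in lines:
        substring, token = classify(line)
        counts.update(token)
        if substring - token:  # digits appear only inside a longer number
            accidental.append(line)
    missing = sorted(set(EVENT_IDS) - set(counts))
    return counts, missing, accidental


# Constructed sample lines; the layout is illustrative, not real device output.
SAMPLE = [
    "Jan 10 10:00:01 sensor1 constructed-event 430001 intrusion alert",
    "Jan 10 10:00:02 sensor1 constructed-event 430001 intrusion alert",
    "Jan 10 10:00:05 sensor1 constructed-event 430002 security intelligence block",
    "Jan 10 10:00:09 sensor1 constructed-event 999999 bytes=14300017",
]

if __name__ == "__main__":
    counts, missing, accidental = audit(SAMPLE)
    for event_id, label in EVENT_IDS.items():
        print(f"{event_id} ({label}): {counts[event_id]}")
    print("IDs with no events yet:", missing or "none")
    print("Lines matched only by substring:", len(accidental))
```

To run it against the real file, pass the lines of /opt/cssp/logs/events/events.log to `audit()` instead of `SAMPLE`.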

 
