cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1723
Views
15
Helpful
18
Replies
Highlighted
Beginner

Authentication Attempts Logs On FTD FirePOWER 2130 or FTD Cisco ISA 3000

Community,

 

Has anyone been able to successfully get syslog messages from an FTD device for successful or failed authentication attempts via SSH? I have my FTD appliances (FirePOWER 2130 and FTD Cisco ISA 3000s) sending logs to a remote syslog server. I see the intrusion and acl logs but not user authentication logs. Any feedback would be appreciated. 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

I tried on my FTD 6.4.0 version and it works.

I've a quick and dirty rules to show you an example.

 

Syslog message ID that is responsible for login and logout is: 199018

 

On FMC:

 

FMC-1.pngFMC-2.png

 

On splunk:

 

splunk.png

 

 

Let me know if that works for you as well


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

18 REPLIES 18
Highlighted
VIP Mentor

Hi

Are your devices managed by FMC?
If so, when you create platform settings configuration, into syslog menu:

- you can create an event list for auth with informational level on event lists tab.
- then under logging destination tab, you can tell that the previous created event list should be redirected to syslog.

This should do the trick. Have you tried it?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

Thanks for the feedback, Francesco. Yes, the FTDs are managed by FMC. I did create an event list and syslog destinations in the syslog settings for auth but nothing. I see other logs from the system but not those. Involved Cisco TAC and two of them couldn’t figure something it out either. Cisco documentation shows that this type of logging is available to be configured as there are configuration options to configure it just like you mention but I fail to see those logs which baffles me. 

Highlighted

What version are you running?

I'll try on my 6.4.0 version and let you know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

I tried on my FTD 6.4.0 version and it works.

I've a quick and dirty rules to show you an example.

 

Syslog message ID that is responsible for login and logout is: 199018

 

On FMC:

 

FMC-1.pngFMC-2.png

 

On splunk:

 

splunk.png

 

 

Let me know if that works for you as well


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Highlighted

Thanks for that feedback. Below is my setup to mimick what you sent for testing. I have confirmed in the two external logging destinations that they are only seeing SYS LOG IDs of 199017, 430002 and 430003. There has to be something I am missing. My version of FMC is 6.3.0.77 

 

06-03-2019 12-54-51 PM.jpg06-03-2019 12-54-59 PM.jpg06-03-2019 12-55-13 PM.jpg06-03-2019 12-55-38 PM.jpg06-03-2019 12-56-00 PM.jpg

 

Highlighted

Thanks for that feedback. Below is my setup to mimick what you sent for testing. I have confirmed in the two external logging destinations that they are only seeing SYS LOG IDs of 199017, 430002 and 430003. There has to be something I am missing. My version of FMC is 6.3.0.77 

 

06-03-2019 12-54-51 PM.jpg06-03-2019 12-54-59 PM.jpg06-03-2019 12-55-13 PM.jpg06-03-2019 12-55-38 PM.jpg06-03-2019 12-56-00 PM.jpg

 

Highlighted

Ok don't have any 6.3 version to test.
Can you upgrade to 6.4 train and test again?
Otherwise no other choice to wait tac feedback to see why you're not getting logs like me in your running version.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

I upgrade both FMC and the FTD 2130 and I still dont see the appropriate message Sys ID I need. Quite odd. I now have the same setup as you do above and I am still missing those logs. 

Highlighted

I upgrade both FMC and the FTD 2130 and I still dont see the appropriate message Sys ID I need. Quite odd. I now have the same setup as you do above and I am still missing those logs. 

Highlighted

Sorry for the confusion here. I actually did away with the plenty of logs that were coming through to the device and used the range 101001-199021 to see if anything would go through. I got the syslog ID for 199018 for successful authentication. However, for the unsuccessful authentication. I dont get that. Anyone know what that would be. I am going to try the whole range and see if anything comes through. 

Highlighted

I believe it's 605004 and 605005 that would enough to get successful and denied as well but not sure 100%.
There's a link on Cisco if you search for Cisco ftd syslog message id and you'll be able to confirm and test it.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Highlighted

After working with several TAC engineers, there appears to be no resolution at the moment. While we can get a log message for successful authentication to the FTD 2130s and ISA 3000s, we can not get a log message for invalid or failed authentication attempts. I tested with a brute force attack via SSH more that 1K times and not a single message was logged on the asset that someone was attempting to log in and trying to do so with bad credentials. Eventually a bug was provided and it was updated today to include the 2100s. Waiting to see if the ISA 3000s will be added and wait for the resolution. 

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm16200/?rfs=iqvred

 

 

Highlighted

Thanks for letting us know the TAC's findings.

I notice they filed that as an enhancement request. I'd argue it should be a defect.

Highlighted

Still working on the issue with our entity's Cisco SE. I have tested this multiple attempts to no avail. Issue was raised to Cisco's BU. The BU thinks that the functionality to log failed log attempts was added in 6.4 code. I have done extensive testing on 6.4 code including the 6.4.0.1 patched code. No dice. Will see if the issue can be raised further as a bug for a fix.