How to log anyconnect sessions in syslog using FDM

zachlin19381
Level 1

I would like to know if it is possible to set up my Firepower 1010 using FDM to log events from when my users log on and off the AnyConnect client. I cannot find an option to set this up.

Accepted Solution

Marvin Rhoads
Hall of Fame

The event viewer in FDM won't show messages related to VPN user logon/logoff. However, those actions do generate syslog messages.

You can add a syslog server and then configure FTD to send events to it. They can be of a defined level (Emergency, Alert, Critical, etc.) or you can create a custom filter with just the syslog messages you want. You'd then have to use the display in the syslog server to see the information.

That's not very useful, but it's what's available natively as of FTD 6.7 when managed only with FDM. If you use FMC or CDO, more useful displays are available - especially with CDO. It interacts with the FTD device via API to retrieve the relevant information and display it graphically.

8 Replies

balaji.bandi
Hall of Fame

FDM has limited capabilities. What is the source of authentication? Can you get data from AD or RADIUS, based on the config?

BB


I’m using local...

Then using FDM event viewer.

Hi,

FTD has logs for AnyConnect login/logoff. You should be able to view them using the FDM Event Viewer or by configuring a remote logging server.


I cannot see anything about AnyConnect login/logoff in the event viewer using FDM...

Could you show me where I can find it? Please.


bcoverstone
Level 1

Here is a basic step-by-step walkthrough on how to log AnyConnect VPN connections with FDM and FTD to a syslog server.


First, find out the syslog level that you want going to your syslog server. For example, I am using "Critical", so I will use that in this example.

1) Go to "Objects" -> "Event List Filters"

2) Click the "+" next to "Add a new Event List Filter"

3) Give the filter a name, such as "syslog-critical-withvpn"

4) Click the "+" next to "Severity and Log Class", choose "Critical", and click "OK"

5) Click "Please select Log Class" and checkmark the desired classes (I checkmarked all of them)

6) In the "Syslog Range / Message ID", enter "109201-109203"

7) Click "Add Another Syslog Range / Message ID" and enter "716001-716002"

8) Click "OK" to add the new filter

9) Click "Device: DeviceName" -> "Logging Settings"

10) Under "Syslog Servers", if you haven't added your server yet, click the "+" and add your server

11) Under "Message Filtering for Firepower Threat Defense", click "Custom Logging Filter" and choose "syslog-critical-withvpn"

12) Click "SAVE"

13) Deploy the changes


The secret here is the custom logging filter. The documentation is not clear whether the syslog level combines with the Message ID range or filters by the Message ID range.

The answer is that it COMBINES with the Message ID range, so you can have both!

(FDM only allows you to pick one custom filter for the syslog server, so that's why it is important to be able to do this.)

And now you have an easy way to add further Message IDs for syslogging, by simply editing the custom filter and adding more sets of Message IDs!


Here is a list of available syslog message ID's to pick from:

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html
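As an added example, not code from this thread or from Cisco: a short Python script that mirrors the combined filter semantics described in the walkthrough (severity at or above "Critical" OR message ID inside one of the configured ranges) over constructed syslog lines, and pulls the AnyConnect logon/logoff records out of the 716001/716002 messages so you can confirm they actually reach the syslog server. The body layout of those two messages, the sample lines, and the placeholder message ID 111111 are assumptions made for the example; check them against what your own syslog server receives.

```python
import re
from typing import Dict, List

# Severity in the %FTD-<severity>-<message id> header follows syslog: 0=Emergency ... 7=Debug.
CRITICAL = 2
# The custom filter from the walkthrough: severity "Critical" plus two message ID ranges.
# FDM combines the two conditions, so a message is forwarded when EITHER one matches.
FILTER_SEVERITY = CRITICAL
FILTER_ID_RANGES = [(109201, 109203), (716001, 716002)]

HEADER_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)")
# Body layout assumed for 716001/716002 (constructed for this example; verify against your own logs).
VPN_RE = re.compile(r"Group (?P<group>\S+) User (?P<user>\S+) IP (?P<ip>\S+) "
                    r"WebVPN session (?P<state>started|terminated)")

def passes_filter(severity: int, msg_id: int) -> bool:
    """True if FTD would forward this message under the combined custom filter."""
    if severity <= FILTER_SEVERITY:  # numerically lower = more severe
        return True
    return any(lo <= msg_id <= hi for lo, hi in FILTER_ID_RANGES)

def forwarded_lines(log: str) -> List[str]:
    """Lines the device would actually send to the syslog server under the filter."""
    keep = []
    for line in log.splitlines():
        m = HEADER_RE.search(line)
        if m and passes_filter(int(m["sev"]), int(m["id"])):
            keep.append(line)
    return keep

def session_events(log: str) -> List[Dict[str, str]]:
    """Logon/logoff records a syslog-side dashboard or alert rule would key on."""
    events = []
    for line in forwarded_lines(log):
        m = HEADER_RE.search(line)
        v = VPN_RE.search(m["text"])
        if v:
            events.append({"id": m["id"], **v.groupdict()})
    return events

# Constructed sample of what the syslog server might receive; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
<166>Jan 10 2024 09:00:01 ftd-1010 : %FTD-6-716001: Group Employees User alice IP 203.0.113.10 WebVPN session started.
<166>Jan 10 2024 09:00:02 ftd-1010 : %FTD-6-302013: Built outbound TCP connection (constructed filler, outside every range)
<162>Jan 10 2024 09:05:00 ftd-1010 : %FTD-2-111111: placeholder ID, forwarded on severity alone
<166>Jan 10 2024 17:30:00 ftd-1010 : %FTD-6-716002: Group Employees User alice IP 203.0.113.10 WebVPN session terminated: User Requested
"""

if __name__ == "__main__":
    for e in session_events(SAMPLE_LOG):
        print(f"{e['user']}@{e['ip']} ({e['group']}) session {e['state']} [{e['id']}]")
```

Running it on the sample forwards three of the four lines (the 302013 line is dropped) and yields one "started" and one "terminated" record for alice.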


@bcoverstone nice write-up - thanks for sharing your work