6 Comments

  1. Piyush Sharma
    July 16, 2018 @ 10:46 pm

Hi Todd,

    When enabling syslog on the ACP, will the Snort process always send events to the FMC, and then the FMC sends the logs to the syslog server?

    Is there any way that Snort process logs can be sent directly to the syslog server?

    How many syslog servers can we configure in the FMC?

    We have multiple sites managed by a central FMC, but we want the logs (Lina and Snort) of every location to stay at that location rather than go to the FMC. Can we send Snort logs directly to a syslog server? As per your document we can send logs from Lina to a local syslog server, but is this also possible for Snort logs?

    Reply

    • lammle
      July 17, 2018 @ 6:59 am

      Yes, you can.
      You can send Syslog from ACP rules, for example, or from the Platform settings of the devices themselves, and they talk directly to the Syslog servers.
      You can configure 16 syslog servers, and each configuration can control the amount of messages and events sent to each server. You can also configure the destinations: console, email, internal buffer, etc.

Appreciate you writing! We do consulting services too, if interested! 🙂
      Todd Lammle

      Reply

      • Piyush Sharma
        August 6, 2018 @ 4:55 am

Thanks Todd. :)

        Reply

  2. John Sheahan
    October 25, 2018 @ 9:42 am

Todd, how do I get this information in my SYSLOG data from the FMC?
    an 30 08:52:27 FPR2110-LAB-P SFIMS: Protocol: TCP
    SrcIP: 172.16.0.101
    OriginalClientIP: ::
    DstIP: 136.243.5.166
    SrcPort: 59143
    DstPort: 443
    TCPFlags: 0x0
    IngressZone: LAN
    EgressZone: INTERNET
    DE: Primary Detection Engine (61cf9bfe-6c84-11e7-9bbc-b2da5b7afba6)
    Policy: FPR2110-DEF-ACP
    ConnectType: Start
    AccessControlRuleName: internet-access
    AccessControlRuleAction: Allow
    Prefilter Policy: prefilter-test
    UserName: No Authentication Required
    Client: SSL client
    ApplicationProtocol: HTTPS
    InitiatorPackets: 3
    ResponderPackets: 1
    InitiatorBytes: 691
    ResponderBytes: 66
    NAPPolicy: Balanced Security and Connectivity
    DNSResponseType: No Error
    Sinkhole: Unknown
    URLCategory: Web Advertisements
    URLReputation: Well known
    URL: https://dc546.s372.meetrics.net

    Reply

    • lammle
      October 28, 2018 @ 10:15 am

      So that looks like a packet trace, and probably the best way is to get this from your FTD device by configuring the Platform settings.
      If you configure the Syslog alerting on the FMC you’ll get information based on your logging setup on your rules in your ACP, but it won’t give you a packet tracer output.
      The FTD logging is still underdeveloped and needs work for sure.
      I wish I had better answers for you as this is a point of contention for all my customers.
      Todd

      Reply
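The SFIMS record quoted above is one "Key: value" pair per line after a "host SFIMS:" header, with the first pair sharing the header line. The following parser is an added example (not code from the original post or from Cisco) that turns such a record into a dictionary and pulls out the connection tuple for SIEM or triage use; the sample record is constructed from the thread's values with a made-up timestamp.

```python
"""Parse an FMC/FTD 'SFIMS' connection-event syslog record into a dict of fields."""
import re
from typing import Dict, Tuple

# Constructed sample in the shape of the record quoted in the thread
# (multi-line "Key: value" pairs after an "SFIMS:" header); the timestamp is made up.
SAMPLE_EVENT = """Oct 25 09:42:00 FPR2110-LAB-P SFIMS: Protocol: TCP
SrcIP: 172.16.0.101
OriginalClientIP: ::
DstIP: 136.243.5.166
SrcPort: 59143
DstPort: 443
AccessControlRuleName: internet-access
AccessControlRuleAction: Allow
Prefilter Policy: prefilter-test
URLCategory: Web Advertisements
URL: https://dc546.s372.meetrics.net
"""

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) SFIMS: (?P<rest>.*)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?): ?(?P<val>.*)$")  # lazy key: "URL: https://x"

def parse_sfims_event(record: str) -> Dict[str, str]:
    """Return header metadata (_timestamp, _host) plus every Key: value pair."""
    lines = [ln.strip() for ln in record.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty record")
    hdr = HEADER_RE.match(lines[0])
    if not hdr:
        raise ValueError(f"not an SFIMS header: {lines[0]!r}")
    fields = {"_timestamp": hdr.group("ts"), "_host": hdr.group("host")}
    # The first field ("Protocol: TCP") shares the header line; the rest follow one per line.
    for line in [hdr.group("rest")] + lines[1:]:
        fm = FIELD_RE.match(line)
        if not fm:
            raise ValueError(f"unparseable field line: {line!r}")
        fields[fm.group("key")] = fm.group("val").strip()
    return fields

def connection_tuple(fields: Dict[str, str]) -> Tuple[str, int, str, int, str, str]:
    """5-tuple plus the ACP rule action, with the port fields validated as integers."""
    sport, dport = int(fields["SrcPort"]), int(fields["DstPort"])
    for p in (sport, dport):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return (fields["SrcIP"], sport, fields["DstIP"], dport,
            fields["Protocol"], fields["AccessControlRuleAction"])
```

Values with embedded colons (the IPv6 `OriginalClientIP: ::` and the URL) survive because the key match stops at the first `: `.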
