Cisco Firepower and Intrusion events

Hi, new to Graylog… got it working for my Cisco ASA 5508-X with Firepower; however, it is not working with the intrusion events. (Works great for rule events.)

I have configured the Firepower intrusion policy to do SNMP to my Graylog server and to use syslog (just trying to get one or the other working)… In Graylog I have 2 inputs, one for SNMP which is using port 162 and one for syslog UDP 514. I did use authbind to allow the ports to be used on my Ubuntu box. All the configuration looks right as far as I can tell; just when I generate an intrusion event it shows in the real-time monitoring of the Cisco Firepower box, but no logs show up in either of those inputs in Graylog.

Any help would be much appreciated.
Cheers,


Graylog out of the box doesn't support SNMP input. Do you use some plugin for it?
Second, check your search and find messages for 1 day, or try an Absolute time range. It's usually a problem with the timestamp, if the device doesn't send a proper syslog message.


Yes, I used a plugin, but I was trying both SNMP and syslog… I generally don't care which one I use; I was trying to make either one work.

Try to run tcpdump on the Graylog box to check if something is received on port 514 UDP.
For example, use this command, generate an intrusion event, and check the tcpdump output:

sudo tcpdump -A -n -vv -i ens160 port 514

Note: change the interface name ens160 if yours is different.

It seems to be working now however the events are significantly delayed in reaching the graylog server.

Are the logs delayed, or is the timestamp of the logs not in sync?

They are delayed, I generate traffic to send logs and they take 15 minutes roughly to show up.

But where is that delay coming from? Did you check whether that traffic reaches Graylog in time and the delay is produced in Graylog, or whether it is sent with a delay from your Firepower?
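One way to answer that question, and the earlier point about devices that don't send a proper syslog header, is to compare the timestamp inside each datagram with the time the packet actually arrived on the wire (the capture time tcpdump prints). This is an added example written for this thread, not code from Graylog or Cisco; it assumes the sensor emits RFC 3164 (BSD-style) syslog, and the hostname fp-sensor and the sample datagrams are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# RFC 3164 (BSD syslog) header: <PRI>Mmm dd hh:mm:ss hostname message
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(line, received_at):
    """Parse one syslog datagram. received_at is the wire arrival time
    (e.g. the tcpdump capture timestamp). timestamp is None when the header
    cannot be parsed, i.e. the 'device doesn't send a proper syslog message'
    case, where Graylog falls back to its own receive time."""
    m = _HEADER.match(line)
    if m is None:
        return {"timestamp": None, "host": None, "message": line}
    pri = int(m.group("pri"))
    # BSD timestamps carry no year: borrow it from the arrival time.
    ts_text = " ".join(m.group("ts").split())  # collapse "Jan  5" to "Jan 5"
    ts = datetime.strptime(f"{received_at.year} {ts_text}", "%Y %b %d %H:%M:%S")
    # A message stamped 31 Dec but received 1 Jan would otherwise parse a year
    # in the future; pull it back to the previous year.
    if ts - received_at > timedelta(days=1):
        ts = ts.replace(year=ts.year - 1)
    return {"timestamp": ts, "facility": pri >> 3, "severity": pri & 7,
            "host": m.group("host"), "message": m.group("msg")}


def classify(record, received_at, tolerance=timedelta(seconds=60)):
    """Compare the device's own timestamp with the wire arrival time.
    An old timestamp at arrival means the delay happened before the packet
    reached the collector; a fresh timestamp at arrival but a late appearance
    in Graylog means the delay is inside Graylog's pipeline."""
    if record["timestamp"] is None:
        return "unparsed", None
    lag = received_at - record["timestamp"]
    secs = int(lag.total_seconds())
    if lag > tolerance:
        return "delayed-at-sender", secs   # buffered/batched before being emitted
    if lag < -tolerance:
        return "clock-skew", secs          # device clock ahead of the collector
    return "ok", secs


# Constructed sample capture: (arrival time as tcpdump would record it, payload).
SAMPLES = [
    (datetime(2023, 1, 10, 14, 18, 22),
     "<166>Jan 10 14:03:20 fp-sensor intrusion event (constructed sample)"),
    (datetime(2023, 1, 10, 14, 18, 25),
     "<134>Jan 10 14:18:24 fp-sensor connection event (constructed sample)"),
    (datetime(2023, 1, 10, 14, 18, 30),
     "Jan 10 14:18:29 fp-sensor event without a <PRI> header (constructed sample)"),
    (datetime(2023, 1, 10, 14, 18, 35),
     "<134>Jan 10 15:30:00 fp-sensor event from a device whose clock is ahead (constructed sample)"),
]


def triage(samples=SAMPLES):
    """Return (verdict, lag_seconds) for every captured datagram."""
    return [classify(parse_syslog(line, arrived), arrived) for arrived, line in samples]


if __name__ == "__main__":
    for (arrived, line), (verdict, secs) in zip(SAMPLES, triage()):
        print(f"{arrived:%H:%M:%S} {verdict:18} lag={secs} {line[:45]}")
```

Feed it real lines by pairing each payload from `tcpdump -tttt` with the capture time on the same line: a 15-minute lag that is already present at the wire points at the sensor's emission schedule, a lag of a few seconds at the wire but 15 minutes in the Graylog search points at the input or processing pipeline, and "unparsed" entries explain why a relative time-range search may miss messages.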
