I did some searches here to see whether I could get any hits on Cisco Firepower Management Center - none.
I’m using the latest 18.104.22.168 (build 51) and wanted to send syslog stream to my existing Graylog 2.1.0+62db7e0, codename Smuttynose, which otherwise is receiving ton of logs from all over the place and I know it’s good and functioning correctly.
I was surprised to find that Graylog can not receive anything at all from FirePOWER. I figured it’s some simple on the Cisco end (like syslog not being enabled correctly) but there - the setup is just too simple. As a test I directed the syslog stream to Splunk and the logs show up just as expected. So I know the device is sending syslog just fine.
So I’m probably missing something about troubleshooting this on the Graylog side. If I go to inputs and watch all incoming traffic I do not see anything at all from the FP source. How can I troubleshoot this? It seems Graylog is rejecting the stream for some reason. What could that be? The format?
I even did “create extractor” in a hope to capture the incoming message from FP and “see” it but just as before - nada, no messages at all.
a few years ago Cisco did not send syslog in a format Graylog could receive. It might still be the case here. You can check out first if the logs are sent to Graylog by making a RAW/Plaintext TCP or UDP input for receiving the Cisco log. If it works, you can create the necessary extractors yourself for extracting the necessary fields.
Did you already try these: (https://marketplace.graylog.org/addons?tag=firepower)
In case they don’t work, this discussion: https://groups.google.com/forum/#!topic/graylog2/qbjL_Cji7eY has an example for extractors for ASA, which might or might not work in your case, too.
Thanks @jtkarvo – I will try the extractor. I couldn’t create a raw test extractor as you suggested since I am getting ton of other streams that will be affected but I do agree that Cisco is likely shorting the standard which is the cause of Graylog getting nothing from FP.
Sad to see this since syslog predates the company by decades…
you can probably set a custom rsyslog port on the Cisco side; using that you can send the Firepower logs to a different (=RAW) input than the other logs, use extractors and then, if necessary, forward to the same streams as the other log sources.
The extractor did it – Thank you @jtkarvo
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.