Cisco Firepower Management Center syslog decoding


(bubba198) #1

Hi everyone,

I did some searches here to see whether I could get any hits on Cisco Firepower Management Center - none.

I’m using the latest 6.2.0.2 (build 51) and wanted to send the syslog stream to my existing Graylog 2.1.0+62db7e0, codename Smuttynose, which otherwise is receiving a ton of logs from all over the place, and I know it’s good and functioning correctly.

I was surprised to find that Graylog can not receive anything at all from FirePOWER. I figured it’s something simple on the Cisco end (like syslog not being enabled correctly), but there the setup is just too simple. As a test I directed the syslog stream to Splunk and the logs show up just as expected. So I know the device is sending syslog just fine.

So I’m probably missing something about troubleshooting this on the Graylog side. If I go to inputs and watch all incoming traffic I do not see anything at all from the FP source. How can I troubleshoot this? It seems Graylog is rejecting the stream for some reason. What could that be? The format?

I even did “create extractor” in the hope of capturing the incoming message from FP and “seeing” it, but just as before - nada, no messages at all.

Thank you
~B


#2

hi,

a few years ago Cisco did not send syslog in a format Graylog could receive. It might still be the case here. You can first check whether the logs are being sent to Graylog by creating a Raw/Plaintext TCP or UDP input for receiving the Cisco log. If it works, you can create the necessary extractors yourself for extracting the fields you need.

Did you already try these: (https://marketplace.graylog.org/addons?tag=firepower)

In case they don’t work, this discussion: https://groups.google.com/forum/#!topic/graylog2/qbjL_Cji7eY has example extractors for ASA, which might or might not work in your case, too.


(bubba198) #3

Thanks @jtkarvo – I will try the extractor. I couldn’t create a raw test extractor as you suggested since I am getting a ton of other streams that would be affected, but I do agree that Cisco is likely shorting the standard, which is the cause of Graylog getting nothing from FP.

Sad to see this since syslog predates the company by decades…

~B


#4

hi,

you can probably set a custom rsyslog port on the Cisco side; using that you can send the Firepower logs to a different (=RAW) input than the other logs, use extractors and then, if necessary, forward to the same streams as the other log sources.
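Posts #2 and #4 together describe the workaround: confirm the messages are actually arriving by pointing the device at a separate Raw/Plaintext input on its own port, then pull the fields out with extractors. The script below is an added example, not code from this thread, from Graylog or from Cisco. It shows the strict RFC 3164 header check a syslog input applies, and the field extraction a Raw/Plaintext input plus extractor performs on a line that check rejects. The sample lines are constructed, the "SFIMS:" message layout is an assumption about the vendor format, and the ISO-timestamp variant only illustrates the kind of header a strict parser refuses; it is not a claim about what Firepower sends.

```python
"""Two-stage handling of Firepower-style syslog (added example).

parse_rfc3164  - the strict header check a syslog input performs
extract_fields - the extractor a Raw/Plaintext input would run on the body
process        - tries the syslog path first, falls back to raw handling
All sample lines are constructed; the SFIMS body layout is an assumption.
"""
import re

# Strict RFC 3164 header: <PRI>, BSD timestamp ("Jun  4 09:15:02"), hostname, MSG.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Extractor for the (assumed) message body.  Each named group is one field you
# would define in a Graylog Grok extractor; a Graylog "regular expression"
# extractor keeps only the first capture group, so it needs one per field.
FIREPOWER = re.compile(
    r'SFIMS: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<rule>[^"]*)"'
    r'.*?\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} '
    r'(?P<src_ip>[\d.]+):(?P<src_port>\d+)->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)'
)

# Constructed samples (RFC 5737 addresses, local-rule SID range).
GOOD = ('<113>Jun  4 09:15:02 fmc SFIMS: [1:1000001:1] "Constructed test rule" '
        '[Classification: Misc activity] [Priority: 3] {TCP} '
        '198.51.100.7:44512->192.0.2.10:80')
# Same body, but a header a strict RFC 3164 parser rejects: no <PRI>, ISO timestamp.
ODD = ('2018-06-04T09:15:02Z fmc SFIMS: [1:1000001:1] "Constructed test rule" '
       '[Classification: Misc activity] [Priority: 3] {TCP} '
       '198.51.100.7:44512->192.0.2.10:80')


def parse_rfc3164(line):
    """Return header fields, or None when the line is not RFC 3164-shaped."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
    }


def extract_fields(body):
    """Run the extractor over a message body; None when it does not match."""
    m = FIREPOWER.search(body)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        fields[key] = int(fields[key])
    return fields


def process(line):
    """Syslog input first; if its header check fails, treat the whole line as
    the message, which is what a Raw/Plaintext input does."""
    hdr = parse_rfc3164(line)
    if hdr is not None:
        body, via = hdr["message"], "syslog"
    else:
        body, via = line, "raw"
    result = {"input": via}
    if hdr is not None:
        result["host"] = hdr["host"]
    result.update(extract_fields(body) or {})
    return result


if __name__ == "__main__":
    for sample in (GOOD, ODD):
        print(process(sample))
```

Before blaming the decoder, it is worth confirming the datagrams reach the host at all: a packet capture on the port you configured for the raw input shows arrivals independently of how Graylog decodes them, and a separate port keeps the experiment away from the other streams, as post #4 suggests.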


(bubba198) #5

The extractor did it – Thank you @jtkarvo


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.