Getting Logs from FTD Failover Cluster with FMC

Hoping someone might be able to point me in the right direction for getting different logs from our firewall. I tried adding just auditing logs from our FMC into our Graylog instance and nothing is coming in. I have Windows logs coming in from other devices on different VLANs, so I know we are OK on the networking side. I just can't seem to determine the best way to get things like ACL hits or intrusion events into our environment. I see Grok extractors and pipelines, and in trying both I just managed to confuse the hell out of myself. I guess it might even be helpful to know what format the logs would be coming out of the FTDs in. In the past, I would have a notification of an unknown source sending data and was able to troubleshoot from there. But now I'm all turned around…
Does anyone have any documentation they would be able to share?

Hey @gciarrocchi

What type of INPUT are you using for those Firewall Logs?

Actually figured out how to get them in. Using RAW/Plaintext UDP.

For the moment, just trying to get logs flowing from our different sources. Then try and teach myself how to get the data translated into workable info.
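For the "translate the data into workable info" step, here is an added illustration (my own code, not Graylog's, not Cisco's, and not from this thread) of what a parser for FTD-style syslog has to do before ACL hits and intrusion events become fields: read the RFC 3164 `<PRI>` header, the `%FTD-<severity>-<message-id>:` prefix, and the comma-separated `Key: Value` body. The sample lines, message IDs, field names and addresses are constructed assumptions; take the real layout of each message ID from the Cisco FTD syslog reference before turning this into a Grok pattern or pipeline rule.

```python
import re
from collections import Counter

# Constructed sample lines in Cisco FTD syslog style: RFC 3164 "<PRI>" header, then
# "%FTD-<severity>-<message-id>:" and comma-separated "Key: Value" pairs. Message IDs,
# field names and addresses are assumptions for illustration, not captured output.
SAMPLE_LINES = [
    "<166>Jan 14 12:00:01 ftd-primary %FTD-6-430003: EventPriority: Low, SrcIP: 10.1.20.15, "
    "DstIP: 203.0.113.8, SrcPort: 51544, DstPort: 443, Protocol: tcp, "
    "AccessControlRuleAction: Allow, AccessControlRuleName: Allow-Web-Out",
    "<164>Jan 14 12:00:02 ftd-primary %FTD-4-430001: EventPriority: High, SrcIP: 198.51.100.77, "
    "DstIP: 10.1.20.15, SrcPort: 40112, DstPort: 22, Protocol: tcp, "
    "Classification: Attempted Administrator Privilege Gain",
    "<166>Jan 14 12:00:03 ftd-primary %FTD-6-430003: EventPriority: Low, SrcIP: 198.51.100.77, "
    "DstIP: 10.1.20.15, SrcPort: 40113, DstPort: 23, Protocol: tcp, "
    "AccessControlRuleAction: Block, AccessControlRuleName: Deny-Any",
    "<13>Jan 14 12:00:04 winhost some unrelated event",  # not FTD-shaped; must be skipped
]

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d+): (?P<body>.*)$"
)

def parse_ftd_line(line):
    """Return a dict of fields for one FTD-shaped syslog line, or None otherwise."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = {
        "facility": pri // 8, "severity": pri % 8,  # RFC 3164: PRI = facility*8 + severity
        "timestamp": m.group("ts"), "host": m.group("host"),
        "ftd_severity": int(m.group("sev")), "ftd_message_id": m.group("msgid"),
    }
    for pair in m.group("body").split(", "):  # split each pair on the first ": " only
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key] = value
    return fields

def summarize(lines):
    """Count access-control hits per (rule, action); list events carrying a Classification."""
    hits, intrusions = Counter(), []
    for ev in filter(None, map(parse_ftd_line, lines)):
        if "AccessControlRuleAction" in ev:
            hits[(ev["AccessControlRuleName"], ev["AccessControlRuleAction"])] += 1
        if "Classification" in ev:
            intrusions.append((ev["SrcIP"], ev["DstIP"], ev["Classification"]))
    return hits, intrusions
```

The same split (header, message ID, then `Key: Value` pairs) is what a Grok pattern plus a key-value step in a Graylog pipeline rule would reproduce; the non-FTD line shows why the rule must check the message shape before extracting.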

Hey @gciarrocchi

What I did a while back was create separate inputs for the different devices sending logs to Graylog.

Example: Firewall - Raw/Plaintext, Windows servers - Beats, Linux servers - Syslog TCP, etc. That way, if I need to adjust or modify my logs, this makes it easier. Each device (or group of devices) has its own index set as well.

Windows Server --> Windows Input Beats --> Windows Index set

When troubleshooting or modifying logs, this also helps out.