Cisco Firepower Threat Defense Logs

Updated Aug 31, 2023

Configure Cisco Firepower Threat Defense to send logs to Arctic Wolf

You can configure syslog forwarding for Cisco Firepower Threat Defense® (FTD) software using one of the methods described in the sections below.

Note: After you configure these logs, changing the severity level of a log message may cause unexpected alerts. If you need to change a severity level, contact your Concierge Security® Team (CST) for assistance.

Requirements

Configure Cisco FTD firewall syslog forwarding using standalone FDM version 6.4 and newer

Note: Firepower Device Manager (FDM) versions 6.3 and earlier follow similar steps.

  1. Sign in to the FDM interface.
  2. In the menu bar, select Device: <device_name>, where <device_name> is the name of the device.
  3. Locate the Systems Settings section and then select Logging Settings.

    Tip: You may need to scroll down to view this section heading.

  4. On the Logging Settings page, locate the Remote Servers section and then turn on the Data Logging toggle.
  5. In the Syslog Servers section, click +.
  6. In the dialog box, select Add Syslog Server.
  7. In the Add Syslog Server dialog box, enter these values:
    • IP Address — Enter the management IP address of the Arctic Wolf Sensor.
    • Protocol Type — Select UDP.
    • Port Number — Enter 514.
    • Interface for Device Logs — Select Data Interface or Management Interface, as desired for your configuration, and then select the appropriate value from the interface list.

      Tip: This interface is usually named Inside or similar.

  8. Click OK to save the new syslog server.
  9. In the toolbar, select Device: <device_name>, where <device_name> is the name of the device, to return to the device home page.
  10. On the Logging Settings page, in the Remote Servers section, select your syslog server.
  11. Enter these values:
    • Severity Level for FXOS chassis logs — Select Information from the list.
    • Message Filtering for Firepower Threat Defense section — Select Severity level for filtering all events and then select Information from the list.
    • Turn on the File/Malware Logging toggle, and then select your syslog server.
    • Log at Severity Level — Select Information from the list.
  12. Click Save to save the remote servers.
  13. Proceed to Configure access rules using standalone FDM version 6.4 and newer.

Configure access rules using standalone FDM version 6.4 and newer

  1. Sign in to the FDM interface.
  2. In the menu bar, select Policies.
  3. For each access rule you want logged:
    1. Select Edit to edit the access rule.
    2. Select the Logging tab.
    3. Select one of these values in the Select Log Action section:
      • At Beginning and End of Connection
      • At End of Connection
    4. In the Edit logging settings dialog box, enter the IP address of the Arctic Wolf Sensor in the Send connection events field.
    5. Click OK to save and close the dialog box.
  4. For each policy you want logged:
    1. Select Edit to edit the policy logging settings.
    2. In the Edit logging settings dialog box, enter the IP address of the Arctic Wolf Sensor in the Send connection events field.
    3. Click OK to save and close the dialog box.
  5. In the toolbar, select Deployment to review the pending changes.
  6. Once the changes are confirmed, select Deploy to deploy the changes.
  7. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding.

Configure Cisco FTD firewall syslog forwarding using Cisco FMC version 6.3 and newer

  1. Sign in to the Cisco Firepower Management Center (FMC) web UI.

  2. In the menu bar, select Devices > Platform Settings.

  3. If you want to create a new policy:

    Note: If you have an existing policy, you can skip this step and edit that policy instead.

    1. Select New Policy > Threat Defense Settings.

    2. In the New Policy dialog box, create a new policy:

      1. In the Name section, enter a name for the new policy.
      2. Select an FTD device in the Available Devices list.
      3. Click Add to Policy.

      The device now appears in the Selected Devices list.

    3. Click Save to save and close the dialog box.

  4. Locate the row of the policy you want to configure and then click Edit.

  5. In the navigation pane, select Syslog.

    The Logging Setup tab is open by default.

  6. In the Basic Logging Settings section, select Enable Logging.

  7. (Optional) If the device is in a high-availability (HA) pair, select Enable Logging on the failover standby unit.

  8. Click the Logging Destinations tab.

  9. Select Add to add the syslog server as a logging destination.

  10. In the Add Logging Filter dialog box, enter these values:

    • Logging Destination — Select Syslog Servers.
    • Event Class — Select Filter on Severity.
    • Severity — Select Informational.

  11. Proceed to Configure syslog servers using Cisco FMC version 6.3 and newer.

Configure syslog servers using Cisco FMC version 6.3 and newer

  1. Select the Syslog Settings tab and enter these values:

    1. Select Enable timestamp on each syslog message to include the date and time a message was generated in the syslog message.
    2. Choose a timestamp format.

      Note: Legacy matches your system time, while RFC5424 uses UTC time.

    3. (Optional) If you want to add a device identifier prefix to syslog messages, select Enable Syslog Device ID and then select the type of ID. For example, select Host Name to apply the host name of the device as a prefix to the syslog message.

  2. Select the Syslog Servers tab.

  3. Select Add to add a syslog server.

  4. In the Add Syslog Server dialog box, enter these values:

    • IP Address — Enter the IP address of the Arctic Wolf Sensor.
    • Protocol — Select UDP.
    • Port — Enter 514.
    • Reachable By — Select Device Management Interface.

  5. Click OK to save the new syslog server and close the dialog box.

  6. Click Save to save the changes.

  7. Click Deploy > Deployment.

  8. Select your device and click Deploy.

    The Deployment Confirmation dialog box opens.

  9. In the Deployment Confirmation dialog box, click Deploy to confirm the deployment of pending changes.

  10. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding.

Configure Cisco FTD firewall syslog forwarding using Cisco FMC version 6.2 and older

  1. Sign in to the FMC web UI.
  2. In the menu bar, select Devices > Platform Settings.
  3. If you want to create a new policy:

    Note: If you have an existing policy, you can skip this step and edit that policy instead.

    1. Click New Policy > Threat Defense Settings.
    2. In the Name field, enter a name for the new policy.
    3. Select an FTD device to add to the policy, and click Add to Policy.
    4. Click Save.
  4. Locate the row of the policy that you want to configure and then click Edit.
  5. In the navigation pane, select Syslog.
  6. Select Enable Logging.
  7. (Optional) If the device is in a high-availability (HA) pair, select Enable Logging on the failover standby unit.
  8. Select the Logging Destinations tab and then select Add to add the syslog server as a logging destination.
  9. In the Add Logging Filter dialog box, enter these values:
    • Logging Destination — Select Syslog Servers.
    • Event Class — Select Filter on Severity.
    • Severity — Select Informational.
  10. Save and close the dialog box.
  11. Proceed to Configure syslog servers using Cisco FMC version 6.2 and older.

Configure syslog servers using Cisco FMC version 6.2 and older

  1. Select the Syslog Settings tab and enter these values:
    1. Select Enable timestamp on each Syslog Message to include the date and time a message was generated in the syslog message.
    2. Choose a timestamp format.

      Note: Legacy matches your system time, while RFC5424 uses UTC time.

    3. (Optional) If you want to add a device identifier prefix to syslog messages, select Enable Syslog Device ID and then select the type of ID. For example, select Host Name to apply the host name of the device as a prefix to the syslog message.
  2. Select the Syslog Servers tab and enter these values:
    1. Select Add to add a syslog server. A dialog box opens.
    2. In the dialog box, enter these values:
      • IP Address — Enter the IP address of the Arctic Wolf Sensor.
      • Protocol — Select UDP.
      • Port — Enter 514.
    3. If the firewall is in:
      • Routed mode — Add the zone through which the sensor is reachable to the Selected Zones/Interfaces area.
      • Transparent mode — Enter the logical name of the FTD diagnostic interface and add it to the Selected Zones/Interfaces area. The default name is diagnostic.
  3. Save and close the dialog box.
  4. Click Save.
  5. Click Deploy to deploy the pending changes.
  6. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding.
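As an added check (example code, not from Arctic Wolf or Cisco): a small Python parser for the forwarded messages, run over constructed sample lines, that confirms Informational (severity 6) events reach the collector and shows which timestamp format (Legacy or RFC5424) and Device ID setting from the Syslog Settings steps in the FMC 6.3 and 6.2 sections are actually in effect on the wire. The exact FTD line layouts, the host name ftd-edge-01 and the addresses are assumptions.

```python
import re

# Constructed sample lines approximating what FTD forwards over UDP/514 (not captured
# from a real device): Legacy timestamp without a Device ID, Legacy with Host Name as
# the Device ID, and RFC5424 format. PRI 166 = facility local4 (20*8) + severity 6.
SAMPLE_LINES = [
    "<166>Aug 31 2023 10:15:02: %FTD-6-302013: Built inbound TCP connection 12 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.8/443 (10.0.0.8/443)",
    "<166>Aug 31 2023 10:15:03 ftd-edge-01 : %FTD-6-302014: Teardown TCP connection 12 for outside:203.0.113.5/51234 to inside:10.0.0.8/443 duration 0:00:01 bytes 1840 TCP FINs",
    "<164>1 2023-08-31T10:15:04Z ftd-edge-01 - - - - %FTD-4-733100: [ Scanning] drop rate-1 exceeded.",
]
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
TAG_RE = re.compile(r"%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):")

def parse_ftd_syslog(line):
    """Return {facility, severity, rfc5424, host, msgid}; ValueError if malformed."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    rest = m.group("rest")
    tag = TAG_RE.search(rest)
    if not tag:
        raise ValueError("no %FTD-<sev>-<msgid> tag")
    if int(tag.group("sev")) != pri % 8:
        raise ValueError("PRI severity disagrees with the message tag")
    rfc5424 = rest.startswith("1 ")  # RFC5424 VERSION field follows the PRI
    if rfc5424:
        host = rest.split(" ", 3)[2]  # "1 TIMESTAMP HOSTNAME ..."
    else:  # assumed Legacy layout: "Mon DD YYYY HH:MM:SS[ host] : %FTD-..."
        head = rest[: tag.start()].rstrip(": ").split()
        host = head[4] if len(head) > 4 else None
    return {"facility": pri // 8, "severity": pri % 8, "rfc5424": rfc5424,
            "host": host, "msgid": tag.group("msgid")}

def check_forwarding(lines, required_severity=6):
    """Summarise a collector sample: did Informational (6) events arrive, and which
    timestamp format and Device ID setting are actually in effect on the wire."""
    parsed, errors = [], 0
    for line in lines:
        try:
            parsed.append(parse_ftd_syslog(line))
        except ValueError:
            errors += 1
    return {"parsed": len(parsed), "errors": errors,
            "informational_seen": any(p["severity"] == required_severity for p in parsed),
            "rfc5424_lines": sum(p["rfc5424"] for p in parsed),
            "hosts": sorted({p["host"] for p in parsed if p["host"]})}
```

If `informational_seen` stays False on a real capture, the Severity or Message Filtering setting above did not take effect; if `hosts` is empty, the Device ID prefix is not being applied.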