Cisco Firepower Threat Defense Logs
Updated Nov 10, 2023
Configure Cisco FTD firewall syslog forwarding using Cisco FMC version 6.2 and older
Note: After you configure these logs, changing the severity level of a log message can cause unexpected alerts. Contact your Concierge Security® Team (CST) if it is necessary to change a severity level.
You can configure Cisco Firepower Threat Defense (FTD)® to send the necessary logs to Arctic Wolf® for security monitoring.
Requirements
- An activated Arctic Wolf Sensor
- Access to the Cisco Firepower Management Console (FMC) web UI with administrator permissions
Steps
- Create a new policy.
- Configure syslog servers using Cisco FMC version 6.2 and older.
- Provide your Cisco FTD information to Arctic Wolf.
Step 1: Create a new policy
- Sign in to the FMC web UI.
- In the menu bar, click Devices > Platform Settings.
- If you want to create a new policy, complete these steps:
Note: If you have an existing policy, it is not necessary to create a new policy. You can edit the existing policy instead.
- Click New Policy > Threat Defense Settings.
- In the Name field, enter a name for the new policy.
- Select an FTD device to add to the policy, and then click Add to Policy.
- Click Save.
- Find the policy you want to configure, and then click Edit.
- In the navigation menu, click Syslog.
- On the Logging Setup tab, in the Basic Logging Settings section, select the Enable Logging checkbox.
- (Optional) If the device is in a high-availability (HA) pair, select the Enable Logging on the failover standby unit checkbox.
- On the Logging Destinations tab, click Add.
- In the Add Logging Filter dialog, configure these settings:
- Logging Destination — Select Syslog Servers.
- Event Class — Select Filter on Severity.
- Severity — Select Informational.
- Click OK.
Step 2: Configure syslog servers using Cisco FMC version 6.2 and older
- On the Syslog Settings tab, configure these settings:
- Enable timestamp on each syslog message — Select the checkbox.
- Timestamp Format — Select one of these timestamp formats:
- Legacy — Matches your system time.
- RFC5424 — Uses UTC time.
- (Optional) Enable Syslog Device ID — If you want to add a device identifier prefix to syslog messages, select the checkbox, and then select the type of ID. For example, select Host Name to apply the host name of the device as a prefix to the syslog message.
- On the Syslog Servers tab, click Add.
- In the dialog, configure these settings:
- IP Address — Enter the IP address of the Arctic Wolf sensor.
- Protocol — Select UDP.
- Port — Enter 514.
- If the firewall is in:
- Routed mode — In the Selected Zones/Interfaces section, add the zone through which the sensor is reachable.
- Transparent mode — In the Selected Zones/Interfaces section, enter the logical name of the FTD diagnostic interface. The default name is diagnostic.
- Save and close the dialog.
- Click Save.
- Click Deploy.
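As an added example (not part of this guide, and not Cisco or Arctic Wolf tooling), the following Python checker can be run over a sample of lines captured on the receiving side to confirm that the timestamp, device ID and severity options chosen in Step 2 are actually reflected in what arrives. It assumes the usual Cisco syslog layout: an optional `<PRI>`, a timestamp, an optional `<hostname> :` prefix and a `%FTD-<severity>-<id>:` header; the sample lines are constructed, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import Optional
INFORMATIONAL = 6  # severity chosen in the Logging Destinations filter; levels 0-6 are forwarded
# Optional <PRI>, optional timestamp (RFC 5424 or legacy), optional "<device-id> : " prefix, then
# the Cisco header "%FTD-<severity>-<message id>: <text>" (layout assumed, see lead-in).
_FTD_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<rfc5424>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))"
    r"|(?P<legacy>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}))?:?\s*"
    r"(?:(?P<device>[^\s:]+) : )?"
    r"%FTD-(?P<sev>[0-7])-(?P<msgid>\d+): (?P<text>.*)$"
)

@dataclass
class FtdMessage:
    severity: int                    # from the %FTD-<severity>-<id> header
    msgid: str
    text: str
    timestamp_format: Optional[str]  # "rfc5424", "legacy", or None when timestamps are off
    device_id: Optional[str]         # the Syslog Device ID prefix, if enabled

def parse_ftd_syslog(line: str) -> Optional[FtdMessage]:
    """Parse one FTD syslog line; return None when it is not an FTD message."""
    m = _FTD_LINE.match(line.strip())
    if not m:
        return None
    fmt = "rfc5424" if m["rfc5424"] else "legacy" if m["legacy"] else None
    return FtdMessage(int(m["sev"]), m["msgid"], m["text"], fmt, m["device"])

def passes_severity_filter(msg: FtdMessage, level: int = INFORMATIONAL) -> bool:
    return msg.severity <= level  # "Filter on Severity" keeps the chosen level and anything more urgent

def audit_feed(lines) -> dict:
    # Count what a received sample looks like, so a missing timestamp or device ID shows up early.
    counts = {"parsed": 0, "unparsed": 0, "no_timestamp": 0, "no_device_id": 0, "filtered_out": 0}
    for line in lines:
        msg = parse_ftd_syslog(line)
        if msg is None:
            counts["unparsed"] += 1
            continue
        counts["parsed"] += 1
        counts["no_timestamp"] += int(msg.timestamp_format is None)
        counts["no_device_id"] += int(msg.device_id is None)
        counts["filtered_out"] += int(not passes_severity_filter(msg))
    return counts

SAMPLE_LINES = [  # constructed sample lines, not captured from a real device
    "<166>2023-11-10T12:34:56Z fw01 : %FTD-6-302013: Built outbound TCP connection 42 for outside:203.0.113.5/443 to inside:10.0.0.7/51234",
    "Nov 10 2023 12:34:56: %FTD-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.7/22 by access-group \"outside_in\"",
    "<167>%FTD-7-609001: Built local-host inside:10.0.0.7",
    "not an FTD message",
]
```

A non-zero `no_timestamp` or `no_device_id` count on a real capture means the corresponding checkbox in Step 2 did not take effect or the policy was not deployed.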
Step 3: Provide your Cisco FTD information to Arctic Wolf
- Sign in to the Arctic Wolf® Unified Portal.
- Click Help > Open a New Ticket.
- On the Open a New Ticket page, configure these settings:
- What is this ticket related to? — Select General request.
- Subject — Enter Syslog changes.
- Related ticket (optional) — Keep blank.
- Message — Enter this information for your Concierge Security® Team (CST):
- Confirmation that you completed the steps in this configuration guide.
- The IP address or hostname you used during the configuration.
- Any questions or comments that you have.
- Click Send Message.
Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.