Cisco Firepower Threat Defense Logs

Updated Nov 10, 2023

Configure Cisco FTD firewall syslog forwarding using Cisco FMC version 6.2 and older

Note: After you configure these logs, changing the severity level of a log message can cause unexpected alerts. Contact your Concierge Security® Team (CST) if it is necessary to change a severity level.

You can configure Cisco Firepower Threat Defense (FTD)® to send the necessary logs to Arctic Wolf® for security monitoring.

Requirements

Steps

  1. Create a new policy.
  2. Configure syslog servers using Cisco FMC version 6.2 and older.
  3. Provide your Cisco FTD information to Arctic Wolf.

Step 1: Create a new policy

  1. Sign in to the FMC web UI.
  2. In the menu bar, click Devices > Platform Settings.
  3. If you want to create a new policy, complete these steps:

    Note: If you have an existing policy, it is not necessary to create a new policy. You can edit the existing policy instead.

    1. Click New Policy > Threat Defense Settings.
    2. In the Name field, enter a name for the new policy.
    3. Select an FTD device to add to the policy, and then click Add to Policy.
    4. Click Save.
  4. Find the policy you want to configure, and then click Edit.
  5. In the navigation menu, click Syslog.
  6. On the Logging Setup tab, in the Basic Logging Settings section, select the Enable Logging checkbox.
  7. (Optional) If the device is in a high-availability (HA) pair, select the Enable Logging on the failover standby unit checkbox.
  8. On the Logging Destinations tab, click Add.
  9. In the Add Logging Filter dialog, configure these settings:
    • Logging Destination — Select Syslog Servers.
    • Event Class — Select Filter on Severity.
    • Severity — Select Informational.
  10. Click OK.

Step 2: Configure syslog servers using Cisco FMC version 6.2 and older

  1. On the Syslog Settings tab, configure these settings:
    • Enable timestamp on each syslog message — Select the checkbox.
    • Timestamp Format — Select one of these timestamp formats:
      • Legacy — Matches your system time.
      • RFC5424 — Uses UTC time.
    • (Optional) Enable Syslog Device ID — If you want to add a device identifier prefix to syslog messages, select the checkbox, and then select the type of ID. For example, select Host Name to apply the host name of the device as a prefix to the syslog message.
  2. On the Syslog Servers tab, click Add.
  3. In the dialog, configure these settings:
    • IP Address — Enter the IP address of the Arctic Wolf sensor.
    • Protocol — Select UDP.
    • Port — Enter 514.
  4. If the firewall is in:
    • Routed mode — In the Selected Zones/Interfaces section, add the zone through which the sensor is reachable.
    • Transparent mode — In the Selected Zones/Interfaces section, enter the logical name of the FTD diagnostic interface. The default name is diagnostic.
  5. Save and close the dialog.
  6. Click Save.
  7. Click Deploy.
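Before opening the ticket in Step 3, it is worth confirming on the collector side that the forwarded messages carry what this guide configures: a timestamp (legacy or RFC5424), the optional device-ID prefix, and nothing above the Informational level selected in Step 1. The following parser is an added example, not code from Arctic Wolf or Cisco; the sample lines, the hostname ftd-edge-01 and the message IDs in them are constructed approximations of FTD syslog output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 3164 PRI, optional legacy ("Nov 10 2023 14:22:05") or RFC5424 timestamp,
# optional device-ID prefix, then the %FTD-<severity>-<id>: tag.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?:(?P<legacy>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
    r"|(?P<rfc5424>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})))?"
    r"(?:\s*(?P<devid>[^\s:%][^\s:]*))?\s*:?\s*"
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)
MAX_SEVERITY = 6  # Informational, the filter level selected in Step 1

# Constructed sample lines (assumed format, not captured from a real device).
SAMPLE_LINES = [
    "<190>Nov 10 2023 14:22:05 ftd-edge-01 : %FTD-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "<187>2023-11-10T14:22:06Z ftd-edge-01 : %FTD-3-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:10.0.0.9 (type 8, code 0)",
    "<191>Nov 10 2023 14:22:07 ftd-edge-01 : %FTD-7-609001: Built local-host inside:10.0.0.5",
    "<190>%FTD-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443 to inside:10.0.0.5/51234 duration 0:00:02 bytes 1234 TCP FINs",
]

@dataclass
class FtdLine:
    facility: int
    severity: int
    msgid: str
    timestamp_format: Optional[str]
    device_id: Optional[str]
    problems: List[str] = field(default_factory=list)

def check_ftd_line(line: str) -> FtdLine:
    """Parse one forwarded line and record anything that contradicts the guide's settings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return FtdLine(-1, -1, "", None, None, ["line does not look like an FTD syslog message"])
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    rec = FtdLine(facility=pri // 8, severity=pri % 8, msgid=m["msgid"],
                  timestamp_format="legacy" if m["legacy"] else ("rfc5424" if m["rfc5424"] else None),
                  device_id=m["devid"])
    if rec.timestamp_format is None:
        rec.problems.append("no timestamp: enable 'Enable timestamp on each syslog message'")
    if rec.severity != int(m["sev"]):
        rec.problems.append(f"PRI severity {rec.severity} differs from tag severity {m['sev']}")
    if rec.severity > MAX_SEVERITY:
        rec.problems.append(f"severity {rec.severity} is above Informational: check the logging filter")
    return rec

def audit(lines):
    """Return (parsed records, count of lines with at least one problem)."""
    records = [check_ftd_line(l) for l in lines if l.strip()]
    return records, sum(1 for r in records if r.problems)
```

Run audit() over lines captured from the sensor's UDP/514 listener; the sample set yields two flagged lines, one debug-level message and one without a timestamp.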

Step 3: Provide your Cisco FTD information to Arctic Wolf

  1. Sign in to the Arctic Wolf® Unified Portal.
  2. Click Help > Open a New Ticket.
  3. On the Open a New Ticket page, configure these settings:

    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep blank.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname you used during the configuration.
      • Any questions or comments that you have.
  4. Click Send Message.

    Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.