Cisco Firepower Threat Defense Logs

Updated Nov 10, 2023

Configure Cisco FTD firewall syslog forwarding using Cisco FMC version 6.3 and newer

Note: After you configure these logs, changing the severity level of a log message can cause unexpected alerts. Contact your Concierge Security® Team (CST) if it is necessary to change a severity level.

You can configure Cisco Firepower Threat Defense (FTD)® to send the necessary logs to Arctic Wolf® for security monitoring.

Requirements

Steps

  1. Create a new policy.
  2. Configure syslog servers using Cisco FMC version 6.3 and newer.
  3. Provide your Cisco FTD information to Arctic Wolf.

Step 1: Create a new policy

  1. Sign in to the FMC web UI.
  2. In the menu bar, click Devices > Platform Settings.
  3. If you want to create a new policy, complete these steps:

    Note: If you have an existing policy, it is not necessary to create a new policy. You can edit the existing policy instead.

    1. Click New Policy > Threat Defense Settings.

    2. In the New Policy dialog, configure these settings:

      • Name — Enter a name for the new policy.
      • Available Devices — Select an FTD device.
    3. Click Add to Policy.

      The device appears in the Selected Devices list.

    4. Click Save.

  4. Find the policy you want to configure, and then click Edit.
  5. In the navigation pane, click Syslog.
  6. On the Logging Setup tab, in the Basic Logging Settings section, select the Enable Logging checkbox.
  7. (Optional) If the device is in a high-availability (HA) pair, select the Enable Logging on the failover standby unit checkbox.
  8. On the Logging Destinations tab, click Add.
  9. In the Add Logging Filter dialog, configure these settings:
    • Logging Destination — Select Syslog Servers.
    • Event Class — Select Filter on Severity.
    • Severity — Select Informational.
  10. Click OK.

Step 2: Configure syslog servers using Cisco FMC version 6.3 and newer

  1. On the Syslog Settings tab, configure these settings:

    • Enable timestamp on each syslog message — Select the checkbox.
    • Timestamp Format — Select one of these timestamp formats:
      • Legacy — Matches your system time.
      • RFC5424 — Uses UTC time.
    • (Optional) Enable Syslog Device ID — If you want to add a device identifier prefix to syslog messages, select the checkbox, and then select the type of ID. For example, select Host Name to apply the host name of the device as a prefix to the syslog message.
  2. On the Syslog Servers tab, click Add to add a syslog server.

  3. In the Add Syslog Server dialog, configure these settings:

    • IP Address — Enter the IP address of the Arctic Wolf sensor.
    • Protocol — Select UDP.
    • Port — Enter 514.
    • Reachable By — Select Device Management Interface.
  4. Click OK.

  5. Click Save.

  6. Click Deploy > Deployment.

  7. Select your device, and then click Deploy.

    The Deployment Confirmation dialog box opens.

  8. In the Deployment Confirmation dialog, click Deploy.
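
After deployment, the collector side can be checked against the settings chosen above. The parser below is an added example, not Arctic Wolf or Cisco code: it reads constructed FTD syslog lines, takes the severity from the PRI header and the %FTD-<severity>-<id> mnemonic, tells an RFC5424 timestamp from a Legacy one, recovers the Syslog Device ID prefix, and flags any message above the Informational filter. The exact header layout between the PRI and the mnemonic, the host name and the addresses are assumptions.

```python
import re

PRI_RE = re.compile(r"^<(\d{1,3})>(?P<body>.*)$", re.S)
MNEMONIC_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}):")
RFC5424_TS_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})")
LEGACY_TS_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d{4} \d{2}:\d{2}:\d{2}")
INFORMATIONAL = 6  # the severity selected in the Logging Filter (Step 1)


def parse_ftd_syslog(line):
    """Extract PRI severity, mnemonic, timestamp style and device-ID prefix."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri, body = int(m.group(1)), m.group("body")
    mn = MNEMONIC_RE.search(body)
    if not mn:
        raise ValueError("no %FTD-<severity>-<id> mnemonic")
    ts = RFC5424_TS_RE.search(body) or LEGACY_TS_RE.search(body)
    # RFC5424 timestamps use the ISO 8601 'T' separator; Legacy ones do not.
    ts_format = "none" if ts is None else ("rfc5424" if "T" in ts.group() else "legacy")
    # With Enable Syslog Device ID set, the ID sits between timestamp and mnemonic
    # (assumed layout; adjust if your deployment differs).
    device_id = body[ts.end() if ts else 0:mn.start()].strip(" :") or None
    return {
        "severity": pri % 8,
        "mnemonic_severity": int(mn.group("sev")),
        "message_id": mn.group("msgid"),
        "timestamp_format": ts_format,
        "device_id": device_id,
    }


def audit(lines, max_severity=INFORMATIONAL):
    problems = []  # (message_id, reason) for lines that contradict the configuration
    for line in lines:
        rec = parse_ftd_syslog(line)
        if rec["severity"] != rec["mnemonic_severity"]:
            problems.append((rec["message_id"], "PRI/mnemonic severity mismatch"))
        if rec["severity"] > max_severity:
            problems.append((rec["message_id"], "above configured severity filter"))
        if rec["timestamp_format"] == "none":
            problems.append((rec["message_id"], "timestamp missing"))
    return problems


# Constructed sample lines (not real captures); PRI = 8 * local4(20) + severity.
SAMPLE_LINES = [
    "<166>2023-11-10T14:03:11Z ftd-edge-01 %FTD-6-302013: Built outbound TCP connection 4321 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51022 (203.0.113.2/51022)",
    '<164>Nov 10 2023 14:03:12 ftd-edge-01 : %FTD-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/22 by access-group "outside_in"',
    "<167>Nov 10 2023 14:03:13 ftd-edge-01 : %FTD-7-609001: Built local-host inside:10.0.0.5",
]
```

Running `audit(SAMPLE_LINES)` reports only the level 7 (debugging) line, which the Informational filter should have kept off the wire.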

Step 3: Provide your Cisco FTD information to Arctic Wolf

  1. Sign in to the Arctic Wolf® Unified Portal.

  2. Click Help > Open a New Ticket.

  3. On the Open a New Ticket page, configure these settings:

    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep blank.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname you used during the configuration.
      • Any questions or comments that you have.
  4. Click Send Message.

    Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.
