Cisco Firepower Threat Defense Logs
Updated Nov 10, 2023
Configure Cisco FTD firewall syslog forwarding using standalone FDM version 6.4 and newer
Note: After you configure these logs, changing the severity level of a log message can cause unexpected alerts. Contact your Concierge Security® Team (CST) if it is necessary to change a severity level.
You can configure Cisco Firepower Threat Defense (FTD)® to send the necessary logs to Arctic Wolf® for security monitoring.
Requirements
- An activated Arctic Wolf Sensor
- Access to the Cisco Firepower Management Console (FMC) interface with administrator permissions
Steps
- Add a syslog server.
- Configure access rules using standalone FDM version 6.4 and newer.
- Provide your Cisco FTD information to Arctic Wolf.
Step 1: Add a syslog server
- Sign in to the FDM interface.
- In the menu bar, select Device: <device_name>, where <device_name> is the name of the device.
- In the System Settings section, click Logging Settings.
- On the Logging Settings page, in the Remote Servers section, click the Data Logging toggle to the on position.
- In the Syslog Servers section, click +.
- In the dialog, select Add Syslog Server.
- In the Add Syslog Server dialog, configure these settings:
- IP Address — Enter the management IP address of the Arctic Wolf sensor.
- Protocol Type — Select UDP.
- Port Number — Enter 514.
- Interface for Device Logs — Select either Data Interface or Management Interface, and then select the appropriate value from the interface list.
Tip: This interface is usually named Inside or similar.
- Click OK.
- On the toolbar, click Device: <device_name>, where <device_name> is the name of the device.
- On the Logging Settings page, in the Remote Servers section, select your syslog server.
- Configure these settings:
- Severity Level for FXOS chassis logs — Select Information.
- Message Filtering for Firepower Threat Defense section — Select Security level for filtering all events, and then select Information.
- File/Malware Logging — Click the toggle to the on position, and then select your syslog server.
- Log at Severity Level — Select Information.
- Click Save.
Step 2: Configure access rules using standalone FDM version 6.4 and newer
- Sign in to the FDM interface.
- In the menu bar, click Policies.
- For each rule that you want Arctic Wolf to log, complete these steps:
- Click Edit.
- On the Logging tab, in the Select Log Action section, select one of these values:
- At Beginning and End of Connection
- At End of Connection
- In the Edit logging settings dialog, in the Send connection events field, enter the IP address of the Arctic Wolf sensor.
- Click OK.
- For each policy that you want Arctic Wolf to log, complete these steps:
- Click Edit.
- In the Edit logging settings dialog, in the Send connection events field, enter the IP address of the Arctic Wolf sensor.
- Click OK.
- On the toolbar, click Deployment to review the pending changes.
- Select Deploy to deploy the changes.
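After the changes are deployed, a practical check is to confirm that datagrams actually reach the sensor-side listener on UDP 514 and carry the severity the guide configures (Information, severity 6). The script below is an added example for this guide, not code from Arctic Wolf or Cisco. It assumes the RFC 3164 `<PRI>` header followed by the Cisco `%FTD-<severity>-<id>:` message tag that FTD emits; the sample datagrams embedded in it are constructed for illustration (message ids, UUID and addresses are not from a real device).

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The guide sets every FTD/FXOS logging level to "Information" (severity 6).
# Severity numbering follows RFC 3164 / Cisco: 0 emergencies ... 6 informational, 7 debugging.
CONFIGURED_LEVEL = 6
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# RFC 3164 "<PRI>" header, optional timestamp/hostname, then the Cisco message id
# "%FTD-<severity>-<id>:" and the free-text body.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>.*?"
    r"%(?P<src>FTD|FXOS|ASA)-(?P<msev>\d)-(?P<msgid>\d+):\s*(?P<text>.*)$"
)


@dataclass
class FtdSyslogEvent:
    facility: int       # from PRI (e.g. 20 = local4)
    severity: int       # from PRI (0-7)
    source: str         # FTD, FXOS or ASA
    msg_severity: int   # severity embedded in the %FTD-n-id tag
    msg_id: str
    text: str


def parse_ftd_syslog(line: str) -> Optional[FtdSyslogEvent]:
    """Parse one raw UDP syslog datagram; return None if it is not a Cisco-style message."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal PRI: facility 23 * 8 + severity 7
        return None
    return FtdSyslogEvent(
        facility=pri // 8,
        severity=pri % 8,
        source=m.group("src"),
        msg_severity=int(m.group("msev")),
        msg_id=m.group("msgid"),
        text=m.group("text"),
    )


def check_events(lines: List[str], level: int = CONFIGURED_LEVEL) -> Tuple[List[FtdSyslogEvent], List[str]]:
    """Parse lines and report anything inconsistent with the configured severity level.

    Problems: lines that do not parse, PRI severity disagreeing with the message tag,
    and messages more verbose than `level` (a device sending severity 7 has been
    changed to "debugging", the kind of drift the note at the top of the guide warns about).
    """
    events, problems = [], []
    for n, line in enumerate(lines, 1):
        ev = parse_ftd_syslog(line)
        if ev is None:
            problems.append(f"line {n}: could not parse as Cisco syslog")
            continue
        events.append(ev)
        if ev.severity != ev.msg_severity:
            problems.append(f"line {n}: PRI severity {ev.severity} != tag severity {ev.msg_severity}")
        if ev.severity > level:
            problems.append(f"line {n}: severity {ev.severity} ({SEVERITY_NAMES[ev.severity]}) "
                            f"exceeds configured level {level}")
    if events and not any(ev.severity == level for ev in events):
        problems.append(f"no messages at severity {level}; device level may have been lowered")
    return events, problems


def receive_syslog(bind_addr: str, port: int, count: int, timeout: float = 30.0) -> List[str]:
    """Collect up to `count` UDP datagrams on a listener (binding port 514 needs root)."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        while len(received) < count:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            received.append(data.decode("utf-8", errors="replace"))
    return received


# Constructed sample datagrams (not captured from a real device); PRI 166 = local4/informational.
SAMPLE_LINES = [
    "<166>%FTD-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/443 "
    "(203.0.113.10/443) to inside:192.0.2.20/51022 (192.0.2.20/51022)",
    "<166>Nov 10 2023 12:00:00 ftd-01 : %FTD-6-430003: EventPriority: Low, "
    "DeviceUUID: 00000000-0000-0000-0000-000000000000, AccessControlRuleAction: Allow",
    "<167>%FTD-7-710005: UDP request discarded from 192.0.2.30/5353 to inside:224.0.0.251/5353",
    "this is not a syslog message",
]

if __name__ == "__main__":
    # Offline self-check on the constructed lines; replace SAMPLE_LINES with
    # receive_syslog("0.0.0.0", 514, 50) on the listener host to test a live feed.
    events, problems = check_events(SAMPLE_LINES)
    for ev in events:
        print(f"{ev.source}-{ev.msg_id} sev={ev.severity} ({SEVERITY_NAMES[ev.severity]})")
    for p in problems:
        print("PROBLEM:", p)
```

Run it as-is to exercise the parser on the constructed lines; on the host that receives the feed, swap in `receive_syslog` to read live datagrams (use an unprivileged port for a dry run if you cannot bind 514). A severity 7 message means the device level was raised to debugging; no severity 6 messages at all means it was lowered. Either way the level no longer matches this guide and should be raised with your CST as the note at the top advises.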
Step 3: Provide your Cisco FTD information to Arctic Wolf
- Sign in to the Arctic Wolf® Unified Portal.
- Click Help > Open a New Ticket.
- On the Open a New Ticket page, configure these settings:
- What is this ticket related to? — Select General request.
- Subject — Enter Syslog changes.
- Related ticket (optional) — Keep blank.
- Message — Enter this information for your Concierge Security® Team (CST):
- Confirmation that you completed the steps in this configuration guide.
- The IP address or hostname you used during the configuration.
- Any questions or comments that you have.
- Click Send Message.
Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.