Cisco Firepower Threat Defense Logs

Updated Nov 10, 2023

Configure Cisco FTD firewall syslog forwarding using standalone FDM version 6.4 and newer

Note: After you configure these logs, changing the severity level of a log message can cause unexpected alerts. Contact your Concierge Security® Team (CST) if it is necessary to change a severity level.

You can configure Cisco Firepower Threat Defense (FTD)® to send the necessary logs to Arctic Wolf® for security monitoring.

Requirements

Steps

  1. Add a syslog server.
  2. Configure access rules using standalone FDM version 6.4 and newer.
  3. Provide your Cisco FTD information to Arctic Wolf.

Step 1: Add a syslog server

  1. Sign in to the FDM interface.
  2. In the menu bar, select Device: <device_name>, where <device_name> is the name of the device.
  3. In the Systems Settings section, click Logging Settings.
  4. On the Logging Settings page, in the Remote Servers section, click the Data Logging toggle to the on position.
  5. In the Syslog Servers section, click +.
  6. In the dialog, select Add Syslog Server.
  7. In the Add Syslog Server dialog, configure these settings:
    • IP Address — Enter the management IP address of the Arctic Wolf sensor.
    • Protocol Type — Select UDP.
    • Port Number — Enter 514.
    • Interface for Device Logs — Select either Data Interface or Management Interface, and then select the appropriate value from the interface list.

      Tip: This interface is usually named Inside or similar.

  8. Click OK.
  9. On the toolbar, click Device: <device_name>, where <device_name> is the name of the device.
  10. On the Logging Settings page, in the Remote Servers section, select your syslog server.
  11. Configure these settings:
    • Severity Level for FXOS chassis logs — Select Information.
    • Message Filtering for Firepower Threat Defense section — Select Security level for filtering all events, and then select Information.
    • File/Malware Logging — Click the toggle to the on position, and then select your syslog server.
    • Log at Severity Level — Select Information.
  12. Click Save.

Step 2: Configure access rules using standalone FDM version 6.4 and newer

  1. Sign in to the FDM interface.
  2. In the menu bar, click Policies.
  3. For each rule that you want Arctic Wolf to log, complete these steps:
    1. Click Edit.
    2. On the Logging tab, in the Select Log Action section, select one of these values:
      • At Beginning and End of Connection
      • At End of Connection
    3. In the Edit logging settings dialog, in the Send connection events field, enter the IP address of the Arctic Wolf sensor.
    4. Click OK.
  4. For each policy that you want Arctic Wolf to log, complete these steps:
    1. Click Edit.
    2. In the Edit logging settings dialog, in the Send connection events field, enter the IP address of the Arctic Wolf sensor.
    3. Click OK.
  5. On the toolbar, click Deployment to review the pending changes.
  6. Select Deploy to deploy the changes.
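Before opening the ticket in Step 3, it is worth confirming on the collector side that messages are arriving at the severity configured in Step 1 (Information, syslog level 6) and that the connection-end events enabled in Step 2 are present. The following Python check is an added example, not part of this guide or Cisco's or Arctic Wolf's tooling; the sample lines are constructed, and the meaning of message ID 430003 (end-of-connection event) comes from Cisco's FTD syslog message documentation, not from this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Information" in the FDM logging settings is syslog severity 6; anything numerically
# higher (7 = Debugging) should not arrive once Step 1 is configured as described.
CONFIGURED_MAX_SEVERITY = 6
CONNECTION_END_ID = "430003"  # FTD end-of-connection event (Cisco FTD syslog message docs)

# Optional RFC 3164 PRI (<facility*8+severity>), free-form timestamp/hostname header,
# then the FTD message header %FTD-<severity>-<message_id>: <text>.
FTD_SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?.*?%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# Constructed sample lines standing in for what a UDP/514 listener would receive.
SAMPLE_LINES = [
    "<166>Nov 10 2023 12:00:01 ftd-01 %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, DstIP: 192.0.2.10",
    "<166>Nov 10 2023 12:00:01 ftd-01 %FTD-6-430002: AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, DstIP: 192.0.2.10",
    "<167>Nov 10 2023 12:00:02 ftd-01 %FTD-7-111111: constructed debug-level message",
    "Nov 10 2023 12:00:03 ftd-01 %FTD-6-430003: AccessControlRuleAction: Block, SrcIP: 10.0.0.6, DstIP: 192.0.2.11",
    "garbage line that is not syslog",
]


@dataclass
class FtdEvent:
    facility: Optional[int]  # from the PRI header, None when the PRI is absent
    severity: int            # from the %FTD-<sev>-... header
    message_id: str
    text: str


def parse_ftd_syslog(line: str) -> Optional[FtdEvent]:
    """Parse one received line; return None for lines that are not FTD syslog."""
    m = FTD_SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = m.group("pri")
    facility = int(pri) // 8 if pri is not None else None
    return FtdEvent(facility, int(m.group("sev")), m.group("msgid"), m.group("text"))


def summarize_received_lines(lines: List[str], max_severity: int = CONFIGURED_MAX_SEVERITY) -> Dict[str, object]:
    """Count parsed/unparsed lines, flag events more verbose than the configured severity
    (a sign the FDM severity setting was changed), and count end-of-connection events."""
    events = [e for e in (parse_ftd_syslog(l) for l in lines) if e is not None]
    return {
        "parsed": len(events),
        "unparsed": len(lines) - len(events),
        "too_verbose": [e.message_id for e in events if e.severity > max_severity],
        "connection_end": sum(1 for e in events if e.message_id == CONNECTION_END_ID),
    }
```

An empty `too_verbose` list and a non-zero `connection_end` count are what you would expect after Steps 1 and 2; a non-empty list means the severity level differs from the configured Information level.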

Step 3: Provide your Cisco FTD information to Arctic Wolf

  1. Sign in to the Arctic Wolf® Unified Portal.
  2. Click Help > Open a New Ticket.
  3. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep blank.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname you used during the configuration.
      • Any questions or comments that you have.
  4. Click Send Message.

    Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.
