This document describes the logging configuration for a firepower threat defense via firepower management system.
Basically, you will need to configure the Cisco device to send syslog (on port 514) and netflow (on port 9995) to the ARIA CCE IP address.
TABLE OF CONTENTS
- 1. Configuration Steps
- 2. Configure Global Syslog Configuration
- 3. Cisco Firepower FTD NetFlow Configuration
1. Configuration Steps
- Navigate to the Platform Settings tab under the Devices tab.
- Select New Policy > Threat Defense Settings to create a new FTD policy.
- Choose the FTD appliance to apply this policy to and select Save.
2. Configure Global Syslog Configuration
There are certain configurations which are applicable for both Local and External Logging. This section outlines the mandatory and optional parameters which can be configured for syslog.
2.1 Logging Setup
Logging setup options are applicable for local and external logging. In order to configure logging setup, choose Devices > Platform Settings and select syslog > Logging Setup.
Complete the selections below:
- Enable Logging: Select this checkbox to enable logging. This is a mandatory option.
- Enable logging on the failover standby unit: Select this checkbox to enable logging on the standby FTD which is a part of an FTD high availability cluster.
- Send syslog in EMBLEM format: Select this checkbox to enable the format of syslog as EMBLEM format is used primarily for the CiscoWorks Resources Manager Essential (RME) syslog analyzer. This format matches the Cisco IOS Software Syslog format produced by the routers and the switches. It is available only to UDP Syslog servers.
- Send debug messages as syslogs: Select this checkbox to send the debug logs as Syslog messages to the Syslog server.
- Memory size of the internal Buffer: Enter the internal memory buffer size where FTD can save the log data. The log data is rotated if its buffer limit is reached.
2.2 FTP Server Information (Optional)
Specify FTP server details if you want to send the log data to the FTP server before it overwrites the internal buffer.
- FTP Server Buffer Wrap: Select this checkbox to send the buffer log data to the FTP server.
- IP address: Enter the IP address of the FTP server.
- Username: Enter the username of the FTP server.
- Path: Enter the directory path of the FTP server.
- Password: Enter the password of the FTP server.
- Confirm: Enter the same password again.
2.3 Flash Size (Optional)
Specify the flash size if you want to save the log data to flash once the internal buffer is full.
- Flash: Select this checkbox to send the log data to the internal flash.
- Maximum Flash to be used by Logging(KB): Enter the maximum size in KB of flash memory which can be used for logging.
- Minimum free Space to be preserved(KB): Enter the minimum size in KB of the flash memory which needs to be preserved.
Click Save in order to save the platform setting. Choose the Deploy option, choose the FTD appliance where you want to apply the changes, and click Deploy in order to start deployment of the platform setting.
2.4 Configure Event Lists
The Configure Event Lists option allows you to create/edit an event list and specify which log data to include in the event list filter. Event Lists can be used when you configure Logging Filters under Logging destinations.
The system allows two options to use the functionality of custom event lists.
- Class and Severity
- Message ID
To configure custom event lists, choose Device > Platform Setting > Threat Defense Policy > Syslog > Event List and click Add. You will see these options:
- Name: Enter the name of the event list.
- Severity/Event Class: In the Severity/Event Class section, click Add.
- Event Class: Choose the event class from the drop-down list for the type of log data which you want. An Event class defines a set of Syslog rules that represent the same features. For example, there is an event class for the session which includes all the Syslogs that relate to the session.
- Syslog Severity: Choose the severity from the drop-down list for the chosen Event Class. The severity can range from 0 (emergency) to 7 (debugging).
- Message ID: If you are interested in specific log data related to a message ID, then click Add in order to put a filter based upon the message ID.
- Message IDs: Specify the message ID as individual/ range format.
Click OK to save the configuration.
Click Save to save the platform setting. Choose Deploy, choose the FTD appliance where you want to apply the changes, and click Deploy to start deployment of the platform setting.
2.5 Rate Limiting Syslog
The Rate limit option defines a number of messages which can be sent to all configured destinations and defines the severity of message to which you want to assign rate limits. In order to configure custom event lists, choose Device > Platform Setting > Threat Defense Policy > Syslog > Rate Limit. You have two options based on which you can specify the rate limit:
- Logging level
- Syslog levels
To enable the logging level-based rate limit, choose Logging Level and click Add.
- Logging Level: From the Logging Level drop-down list, choose the logging level for which you want to perform the rate limiting.
- Number of Messages: Enter the maximum number of syslog messages to be received within the specified interval.
- Interval(Second): Based on the parameter Number of Messages configured previously, enter the time interval in which a fixed set of Syslog messages can be received.
The rate of Syslog is Number of Messages/Interval.
Click OK to save the logging level configuration.
To enable the logging level-based rate limit, choose Logging Level and click Add.
- Syslog ID: Syslog IDs are used to uniquely identify the Syslog messages. From the Syslog ID drop-down list, choose the Syslog ID.
- Number of Messages: Enter the maximum number of syslog messages to be received within the specified interval.
- Interval(Second): Based on the parameter Number of Messages configured previously, enter the time interval in which a fixed set of Syslog messages can be received.
The rate of Syslog is Number of Messages/Interval.
Click OK to save the Syslog level configuration.
Click Save to save the platform setting. Choose Deploy, choose the FTD appliance where you want to apply the changes, and click Deploy to start deployment of the platform setting.
2.6 Configure Syslog Settings
Syslog settings allow configuration of the Facility values to be included in the Syslog messages. You can also include the timestamp in log messages and other Syslog server-specific parameters. To configure custom event lists, choose Device > Platform Setting > Threat Defense Policy > Syslog > Syslog Settings.
- Facility: A facility code is used to specify the type of program that is logging the message. Messages with different facilities can be handled differently. From the Facility drop-down list, choose the facility value.
- Enable Timestamp on each Syslog Message: Check the Enable Timestamp on each Syslog Message checkbox in order to include the time stamp in Syslog messages.
- Enable Syslog Device ID: Check the Enable Syslog Device ID checkbox in order to include a device ID in non-EMBLEM-format Syslog messages.
- NetFlow Equivalent Syslogs: Check NetFlow Equivalent Syslogs checkbox in order to send NetFlow equivalent Syslogs. It can affect the appliance performance.
- Add Specific Syslog ID: In order to specify the additional Syslog ID, click Add and specify the Syslog ID/ Logging Level checkbox.
Click Save to save the platform setting. Choose Deploy, choose the FTD appliance where you want to apply the changes, and click Deploy to start deployment of the platform setting.
2.7 Configure Local Logging
Use the Logging Destination section to configure logging to specific destinations.
The available internal logging destinations are:
- Internal Buffer: Logs to the internal logging buffer (logging buffered)
- Console: Sends logs to the console (logging console)
- SSH sessions: Logs Syslog to SSH sessions (terminal monitor)
There are four steps to configure Local Logging.
- Choose Device > Platform Setting > Threat Defense Policy > Syslog > Logging Destinations.
- Click Add to add a Logging Filter for a specific logging destination.
- Configure the following settings:
- Logging Destination: Choose the required logging destination from the Logging Destination drop-down list as Internal Buffer, Console, or SSH sessions.
- Event Class: From the Event Class drop-down list, choose an Event class. As described previously, Event Classes are a set of Syslogs that represent the same features. Event classes can be selected in these ways:
- Filter on Severity: Event Classes filters based on the severity of the Syslogs.
- Use Event List: Administrators can create specific Event Lists with their own custom event classes and reference them in this section.
- Disable Logging: Use this option in order to disable logging for the chosen Logging Destination and Logging Level.
- Logging Level: Choose the logging level from the drop-down list. The logging level range is from 0 (Emergencies) to 7 (debugging).
- To add a separate Event class to this Logging filter, click Add.
- Configure the following settings:
- Event Class: Choose the Event Class from the Event Class drop-down list.
- Syslog Severity: Choose the Syslog severity from the Syslog Severity drop-down list.
- Select OK.
- Select Save.
To deploy the changes, select Deploy, choose the FTD appliance where you want to apply the changes, and select Deploy.
2.8 Configure the External Logging
To configure external logging, choose Device > Platform Setting > Threat Defense Policy > Syslog > Logging Destinations.
FTD supports these types of external logging.
- Syslog Server: Sends logs to the remote Syslog server.
- SNMP trap: Sends the logs out as an SNMP trap.
- E-Mail: Sends the logs via e-mail with a preconfigured mail relay server.
The configuration for the external logging and the internal logging are the same. The selection of Logging destinations decides the type of logging that is implemented. It is possible to configure Event Classes based on Custom Event lists to the remote server.
2.9 Configure Remote Syslog Server
Syslog servers can be configured to analyze and store logs remotely from the FTD.
Use the following procedure to configure remote Syslog servers.
- Select Device > Platform Setting > Threat Defense Policy > Syslog > Syslog Servers.
- Configure the following settings:
- Allow user traffic to pass when TCP syslog server is down: Select the checkbox to allow traffic to pass through the interface when the Syslog server is down. If a TCP Syslog server has been deployed in the network and it is not reachable, then the network traffic through the ASA is denied. This is applicable only when the transport protocol between the ASA and the Syslog server is TCP.
- Message Queue Size: The message queue size is the number of messages that queues up in the FTD when the remote Syslog server is busy and does not accept any log messages. The default is 512 messages and the minimum is 1 message. If 0 is specified in this option, the queue size is considered to be unlimited.
- Select Add. Configure the following settings:
- IP Address: Choose a network object which has the Syslog servers listed. If you have not created a network object, click the plus (+) icon in order to create a new object using the CCE IP Address.
- Protocol: Click either the TCP or UDP radio button for Syslog communication.
- Port: Enter the Syslog server port number. The CCE expects syslog on port 514.
- Log Messages in Cisco EMBLEM format(UDP only): Select this checkbox if it is required to log messages in the Cisco EMBLEM format. This is applicable for UDP-based Syslog only.
- Available Zones: Enter the security zones over which the Syslog server is reachable and move it to the Selected Zones/Interfaces Column.
- Select OK and Save to save the configuration.
- Click Save to save the platform setting.
To deploy the changes, select Deploy, choose the FTD appliance where you want to apply the changes, and select Deploy.
3. Cisco Firepower FTD NetFlow Configuration
Use the following procedure to configure the Firepower FTD NetFlow.
3.1 Create Access Rule
Create an access rule that defines the traffic you want to monitor.
- Navigate to Objects > FlexConfig > Text Objects.
- Edit the netflow_Destination object.
- Define the following:
- Parameter count: Set to 3.
- Source interface: In this example, the interface name is “DMZ”.
- IP Address: Your CCE IP Address.
- UDP port: The CCE expects netflow on port 9995
3.2 Configure Access Rule
Configure an access rule for the traffic that you want monitored with NSEL.
- Navigate to Objects > Object Management.
- In the left menu under Access List, select Extended.
- Click Add Extended Access List.
- In the Name field, input flow_export_acl. Click the Add button.
You can configure the Access Control entries to match all or specific traffic.
In this example, traffic from host 10.10.10.1 to any destination and traffic between host 172.16.0.20 and 192.168.1.20 is excluded. All other traffic is included.
3.3 Assign Access Rule to Class Map
Assign the newly created access rule to a class-map.
- Navigate to Objects > FlexConfig > FlexConfig Objects.
- Click the Add FlexConfig Object button.
- Define the class map that identifies the traffic that NetFlow events need to be exported for. In this example, the name of the object is flow_export_class.
- Select the Access List created in Step 2.
- Click on Insert > Insert Policy Object > Extended ACL Object and assign a name. Then select Add. In this example, the name of the variable is flow_export_acl.
- Select Save.
- Add the next configuration lines in the blank right-hand field and include the variable previously defined ($flow_export_acl) in the match access-list configuration line.
- Note that a $ symbol is prepended to the variable name. class-map flow_export_class match access-list $flow_export_acl.
- Select Save when finished.
3.4 Assign the Class Map to the Global Policy
Assign your new class-map to your global policy and configure the export destination parameters to set what event types are exported.
This is the first place where you need to make a copy of a FlexConfig object in order to edit in variables.
To configure the NetFlow Destination, use the following procedure:
- Navigate to Objects > FlexConfig > FlexConfig Objects.
- Filter by NetFlow.
- Copy the object Netflow_Add_Destination. The Netflow_Add_Destination_Copy is created.
- Assign the class created in Step 3 to the global policy map.
In this example, the class is inserted in the existing policy (global policy).
3.5 Verify and Assign the FlexConfig Policy
Verify and assign the FlexConfig Policy to the FTD.
- Navigate to Devices > FlexConfig.
- Create a new policy (unless there is already one created for another purpose and assigned to the same FTD).
In this example, the default NetFlow export parameters are used, therefore, the Netflow_Set_Parameters is selected. The set parameters are where you define timeouts.
By default, the timeout variables are set 30 minutes for template timeout, 1 minute for active refresh, and 0-second delay for Create events.
It is recommended to create a copy of this Netflow_Set_Parameter object and set these values:
- 1 minute for template timeout.
- 1 minute for active refresh.
- 15 seconds for delay create event.
Save the changes and deploy. You should now be exporting flows to the collector.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article