Log Types: Cisco FTD

Overview

Previously known as Sourcefire 3D, Cisco Firepower is an intrusion detection and response system that produces security event data. Sourcefire 3D grew out of the Snort open-source network security tool. The Firepower brand is fairly generic, however, and may also refer to newer Cisco firewalls.

Sample Event

<113>2020-02-04T08:45:34Z r7Firepower FP1 %NGIPS-1-430003: EventPriority: Low, DeviceUUID: e8566508-eaa9-11e5-860f-de3e305d8269, InstanceID: 3, FirstPacketSecond: 2020-02-04T08:45:34Z, ConnectionID: 34774, AccessControlRuleAction: Block with reset, SrcIP: 93.157.158.93, DstIP: 10.1.9.9, SrcPort: 13723, DstPort: 80, Protocol: tcp, IngressInterface: outside, EgressInterface: seversDMZ, ACPolicy: Basic IPS/IDS and GeoIP block foreign contries, AccessControlRuleName: GeoBlock other Countries, Prefilter Policy: Unknown, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity

Configure Logging on FTD via FMC

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • FirePOWER technology

  • Basic knowledge of Adaptive Security Appliance (ASA)

  • Syslog protocol

Components Used

The information in this document is based on these software and hardware versions:

  • ASA Firepower Threat Defense Image for ASA (ASA 5506-X/5506H-X/5506W-X, ASA 5508-X, ASA 5516-X) that runs Software Version 6.0.1 and later

  • ASA Firepower Threat Defense Image for ASA (5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X) that runs Software Version 6.0.1 and later

  • Firepower Management Center (FMC) Version 6.0.1 and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a clear (default) configuration.

Background Information

The FTD system logs provide you with the information to monitor and troubleshoot the FTD appliance. The logs are useful both in routine troubleshooting and in incident handling. The FTD appliance supports both local and external logging.

Local logging can help you troubleshoot live issues. External logging is a method of collecting logs from the FTD appliance on an external Syslog server. Logging to a central server, such as Snare Central, helps with aggregation of logs and alerts. External logging can help in log correlation and incident handling.

More details on configuring logging on FTD via FMC are in the Cisco document listed under Notes at the end of this page.

Changes to Syslog Messages for Cisco Firepower Threat Defense version 6.3

Timestamp Logging

Beginning with Firepower Threat Defense version 6.3, Firepower Threat Defense provides the option to enable RFC 5424 timestamps in eventing syslogs. When this option is enabled, the timestamps of all syslog messages are displayed in RFC 5424 format. The following is a sample output in RFC 5424 format:

<166>2018-06-27T12:17:46Z firepower : %FTD-6-110002: Failed to locate egress interface for protocol from src interface :src IP/src port to dest IP/dest port

Note:

The PRI value, <166> in the example above, is the priority value that encodes both the Facility and the Severity of the alert. Syslog messages in RFC 5424 format typically display the PRI. However, for an FMC-managed FTD, the PRI value appears in syslog messages only when you enable logging in EMBLEM format in the FMC platform settings. For information on how to enable the EMBLEM format, see the Firepower Management Center Configuration Guide. For information on PRI, see RFC 5424.

Note that syslog messages produced by the FTD unit do NOT conform to syslog RFC 5424. In particular:

  • The syslog version header is not included, and a space is not included prior to the date value.

  • A timestamp may not be compatible with RFC5424 requirements.

  • APP-NAME is configurable, and may not meet RFC requirements.

  • PROCID is missing, or set to ":".

  • MSGID is missing, or incorrectly specified.

  • STRUCTURED-DATA is not compatible with RFC5424 defaults.

The Snare Central server and reflector are, however, capable of processing this particular variation of RFC 5424 syslog.

Syslog Prefix Format

The Firepower Threat Defense operating system used parts of the ASA operating system, including the syslog utility; because of this shared utility, Firepower Threat Defense syslog messages started with "%ASA". Beginning with Firepower Threat Defense release 6.3, Firepower Threat Defense syslog messages start with "%FTD".

More details regarding Cisco FTD release updates can be found here.

Syslog Message Severity Level

| Level Number | Severity Level | Description |
|---|---|---|
| 0 | Emergency | System is unusable. |
| 1 | Alert | Immediate action is needed. |
| 2 | Critical | Critical conditions. |
| 3 | Error | Error conditions. |
| 4 | Warning | Warning conditions. |
| 5 | Notification | Normal but significant conditions. |
| 6 | Information | Informational messages only. |
| 7 | Debugging | Debugging messages only. |

Syslog Message Classes and Associated Message ID Numbers

| Logging Class | Definition | Syslog Message ID Numbers |
|---|---|---|
| auth | User Authentication | 109, 113 |
| | Access Lists | 106 |
| | Application Firewall | 415 |
| bridge | Transparent Firewall | 110, 220 |
| ca | PKI Certification Authority | 717 |
| citrix | Citrix Client | 723 |
| | Clustering | 747 |
| | Card Management | 323 |
| config | Command Interface | 111, 112, 208, 308 |
| csd | Secure Desktop | 724 |
| cts | Cisco TrustSec | 776 |
| dap | Dynamic Access Policies | 734 |
| eap, eapoudp | EAP or EAPoUDP for Network Admission Control | 333, 334 |
| eigrp | EIGRP Routing | 336 |
| email | E-mail Proxy | 719 |
| | Environment Monitoring | 735 |
| ha | Failover | 101, 102, 103, 104, 105, 210, 311, 709, 727 |
| | Identity-based Firewall | 746 |
| ids | Intrusion Detection System | 400, 733 |
| | IKEv2 Toolkit | 750, 751, 752 |
| ip | IP Stack | 209, 215, 313, 317, 408 |
| ipaa | IP Address Assignment | 735 |
| ips | Intrusion Protection System | 400, 401, 420 |
| | IPv6 | 325 |
| | Block lists, Allow lists, and Graylists | 338 |
| | Licensing | 444 |
| mdm-proxy | MDM Proxy | 802 |
| nac | Network Admission Control | 731, 732 |
| nacpolicy | NAC Policy | 731 |
| nacsettings | NAC Settings to apply NAC Policy | 732 |
| | Network Access Point | 713 |
| np | Network Processor | 319 |
| | NP SSL | 725 |
| ospf | OSPF Routing | 318, 409, 503, 613 |
| | Password Encryption | 742 |
| | Phone Proxy | 337 |
| rip | RIP Routing | 107, 312 |
| rm | Resource Manager | 321 |
| | Security events (Information in this topic does not apply to these events) | 430 |
| | Smart Call Home | 120 |
| session | User Session | 106, 108, 201, 202, 204, 302, 303, 304, 305, 314, 405, 406, 407, 500, 502, 607, 608, 609, 616, 620, 703, 710 |
| snmp | SNMP | 212 |
| | ScanSafe | 775 |
| ssl | SSL Stack | 725 |
| svc | SSL VPN Client | 722 |
| sys | System | 199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615, 701, 711, 741 |
| | Threat Detection | 733 |
| tre | Transactional Rule Engine | 780 |
| | UC-IME | 339 |
| tag-switching | Service Tag Switching | 779 |
| vm | VLAN Mapping | 730 |
| vpdn | PPTP and L2TP Sessions | 213, 403, 603 |
| vpn | IKE and IPsec | 316, 320, 402, 404, 501, 602, 702, 714, 715 |
| vpnc | VPN Client | 611 |
| vpnfo | VPN Failover | 720 |
| vpnlb | VPN Load Balancing | 718 |
| | VXLAN | 778 |
| webfo | WebVPN Failover | 721 |
| webvpn | WebVPN and AnyConnect Client | 716 |
| | NAT and PAT | 305 |

Main fields for all Cisco FTD log types

| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | CiscoFTDLog<type> |
| CRITICALITY | |
| EVENTID | 6- or 7-digit value; the valid range is 100000 to 8300006. |
| SEVERITY | Syslog message severity level |
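As an added example (not code from this page, Cisco or Snare Central), the following Python decodes the two sample messages shown above into the main fields listed in the table: it applies the PRI arithmetic, the severity table, the %ASA/%FTD/%NGIPS prefix, the message-ID class prefixes (a subset of the class table above) and the EVENTID range given on this page, and tolerates the RFC 5424 deviations the page lists (no VERSION field, PROCID absent or ":"). The header pattern and the key/value body split are assumptions based only on the two samples.

```python
import re
from datetime import datetime

# Severity names, index = level number, taken from this page's severity table.
SEVERITY = ["Emergency", "Alert", "Critical", "Error", "Warning",
            "Notification", "Information", "Debugging"]
# Logging class by 3-digit message-ID prefix (subset of this page's class table).
CLASS_BY_PREFIX = {"106": "Access Lists", "109": "User Authentication",
                   "110": "Transparent Firewall", "302": "User Session",
                   "430": "Security events"}
# Assumed header shape of the page's samples: <PRI>TIMESTAMP HOST [PROCID] [:] %PREFIX-SEV-ID: body
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s+(?:(?P<procid>[^%\s:]+)\s+)?"
    r"(?::\s*)?%(?P<prefix>ASA|FTD|NGIPS)-(?P<sev>[0-7])-(?P<msgid>\d{6,7}):\s*(?P<body>.*)$")

def parse_ftd_syslog(line):
    """Decode one FTD syslog line into the page's main fields; None if the header does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri, sev, msgid = int(m["pri"]), int(m["sev"]), int(m["msgid"])
    rec = {
        "FACILITY": pri // 8,                   # PRI = facility * 8 + severity (RFC 5424)
        "SEVERITY": sev,
        "SEVERITY_NAME": SEVERITY[sev],
        "PRI_MATCHES_TAG": pri % 8 == sev,      # PRI severity should agree with %PREFIX-SEV
        "SYSTEM": m["host"],
        "PROCID": m["procid"],                  # token between HOST and the tag; None if absent or ":"
        "PREFIX": m["prefix"],                  # %ASA before 6.3, %FTD from 6.3, %NGIPS for IPS events
        "EVENTID": msgid,
        "EVENTID_VALID": 100000 <= msgid <= 8300006,  # valid range given on this page
        "CLASS": CLASS_BY_PREFIX.get(m["msgid"][:3], "unknown"),
    }
    try:  # The page warns the timestamp may not be RFC 5424 compliant; keep it raw if so.
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["DATE"], rec["TIME"] = ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S")
    except ValueError:
        rec["DATE"], rec["TIME"] = None, m["ts"]
    # Connection/security events (430xxx) carry a "Key: value, Key: value" body.
    parts = m["body"].split(", ")
    if all(": " in p for p in parts):
        rec["FIELDS"] = dict(p.split(": ", 1) for p in parts)
    else:
        rec["MESSAGE"] = m["body"]
    return rec

# Constructed inputs: the two sample messages from this page, the first one shortened.
SAMPLE_IPS = ('<113>2020-02-04T08:45:34Z r7Firepower FP1 %NGIPS-1-430003: EventPriority: Low, '
              'AccessControlRuleAction: Block with reset, SrcIP: 93.157.158.93, DstIP: 10.1.9.9, DstPort: 80')
SAMPLE_FTD = ('<166>2018-06-27T12:17:46Z firepower : %FTD-6-110002: Failed to locate egress '
              'interface for protocol from src interface :src IP/src port to dest IP/dest port')
```

Because the PRI is only emitted when EMBLEM format is enabled, a collector should treat the %PREFIX-SEV tag as the authoritative severity and use PRI_MATCHES_TAG as a consistency check when both are present.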

Notes

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html