Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built platforms or as a software solution.
- Access to Cisco Firepower Management platform.
- Port 11521 TCP/UDP allowed from Cisco Firepower to the Forwarder.
Configuring Cisco Firepower syslog
Creating a Syslog Alert Response
- Choose ASA Firepower Configuration > Policies > Actions > Alerts.
- From the Create Alert drop-down menu, choose Create Syslog Alert.
- Enter a Name for the alert.
- In the Host field, enter the hostname or IP address of the Forwarder server.
- In the Port field, enter the port number as 11521.
- From the Facility list, choose LOCAL7.
- From the Severity list, choose INFO.
- Click Save.
Configuration for sending the Traffic Events
- Navigate to ASA Firepower Configuration > Policies > Access Control Policy.
- Edit the access rule and navigate to its logging options.
- Select the Log at Beginning of Connection and Log at End of Connection options.
- Under the Send Connection Events to option, select Syslog, and then select the Syslog alert response created above.
- Click Save.
- Once the configuration is complete, validate that the logs are arriving in Chronicle by searching with the regular expression (".*") or with the specific hostname; the result lists the log source types that are ingesting into Chronicle. Below is the screenshot for reference.
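Before checking Chronicle itself, it helps to confirm at the Forwarder that what arrives on port 11521 carries the facility and severity configured above and that both connection phases are being logged. The following Python script is an added example, not part of this guide or of any Cisco or Chronicle tooling: it decodes the syslog PRI header of each received line, rejects anything that is not LOCAL7/INFO, and counts Start and End connection events. The sample lines are constructed to resemble Firepower connection events, and the "Connection Type: Start/End" field name it looks for is an assumption, not something the guide confirms.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard syslog PRI decoding: PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
FACILITIES = {16 + i: f"LOCAL{i}" for i in range(8)}
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# Values this guide configures in the Syslog Alert Response (LOCAL7/INFO -> PRI 190).
EXPECTED_FACILITY = "LOCAL7"
EXPECTED_SEVERITY = "INFO"

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Assumed field name for the connection phase; adjust to the format actually received.
CONN_TYPE_RE = re.compile(r"Connection Type:\s*(Start|End)\b")


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    body: str


def parse_syslog(line: str) -> Optional[SyslogMessage]:
    """Decode the <PRI> header of a syslog line; return None if it is not syslog."""
    m = PRI_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest legal value: facility 23, severity 7
        return None
    facility = FACILITIES.get(pri // 8, f"FACILITY{pri // 8}")
    severity = SEVERITIES[pri % 8]
    return SyslogMessage(facility, severity, m.group(2))


def validate_feed(lines: List[str]) -> Tuple[int, List[str], Counter]:
    """Check a batch of received lines against the guide's configuration.

    Returns (accepted, problems, phases):
      accepted - number of lines carrying the expected LOCAL7/INFO header
      problems - one reason per rejected line
      phases   - counts of Start and End events among accepted lines; a phase
                 that never appears points at the Log at Beginning/End options
    """
    accepted = 0
    problems: List[str] = []
    phases: Counter = Counter()
    for n, line in enumerate(lines, start=1):
        msg = parse_syslog(line)
        if msg is None:
            problems.append(f"line {n}: not a syslog message with a <PRI> header")
            continue
        if msg.facility != EXPECTED_FACILITY or msg.severity != EXPECTED_SEVERITY:
            problems.append(
                f"line {n}: got {msg.facility}/{msg.severity}, "
                f"expected {EXPECTED_FACILITY}/{EXPECTED_SEVERITY}"
            )
            continue
        accepted += 1
        phase = CONN_TYPE_RE.search(msg.body)
        if phase:
            phases[phase.group(1)] += 1
    return accepted, problems, phases


# Constructed sample input shaped like Firepower connection events; not captured output.
SAMPLE_LINES = [
    "<190>Jan 10 12:00:01 fmc01 SFIMS: Connection Type: Start, Protocol: TCP, "
    "Initiator IP: 10.0.0.5, Responder IP: 198.51.100.7",
    "<190>Jan 10 12:00:09 fmc01 SFIMS: Connection Type: End, Protocol: TCP, "
    "Initiator IP: 10.0.0.5, Responder IP: 198.51.100.7",
    "<134>Jan 10 12:00:10 fmc01 SFIMS: Connection Type: Start, Protocol: UDP",  # LOCAL0/INFO
    "plain text with no PRI header",
]

if __name__ == "__main__":
    ok, probs, ph = validate_feed(SAMPLE_LINES)
    print(f"accepted={ok} start={ph['Start']} end={ph['End']}")
    for p in probs:
        print("problem:", p)
```

Feed it the lines captured on the Forwarder (for example from a packet capture or a temporary listener on 11521); a batch with zero accepted lines means the alert response points elsewhere or uses a different facility/severity, while accepted lines with no End events usually mean only Log at Beginning of Connection was selected.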