Accenture MDR Quick Start Guide for Cisco Firepower Threat Defense (FTD) using Syslog configuration
This quick start guide will help Accenture MDR customers configure Cisco Firepower Threat Defense (FTD) to send logs to the Log collection Platform (LCP).
This document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
Cisco FTDÂ | LCP | 514 (UDP) or 601 (TCP) | Default port |
Configuring Cisco FTD
You have to configure the below settings to send the FTD events
To configure Audit Log MessagesÂ
Log in to the Cisco Firepower management center console.
Navigate to Devices > Platform Settings
​Click Audit Log.
Select Enabled from the Send Audit Log to Syslog drop-down menu.
Enter the Syslog IP Address or fully qualified host name of the syslog server in the Host field.
Select Syslog from the Facility drop-down menu.Â
Select INFO from the Severity drop-down menu
Click Save. Â
 To Configure Syslog Alerts:
Navigate to Policies > Actions > Alerts,.
Create a new syslog object for MDR.
Enter the Name for syslog server object.
Enter the LCP IP Address in the Host field.
Enter the Port 514Â in the Port field.
Select Local 4 from the Facility drop-down menu.Â
Select INFO from the Severity drop-down menu.Â
Click Save.
Apply the created object to the rest of the tabs.
Syslog settings for the FTD device:
Navigate to Devices > Platform Settings > FTD Device > Syslog
Under Logging Setup, check the following:
Check the Enable Logging and Enable logging on the failover standby unit
Check the send syslog in EMBLEM format
Check the Send debug messages as syslogs
Set the memory size of the internal buffer.                                 Â
NOTE: MxDR doesn't support Names feature. This feature needs to be kept disabled.Â
To send syslog messages in Emblem format - enable checkbox for "Send syslog in EMBLEM format" to start receiving logs in emblem format.
Cisco Emblem log forwarding will only be supported by UDP. It does not support TCP as per vendor.
Current handling of emblem format is based on versions : versions 7.0.5 and later, and 7.2.x and later. Emblem format for previous versions might change and may not be supported by collector.
Â
3. Under logging destinations, create a new syslog destination by clicking Add or edit the required logging destination from the list.                                Â
 Choose the syslog servers as logging destination from the Logging Destination drop-down.
Choose Filter on Severity from the Event class drop-down and choose debugging as the logging level.
To add the below event classes to this Logging filter, click Add under the Event list tab.
S.NO | Event Class | Description |
1 | IP | IP Stack |
2 | auth | User Authentication |
3 | bridge | Transparent Firewall |
4 | ca | PKI Certification Authority |
5 | config | Command Interface |
6 | ha | Failover |
7 | ids | Intrusion Detection System |
8 | np | Network Processor |
9 | rip | RIP Routing |
10 | rm | Resource Manager |
11 | session | User Session |
12 | snmp | SNMP |
13 | sys | System |
14 | vpdn | PPTP and L2TP Sessions |
15 | vpn | IKE and IPsec |
16 | vpnc | VPN Client |
17 | webvpn | WebVPN and Any Connect Client |
18 | vpnfo | VPN Failover |
Â
Choose the Event Class from above list in the Event Class drop-down list.
 Choose the Syslog severity from the Syslog Severity drop-down list.Â
4. Under Rate Limit tab, select the logging level and enter the Number of messages.
5. Under Syslog Settings tab,
Select the Facility as LOCAL 4 from drop-down menu.
Check Enable timestamp for syslog messages box
Select the Timestamp Format as RFC 5424 (yyyy-MM-ddTHH:mm:ssZ) from drop-down menu.
Check the Enable syslog ID as Host name.
Enable the Syslog ID's as need.
6. Under syslog server tab,
Select the LCP IP address from the drop-down menu.
Choose the protocol as TCP or UDP
Enter the port number as 514/601
Check Device management Interface.
Click OK.                                    Â
 Configuring Syslog Alerting for Access Control
Navigate to Access Control.
Enable the Access policy to send logs to Syslog
Check the box Log at End of Connection
Select Log files as File events .Â
Send the connection events to Syslog server                                     Â
Configuring File Events
Navigate to Policies >> Malware & File and create a file policy.                                Â
Note: Select Log Files in order to enable logging of prohibited files or malware events. File policy must be selected in the rule to configure this option. The option is enabled by default if a file policy is selected for the rule. Cisco recommends to leave this option enabled
 2. Select the Inspection tab and choose already created file policy under MDR drop down menu
3. The log file is automatically highlighted and checked. Log file selection is optional.                 Â
Configuring Syslog Alerting for Intrusion Events
Under the intrusion policy editor's navigation pane, click Advanced Settings.Â
Make sure Syslog Alerting is enabled and click Edit
Note: A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. The Syslog Alerting page is added under Advanced Settings.                           Â
3. Enter the IP Address of the Logging Hosts where you want to send syslog alerts
Note: If the Logging Hosts field is left blank, the logging hosts details are taken from the Logging tab in the associated Access Control Policy.
4. Choose Facility and Severity levels as described in below.
5. To save the changes, choose Policy Information, then click Commit Changes.
LCP Configuration Parameter
Table 1-2 : The Cisco FTD syslog event collector (Syslog -5003) properties to be configured by MDR are shown in the table
Property | Default Value | Description |
Protocol | UDP | The default protocol for syslog. The collector can also accept logs in TCP. Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To balance TCP for reliability over UDP for speed/simplicity, contact the Accenture MDR onboarding team. |
IP Address | Cisco FTD Interface IP Address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team. |
Signatures | %FTD | MDR recommended signatures processed by the Cisco FTD event collector. |
Port Number | 514 | The default port for UDP. For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port, please advise the Accenture MDR onboarding team if this is a requirement.  |
Â
Â
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.