ALERT! The community will be read-only starting on April 19, 8am Pacific as the migration begins. Read more for important details.

Cisco FTD (Firepower Threat Defense) support through parser tweak in Cisco ASA parser

Idea ID 2809536

Older versions of Cisco FTD had the same log format as ASA, so those logs were parsed by the 'Syslog Daemon' connector through the ASA parsers. After version 6.3, FTD changed ASA to FTD in the syslog messages. This stopped the parsing of FTD logs in ArcSight. A simple | pipe in the ASA parser to match FTD or ASA should solve this concern.
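The alternation the idea proposes, shown as an added Python illustration rather than ArcSight's own parser code: the "before" header regex accepts only `%ASA-sev-id:` and the "after" regex accepts `%(ASA|FTD)-sev-id:`, so a batch of otherwise identical messages splits into parsed and unparsed events differently. The sample syslog lines, hostnames and addresses are constructed for the example; the two timestamp styles handled (legacy `Mar 10 2020 12:00:01` and RFC 3339 `2020-03-10T12:00:01Z`) are assumptions about the device output, and the PRI-versus-header severity cross-check is an added sanity check, not something the connector is documented to do.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Pattern, Tuple

# Syslog PRI value, e.g. "<166>" -> facility 20 (local4), severity 6.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

# Two device timestamp styles (assumed): legacy "Mar 10 2020 12:00:01"
# and RFC 3339 "2020-03-10T12:00:01Z".
TS_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}"
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
)
TS_FORMATS = ("%b %d %Y %H:%M:%S", "%Y-%m-%dT%H:%M:%SZ")

# "Before": the header regex only knows the ASA product tag.
ASA_ONLY_HEADER = re.compile(
    r"%(?P<product>ASA)-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# "After": the alternation the idea asks for, so FTD 6.3+ messages parse the same way.
ASA_OR_FTD_HEADER = re.compile(
    r"%(?P<product>ASA|FTD)-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)$"
)


@dataclass
class FirewallEvent:
    product: str                 # "ASA" or "FTD"
    severity: int                # severity digit from the %PRODUCT-sev-id header
    message_id: str              # six-digit Cisco message id, e.g. "302013"
    timestamp: Optional[datetime]
    pri_severity: Optional[int]  # severity decoded from the syslog PRI, for cross-checking
    body: str


def parse_timestamp(text: str) -> Optional[datetime]:
    """Try each known device timestamp style; None if none fits."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_line(line: str, header: Pattern[str] = ASA_OR_FTD_HEADER) -> Optional[FirewallEvent]:
    """Parse one syslog line; None means the connector would treat it as unparsed."""
    m = header.search(line)
    if m is None:
        return None
    prefix = line[: m.start()]          # everything before "%ASA-..." / "%FTD-..."
    pri = PRI_RE.match(prefix)
    ts = TS_RE.search(prefix)
    return FirewallEvent(
        product=m.group("product"),
        severity=int(m.group("sev")),
        message_id=m.group("msgid"),
        timestamp=parse_timestamp(ts.group("ts")) if ts else None,
        pri_severity=(int(pri.group("pri")) & 7) if pri else None,
        body=m.group("body"),
    )


def severity_mismatch(ev: FirewallEvent) -> bool:
    """True when the PRI severity and the message-header severity disagree."""
    return ev.pri_severity is not None and ev.pri_severity != ev.severity


def parse_batch(lines, header: Pattern[str] = ASA_OR_FTD_HEADER) -> Tuple[List[FirewallEvent], List[str]]:
    """Split a batch into parsed events and the raw lines that did not match."""
    parsed, unparsed = [], []
    for line in lines:
        ev = parse_line(line, header)
        if ev is None:
            unparsed.append(line)
        else:
            parsed.append(ev)
    return parsed, unparsed


# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    "<166>Mar 10 2020 12:00:01: %ASA-6-302013: Built inbound TCP connection 1001 for "
    "outside:203.0.113.5/4444 (203.0.113.5/4444) to inside:10.0.0.7/443 (10.0.0.7/443)",
    "<166>Mar 10 2020 12:00:02: %FTD-6-302013: Built inbound TCP connection 1002 for "
    "outside:203.0.113.6/5555 (203.0.113.6/5555) to inside:10.0.0.7/443 (10.0.0.7/443)",
    "<163>2020-03-10T12:00:03Z ftd-edge-01 : %FTD-3-106014: Deny inbound icmp src "
    "outside:203.0.113.9 dst inside:10.0.0.7 (type 8, code 0)",
    "<13>Mar 10 2020 12:00:04 host01 sshd[123]: Accepted publickey for alice",  # not a firewall event
]

if __name__ == "__main__":
    for name, header in (("ASA only", ASA_ONLY_HEADER), ("ASA|FTD", ASA_OR_FTD_HEADER)):
        parsed, unparsed = parse_batch(SAMPLE_LINES, header)
        print(f"{name}: parsed={len(parsed)} unparsed={len(unparsed)}")
        for ev in parsed:
            print(f"  {ev.product} sev={ev.severity} id={ev.message_id} ts={ev.timestamp} "
                  f"pri_mismatch={severity_mismatch(ev)}")
```

With the ASA-only header, both FTD lines and the sshd line land in the unparsed bucket; with the alternation, only the sshd line does. The PRI cross-check is worth keeping in a real parser because a device that changes its header format often changes nothing about the PRI it sends, so a disagreement between the two is a cheap hint that the regex drifted.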

7 Comments
Micro Focus Contributor
Status changed to: Accepted
 
Ensign

Hi,

Could you please elaborate on this? We were getting logs from ASA before; now, after a firewall upgrade to FTD 6.3, we aren't receiving any events on the 7.15 connector, but on the 7.9 version we get "unparsed events".

The agent.log keeps throwing an error of "All timestamp formats are wrong, please check your input"; we've tried both the legacy and RFC time format settings in FTD.

Is there any workaround for this?

Kind Regards,

Gaurav Bhatnagar

Lieutenant

We're experiencing a similar issue and have an open ticket with support. As SET pointed out, when viewing the raw logs the format is mostly the same, except for switching out ASA with FTD. Enabling EMBLEM format also makes some slight adjustments, but neither format works in our case.

syslog.properties shows all FTD devices being picked up as "cisco_nxos_syslog", but not actually parsing anything. Our connector is on version 7.15.2.8312.

Ensign

@disposablecat Support just told us that FTD isn't supported currently and that their engineers are working on making a parser. So I went ahead and created a flex subagent for our syslog connector. It's working on our end and parsing logs correctly.
I would suggest you do the same.

 

Cadet 1st Class

Note that since connector v7.13, "unparsed" events are not sent to destinations unless you have set the "generate unparsed event = yes" - the default is "no".

If set to "no", the unparsed events are sent to a log file in the log folder.

 

Didn't realize this is also causing issues for us; we had AnyConnect logs from a Cisco Firepower 4140 appliance parsed correctly, so we assumed the firewall logs from the same appliance model would be parsed too!

This Idea was accepted last July, anybody got any idea when this will be released? As of now parser 8.0.3.8356.0 does not include this yet. 

Lieutenant

We were already rolling out FTD devices so we ended up creating a custom flex subagent using the newly unobfuscated ciscopix.subagent parser file as GauravB1 mentioned.
