cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
lukel
Level 8
Report Inappropriate Content
Message 1 of 2

Cisco Firepower Syslog Parsing

For those with Cisco Firepower firewalls, how are you parsing the data?  We are receiving the logs via Syslog, but there are only 10 syslog parsers built in to the ESM (all of which are basically useless).  We are considering switching to the eStreamer, but we have heard that IPS events don't come through.

We have been pretty disappointed with the Firepower support so far.  There were 1000+ parsers for ASA events, and there appears to be next-to-none support for Cisco's new(ish) flagship firewalls.

Labels (3)
1 Reply
Leath
Level 7
Report Inappropriate Content
Message 2 of 2

Re: Cisco Firepower Syslog Parsing

Welcome to ESM the SIEM "supports" Data Sources in the supported list but may not really. 
We use eStreamer and Syslog and get quiet a bit info out. 

You can also create correlation rules on Firepower which SIEM parses correctly. 
Basically each SFR module should send Syslog to ERC, and the FMS should use eStreamer and Syslog. 

Goodluck! 

Tags (1)
More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support
  • The McAfee ePO Support Center Plug-in is now available in the Software Manager. Follow the instructions in the Product Guide for more.