Hi!
Been struggling with the normalization of Cisco Firepower logs, were I expect better normalization and a better enrichment. The syslog is configured from the Firepower Management Center.
Everything should be correct in LogPoint were we’ve put in all the normalization policys for the log source.
Compiled Normalizer:
- Cisco FirepowerNormalizer
- CiscoPIXASACompiledNormalizer
Normalization Packages:
- LP_Cisco Firepower
- LP_Cisco Fiirepower Management Center
- LP_Cisco Fiirepower Management Center v6_2
- LP_Cisco PIX/ASA Generic
- LP_Cisco PIXASA
Is there any problem with the format syslog? Had the same issue with CheckPoint FW, but this got solved when we changed the format to CEF. Only the problem that Cisco Firepower only support the format syslog.
Is there someone that has any tips on how to move on forward with this?
Share This Post:
I have seen Firepower logs work fine in Logpoint, but it was last a couple of years ago. We would probably need to see what actually happens, e.g. a screenshot or copy/paste of your raw logs. When you say “better” normalisation, what do you see vs. what did you expect? Enrichment is independent of the data source, so again it would be a question of what are you getting vs. what did you expect?
Because it might be sensitive data, this might also best be done through a Support ticket.
Hi Nils
Thanks for your reply. I understand. I expect a more detailed view of each log, I have to go back to the FW that’s sending the logs.
Thanks for the information.
Please sign in to leave a comment.
2 comments