Cisco FTD#

Integration Details

Ingester

Simple Relay

Kit

Cisco FTD Kit

Cisco FTD Configuration#

Configure log forwarding as described in Cisco FTD documentation.

Things to note as you follow the logging setup:

  • Enable EMBLEM format

  • Set IP address and port

Warning

If using TCP for syslog, you probably want to check the "Allow user traffic to pass when TCP syslog server is down" check box. Otherwise, if the FTD is unable to connect to the Gravwell ingester, the FTD will block all new connections.

Gravwell Configuration#

Gravwell Storage Well Configuration#

Set up the well configuration on your Gravwell indexers.

Sample well config:
Create or edit: /opt/gravwell/etc/gravwell.conf.d/cisco-ftd-well.conf

[Storage-Well "ciscoftd"]
    # Every tag produced by the Simple Relay routers on this page starts with
    # "cisco-ftd", so a single wildcard collects all of them into this well.
    Tags=cisco-ftd*
    Location=/opt/gravwell/storage/cisco-ftd

Gravwell Ingester Configuration: Simple Relay#

Sample Simple Relay config for Cisco FTD:
Create or edit: /opt/gravwell/etc/simple_relay/cisco-ftd.conf

[Listener "syslogtcp_cisco_ftd"]
    # Tag applied to every entry that none of the routers below re-tags.
    Tag-Name=cisco-ftd-events
    Reader-Type=rfc5424
    Assume-Local-Timezone=true
    # 0.0.0.0 listens on every interface; bind to the management-interface
    # address instead (or restrict the port with a host firewall rule) so only
    # the FTD can reach this listener. Simple Relay also supports tls://
    # listeners if the syslog path crosses an untrusted network.
    Bind-String="tcp://0.0.0.0:6901"
    # Preprocessors run in the order listed: the 43000X router first, then the
    # class router for everything else. Do not reorder these two lines.
    Preprocessor="Cisco FTD 43000X Router"
    Preprocessor="Cisco FTD Class Router"

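# Route 43000X security-event syslogs
[preprocessor "Cisco FTD 43000X Router"]
    Type=regexrouter
    # Entries whose message id does not match the Regex are passed through
    # untouched (they are handled by the class router that runs next).
    Drop-Misses=false
    # Match only the ids that have a Route below, so a regex match always has
    # a destination; 430000 and 430006-430009 become plain misses instead of
    # matches with no Route.
    Regex=`%FTD-[0-7]-(?P<msgid>43000[1-5]):`
    Route-Extraction=msgid
    Route=430001:cisco-ftd-intrusion
    Route=430002:cisco-ftd-connection
    Route=430003:cisco-ftd-connection
    Route=430004:cisco-ftd-file
    Route=430005:cisco-ftd-malware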

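# Route non-43000X messages by 3-digit class prefix
[preprocessor "Cisco FTD Class Router"]
    Type=regexrouter
    # Non-matching entries are passed through with their current tag.
    Drop-Misses=false
    # Match every FTD message id and take its first three digits as the class.
    # Do NOT try to exclude 43000X here with a lookahead such as `(?!43000)`:
    # Gravwell's regex engine (Go RE2 syntax) has no lookahead support, so the
    # preprocessor would fail to load. Exclusion is done by the route table
    # instead: class 430 has no Route below, so 43000X entries (already tagged
    # by the "Cisco FTD 43000X Router", which runs first) should pass through
    # untouched - confirm against the regexrouter docs for your version.
    Regex=`%FTD-[0-7]-(?P<class>\d{3})\d{3}:`
    Route-Extraction=class

    # Any class not listed below keeps the listener's Tag-Name, so searching
    # that tag shows which message ids still need a Route.

    # auth
    Route=109:cisco-ftd-auth
    Route=113:cisco-ftd-auth

    # config
    Route=111:cisco-ftd-config
    Route=112:cisco-ftd-config
    Route=208:cisco-ftd-config
    Route=308:cisco-ftd-config

    # vpn
    Route=213:cisco-ftd-vpn
    Route=316:cisco-ftd-vpn
    Route=320:cisco-ftd-vpn
    Route=402:cisco-ftd-vpn
    Route=403:cisco-ftd-vpn
    Route=404:cisco-ftd-vpn
    Route=501:cisco-ftd-vpn
    Route=602:cisco-ftd-vpn
    Route=603:cisco-ftd-vpn
    Route=611:cisco-ftd-vpn
    Route=702:cisco-ftd-vpn
    Route=713:cisco-ftd-vpn
    Route=714:cisco-ftd-vpn
    Route=715:cisco-ftd-vpn
    Route=716:cisco-ftd-vpn
    Route=718:cisco-ftd-vpn
    Route=720:cisco-ftd-vpn
    Route=722:cisco-ftd-vpn

    # traffic
    Route=106:cisco-ftd-traffic
    Route=108:cisco-ftd-traffic
    Route=201:cisco-ftd-traffic
    Route=202:cisco-ftd-traffic
    Route=204:cisco-ftd-traffic
    Route=302:cisco-ftd-traffic
    Route=303:cisco-ftd-traffic
    Route=304:cisco-ftd-traffic
    Route=305:cisco-ftd-traffic
    Route=314:cisco-ftd-traffic
    Route=405:cisco-ftd-traffic
    Route=406:cisco-ftd-traffic
    Route=407:cisco-ftd-traffic
    Route=500:cisco-ftd-traffic
    Route=502:cisco-ftd-traffic
    Route=607:cisco-ftd-traffic
    Route=608:cisco-ftd-traffic
    Route=609:cisco-ftd-traffic
    Route=616:cisco-ftd-traffic
    Route=620:cisco-ftd-traffic
    Route=703:cisco-ftd-traffic
    Route=710:cisco-ftd-traffic

    # threat
    Route=400:cisco-ftd-threat
    Route=401:cisco-ftd-threat
    Route=420:cisco-ftd-threat
    Route=733:cisco-ftd-threat

    # system
    Route=101:cisco-ftd-system
    Route=102:cisco-ftd-system
    Route=103:cisco-ftd-system
    Route=104:cisco-ftd-system
    Route=105:cisco-ftd-system
    Route=199:cisco-ftd-system
    Route=210:cisco-ftd-system
    Route=211:cisco-ftd-system
    Route=214:cisco-ftd-system
    Route=216:cisco-ftd-system
    Route=306:cisco-ftd-system
    Route=307:cisco-ftd-system
    Route=311:cisco-ftd-system
    Route=315:cisco-ftd-system
    Route=414:cisco-ftd-system
    Route=604:cisco-ftd-system
    Route=605:cisco-ftd-system
    Route=606:cisco-ftd-system
    Route=610:cisco-ftd-system
    Route=612:cisco-ftd-system
    Route=614:cisco-ftd-system
    Route=615:cisco-ftd-system
    Route=701:cisco-ftd-system
    Route=709:cisco-ftd-system
    Route=711:cisco-ftd-system
    Route=741:cisco-ftd-system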

Note

Remember to restart the service to apply the new config: sudo systemctl restart gravwell_simple_relay.service