Configure Cisco Secure Firewall Threat Defense Collection

Collecting Cisco Secure Firewall Threat Defense logs enables Alert Logic to run our common firewall analytics on data from your Cisco Secure Firewall Threat Defense devices. These analytics identify suspicious communication with internet hosts which Alert Logic considers threat actors. Significant security findings from your Cisco Secure Firewall Threat Defense devices will result in the creation of incidents that can be managed in the Alert Logic console.

Cisco Secure Firewall Threat Defense was formerly called Cisco Firepower.

You must complete the following to send data from your Cisco Secure Firewall Threat Defense device(s) to Alert Logic:

  1. Download and install the remote collector
  2. Configure Cisco Secure Firewall Threat Defense device
  3. Verify log collection

Download and install the remote collector

To send data from your Cisco Secure Firewall Threat Defense device(s) to Alert Logic, you must first download and install the remote collector in the same network as the Cisco Secure Firewall Threat Defense device(s).

To download and install the remote collector:

  1. Review the requirements for the remote collector as outlined in Requirements for the Alert Logic Remote Collector and ensure all requirements are met.
  2. Complete the following instructions for Linux or Windows, making sure to choose a host in the same network as the Cisco Secure Firewall Threat Defense device(s).
  3. While installing the remote collector, note the IP of the host where the collector is installed. This IP will be needed when configuring the Cisco Secure Firewall Threat Defense device.

Configure Cisco Secure Firewall Threat Defense device

Once the remote collector is installed, the Cisco Secure Firewall Threat Defense device needs to be configured to send data to the collector. This process requires three key steps - creating a server profile, creating a log forwarding profile, and applying the log forwarding profile.

For setups using Device Manager:

  1. In the Cisco Secure Firewall Threat Defense Device Manager, navigate to System Settings > Logging Settings.
  2. Make sure Data Logging is enabled, and the Severity level is set to Information.
  3. Click the gray plus (+) button to add a syslog server.
  4. Enter the IP address of your remote collector, choose the protocol you prefer, and enter 1515 as the port.
  5. Choose the interface that can reach the remote collector.
  6. Click OK.
  7. Select the new syslog server, and then click OK.
  8. Click Save at the bottom of the screen.
  9. Navigate to Policies.
  10. Find the access policies you want to log. Under Actions, click Edit.
  11. Click the Logging tab.
  12. Select the Log at Beginning and End of Connection checkbox.
  13. Under Send Connection Events to, select the syslog server you configured.
  14. Click OK.
  15. Deploy the new configuration from the Pending Changes button.

For setups using Cisco Secure Firewall Threat Defense Management Console:

  1. In the Cisco Secure Firewall Threat Defense Management Console, navigate to Policies > Actions > Alerts.
  2. Click Create Alert to open a drop-down menu, and then select Create Syslog Alert.
  3. In the Name box, enter any name for the alert.
  4. In the Host box, enter the hostname or IP address of remote collector.
  5. In the Port box, enter 1515.
  6. In the Facility box, enter LOCAL7.
  7. In the Severity box, enter INFO.
  8. Click Save.
  9. Navigate to Policies > Access Control Policy.
  10. For the access rules you want to log, navigate to the Logging tab.
  11. Select the Log at Beginning of Connection and Log at End of Connection checkboxes.
  12. Under Send Connection Events to, select the Syslog checkbox, and then select the syslog alert you created above.
  13. Click Save.
We recommend sending Cisco logs in the EMBLEM format. Configurations vary between Cisco products and versions, so consult Cisco's latest documentation for configuration guidance.

Verify log collection

Once you have installed the remote collector and configured the Cisco Secure Firewall Threat Defense device, it is recommended to verify that log collection is successful. It may take up to 15 minutes for Alert Logic to begin receiving logs.

  1. Log in to the Alert Logic console and use the following link to access the Search console with criteria already entered:
  2. Uncomment either of the two commented lines with SQL parameters and replace either $COLLECTOR_ID or $COLLECTOR_IP with your preferred identifier for the remote collector.
  3. Click Search.
  4. Verify logs display for the remote collector.