Cisco FTD logs to Sentinel without estreamer

Question

HI Team,&nbsp;We have an project related to sending Ciscon FTD logs to Sentinel ,&nbsp;When we explore about the possibilities there is an additional functionalities which we need to create and maintain the server which is estreamer eNcore server.&nbsp;Cisco is suggested the below operations guide for sending Cisco FTD logs.&nbsp;https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html&nbsp;is there any aleternate solution available for ingesting Cisco FTD logs using Syslog itself via Sentinel.?&nbsp;Appreciated your responses.&nbsp;Regards,Jagadeesh Gunasekaran

mhenshaw · Answer

Hi There, yes there is! You can simply just setup syslog forwarding on your FTDS and then use the Syslog via AMA connector on the a linux collector to forward the logs to sentinel, I've recently did this for a client as the estreamer wasnt working correctly due to some python updates that happened in august, the only downside to this is that the logs will not be in CEF format meaning you would probably need to create parser or tweak your rules. -https://support.auvik.com/hc/en-us/articles/360048078412-How-to-configure-syslog-on-Cisco-devices-with-Firepower-Management-Center

Forum Discussion

Cisco FTD logs to Sentinel without estreamer

Share

Resources