...

Field             Type        Extra fields
eventdate         timestamp
host              str
Severity          int
EventID           int
Group             str
User              str
srcIP             ip
srcPort           int
dstIP             ip
dstPort           int
interface         str
clientType        str
ipv4Address       ip
ipv6Address       str
SessionType       str
Duration          str
BytesXmt          int
BytesRcv          int
Reason            str
svcMessage        str
svcMessageCode    str
Type              str
error             str
message           str
rawMessage        str
hostchain         str
tag               str
raw               str
rawSource         str

How is the data sent to Devo?

Cisco Firewall Configuration

...

Learn more about this process here.

Devo relay rules

You will need to define relay rules that can correctly identify the event type and apply the corresponding tag.

...

These instructions cover all of the event types, and the order matters because every rule stops processing on its first match. Even if you are only sending some of the Cisco firewall event types to Devo, keep the rules you do create in the same relative order.

Devo Relay rules

Rule 1: Cisco Firepower Threat Defense events

  • Source port → 13007

  • Source data → %FTD-

  • Target tag → firewall.cisco.ftd

  • Select the Stop processing and Send without syslog tag checkboxes


Rule 2: Cisco Firepower Management Center events

  • Source port → 13007

  • Source data → FMC

  • Target tag → firewall.cisco.fmc

  • Select the Stop processing and Send without syslog tag checkboxes

Rule 3: Cisco Firewall Services Module events

  • Source port → 13007

  • Source data → %FWSM-

  • Target tag → firewall.cisco.fwsm

  • Select the Stop processing and Send without syslog tag checkboxes


Rule 4: Cisco PIX events

  • Source port → 13007

  • Source data → %PIX-

  • Target tag → firewall.cisco.pix

  • Select the Stop processing and Send without syslog tag checkboxes

Rule 5: Cisco ASA VPN events

This rule must precede the Cisco ASA rule (Rule 6): that rule has no Source data pattern, so it would otherwise capture the VPN events. The regex in the Source data field matches the ASA event codes associated with VPN sessions.

  • Source port → 13007

  • Source data →  ASA-[0-9]+-(?:722010|722036|113039|716059|722012|716058|716002|722033|722034|722037|722023|722028|722032|722051|722055|722022|722041)

  • Target tag → vpn.cisco.asa.anyconnect

  • Select the Stop processing and Send without syslog tag checkboxes


Rule 6: Cisco ASA events

All events received on this port that did not match any of the previous rules will be assigned the firewall.cisco.asa tag.

  • Source port → 13007

  • Target tag → firewall.cisco.asa

  • Select the Stop processing and Send without syslog tag checkboxes
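The six rules above form an ordered, first-match chain. The following Python script, added here as an illustration and not part of the Devo documentation or the relay software, replays that chain against a handful of constructed syslog lines and shows why Rule 5 must sit before Rule 6. It assumes the Source data field is evaluated as a regular expression searched within the message body, and the sample lines are invented (their message IDs and text are not captured from real devices).

```python
import re
from typing import List, Optional, Tuple

# (rule name, source port, source-data regex or None for catch-all, target tag),
# transcribed from the six relay rules above, in their documented order.
RelayRule = Tuple[str, int, Optional[str], str]

ASA_VPN_CODES = (
    "722010|722036|113039|716059|722012|716058|716002|722033|722034|722037|"
    "722023|722028|722032|722051|722055|722022|722041"
)

RELAY_RULES: List[RelayRule] = [
    ("Rule 1: Cisco FTD",     13007, r"%FTD-",  "firewall.cisco.ftd"),
    ("Rule 2: Cisco FMC",     13007, r"FMC",    "firewall.cisco.fmc"),
    ("Rule 3: Cisco FWSM",    13007, r"%FWSM-", "firewall.cisco.fwsm"),
    ("Rule 4: Cisco PIX",     13007, r"%PIX-",  "firewall.cisco.pix"),
    ("Rule 5: Cisco ASA VPN", 13007, r"ASA-[0-9]+-(?:" + ASA_VPN_CODES + ")",
                                               "vpn.cisco.asa.anyconnect"),
    ("Rule 6: Cisco ASA",     13007, None,      "firewall.cisco.asa"),
]

# Same rules with the ASA catch-all placed before the ASA VPN rule: the
# misordering the documentation warns against.
MISORDERED_RULES: List[RelayRule] = RELAY_RULES[:4] + [RELAY_RULES[5], RELAY_RULES[4]]


def route(message: str, port: int, rules: List[RelayRule] = RELAY_RULES) -> Optional[str]:
    """Return the target tag of the first rule matching (port, message), or None.

    Every rule has "Stop processing" set, so the first match wins; a rule with
    no Source data pattern (Rule 6) matches every message on its port.
    """
    for _name, rule_port, pattern, tag in rules:
        if port != rule_port:
            continue
        if pattern is None or re.search(pattern, message) is not None:
            return tag
    return None


# Constructed sample syslog lines (assumed shapes, not captured from real devices).
SAMPLES = {
    "ftd":     "<166>Jan 10 12:00:00 ftd01 %FTD-6-430003: AccessControlRuleAction: Allow",
    "fmc":     "<166>Jan 10 12:00:01 fmc01 FMC: Intrusion event on sensor ftd01",
    "fwsm":    "<166>Jan 10 12:00:02 fwsm01 %FWSM-6-302013: Built inbound TCP connection",
    "pix":     "<166>Jan 10 12:00:03 pix01 %PIX-6-302013: Built inbound TCP connection",
    "asa_vpn": "<166>Jan 10 12:00:04 asa01 %ASA-6-722022: Group <vpn> User <jdoe> "
               "IP <203.0.113.5> UDP SVC connection established",
    "asa":     "<166>Jan 10 12:00:05 asa01 %ASA-6-302013: Built outbound TCP connection "
               "1234 for outside:198.51.100.7/443",
}


def route_all(rules: List[RelayRule] = RELAY_RULES, port: int = 13007) -> dict:
    """Route every sample line and return {sample name: assigned tag}."""
    return {name: route(line, port, rules) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, tag in route_all().items():
        print(f"{name:8s} -> {tag}")
    # With rules 5 and 6 swapped the VPN event is swallowed by the ASA catch-all.
    print("asa_vpn (misordered) ->", route(SAMPLES["asa_vpn"], 13007, MISORDERED_RULES))
```

Running the script routes each sample to the tag its rule names; routing the same AnyConnect line through MISORDERED_RULES returns firewall.cisco.asa instead of vpn.cisco.asa.anyconnect, which is the misclassification the ordering note above is meant to prevent. A line arriving on a port other than 13007 matches nothing and is returned as None.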

Firepower through eStreamer eNcore CLI

...