firewall.cisco

The tags beginning with firewall.cisco identify log events generated by the following Cisco technologies:

Cisco ASA
Cisco ASA VPN
Cisco Firepower Threat Defense
Cisco Firepower Management Central
Cisco PIX
Cisco Firewall Services Module

Firewall Cisco together with Firepower and VPN

Tag structure

The full firewall.cisco tags have just three levels. The first two are fixed as firewall.cisco. The third level identifies the technology type.

Therefore, the valid tags include:

Product / Service	Tags	Data tables
Cisco Adaptive Security Appliance (ASA) Software	`firewall.cisco.asa`	`firewall.cisco.asa`
Cisco Secure Firewall Management Center (FMC)	`firewall.cisco.fmc`	`firewall.cisco.fmc`
	`firewall.cisco.fmc_audit`	`firewall.cisco.fmc_audit`
	`firewall.cisco.fmc_other`	`firewall.cisco.fmc_other`
	`firewall.cisco.fmc_system`	`firewall.cisco.fmc_system`
Cisco FMC eStreamer	`firewall.cisco.fmc_estreamer`	`firewall.cisco.fmc_estreamer`
	`firewall.cisco.fmc_estreamer.connection`	`firewall.cisco.fmc_estreamer.connection`
	`firewall.cisco.fmc_estreamer.correlation`	`firewall.cisco.fmc_estreamer.correlation`
	`firewall.cisco.fmc_estreamer.event`	`firewall.cisco.fmc_estreamer.event`
	`firewall.cisco.fmc_estreamer.file_malware`	`firewall.cisco.fmc_estreamer.file_malware`
	`firewall.cisco.fmc_estreamer.intrusion`	`firewall.cisco.fmc_estreamer.intrusion`
	`firewall.cisco.fmc_estreamer.metadata`	`firewall.cisco.fmc_estreamer.metadata`
	`firewall.cisco.fmc_estreamer.packet`	`firewall.cisco.fmc_estreamer.packet`
	`firewall.cisco.fmc_estreamer.rna`	`firewall.cisco.fmc_estreamer.rna`
	`firewall.cisco.fmc_estreamer.rua`	`firewall.cisco.fmc_estreamer.rua`
Cisco Firepower Threat Defense (FTD)	`firewall.cisco.ftd`	`firewall.cisco.ftd`
Cisco Firewall Services Module (FWSM)	`firewall.cisco.fwsm`	`firewall.cisco.fwsm`
Cisco PIX (Private Internet eXchange)	`firewall.cisco.pix`	`firewall.cisco.pix`
Cisco SFIMS	`firewall.cisco.sfims`	`firewall.cisco.sfims`

For more information, read more about Devo tags.

Cisco Firewall Configuration

The Cisco firewall can be configured to report its logs to a remote syslog server, in this case, the Devo relay. To configure this using Cisco's Adaptive Security Device Manager (ASDM), follow the vendor instructions.

In order to get all your events in your Devo domain, you must add the hostname to your syslog events by executing the following command:

ciscoasa(config)# logging device-id hostname

Learn more about this process here.

Devo relay rules

You will need to define relay rules that can correctly identify the event type and apply the corresponding tag.

We'll use mostly type-2 relay rules that apply a fixed tag based upon specific data contained in the inbound event and all rules are defined on the same port. In this example, we're using port 13007, but you can use any free port on your relay. The last rule is a type-1 rule and applies the firewall.cisco.asa tag to any event that didn't match the previous rules.

These instructions cover all of the event types and the order is important. Even if you are only sending some of the Cisco firewall event types to Devo, be sure to follow the same order.

Rule 1: Cisco Firepower Threat Defense events

Source port → Any free port (Eg. 13007)
Source data → %FTD-
Target tag → firewall.cisco.ftd
Select the Stop processing and Sent without syslog tag checkboxes

Rule 2: Cisco Firepower Management Central events

Source port → Any free port (Eg. 13007)
Source data → FMC
Target tag → firewall.cisco.fmc
Select the Stop processing and Sent without syslog tag checkboxes

Rule 3: Cisco Firewall Services Module events

Source port → Any free port (Eg. 13007)
Source data → %FWSM-
Target tag → firewall.cisco.fwsm
Select the Stop processing and Sent without syslog tag checkboxes

Rule 4: Cisco PIX events

Source port → Any free port (Eg. 13007)
Source data → %PIX-
Target tag → firewall.cisco.pix
Select the Stop processing and Sent without syslog tag checkboxes

Rule 5: Cisco ASA VPN events

This rule must precede the Cisco ASA rule. The regex in the Source Data field identifies all event codes associated with the VPN.

Source port → Any free port (Eg. 13007)
Source data → ASA-[0-9]+-(?:722010|722036|113039|716059|722012|716058|716002|722033|722034|722037|722023|722028|722032|722051|722055|722022|722041)
Target tag → vpn.cisco.asa.anyconnect
Select the Stop processing and Sent without syslog tag checkboxes

Rule 6: Cisco ASA events

All events received on this port that did not match any of the previous rules will be assigned the firewall.cisco.asa tag.

Source port → Any free port (Eg. 13007)
Target tag → firewall.cisco.asa
Select the Stop processing and Sent without syslog tag checkboxes

Firepower through eStreamer eNcore CLI

Tag structure

This technology uses a single tag to support all the Firepower Management Center events. The tag is simply firewall.cisco.fmc_estreamer and the associated events are saved in Devo in a table of the same name.

For more information, read more about Devo tags.

eStreamer eNcore CLI Configuration

The eStreamer eNcore CLI can be configured to report its logs to a remote syslog server, in this case, the Devo relay. Note that you must select JSON as the output.

To configure it, follow the vendor instructions.

Devo relay rule

You will need to define a relay rule that can correctly identify these events and apply the corresponding tag.

We'll use a rule that applies a fixed tag based upon this data arriving at a defined port, in this case, 13011, but you can use any free port on your relay.

Source port → Any free port (Eg. 13011)
Target tag → firewall.cisco.fmc_estreamer
Select the Stop processing checkbox

Table structure

These are the fields displayed in these tables: