Cisco FTD Intrusion events logs are not parsed properly?

It seems that some intrusion events from Cisco FTD is not parse.
Filebeat version:

7.4.0 (amd64), libbeat 7.4.0 [f940c36884d3749901a9c99bea5463a6030cdd9c built 2019-09-27 07:45:44 +0000 UTC]

For example, this is a parsed result doc from Cisco FTD syslog

{
"_index": "filebeat-7.4.0-2019.10.03-000001",
"_type": "_doc",
"_id": "tPC-q20BrXuWs4jtIAng",
"_version": 1,
"_score": null,
"_source": {
"agent": {
"hostname": "KGP",
"id": "aa465eae-a36e-4668-925f-4460ca76fff6",
"type": "filebeat",
"ephemeral_id": "6b0b39c2-e98d-488d-9fd2-c0d73cf1357c",
"version": "7.4.0"
},
"process": {
"name": "FTDFileBeatCisco"
},
"log": {
"level": "debug",
"source": {
"address": "192.168.56.11:40359"
}
},
"syslog": {
"facility": 42
},
"fileset": {
"name": "ftd"
},
"tags": [
"cisco-ftd"
],
"input": {
"type": "udp"
},
"@timestamp": "2019-10-08T07:20:26.000-07:00",
"ecs": {
"version": "1.1.0"
},
"service": {
"type": "cisco"
},
"host": {
"hostname": "fmc",
"os": {
"kernel": "3.10.0-957.10.1.el7.x86_64",
"codename": "Core",
"name": "CentOS Linux",
"family": "redhat",
"version": "7 (Core)",
"platform": "centos"
},
"containerized": false,
"name": "KGP",
"id": "75b60ddb7dfa4a9bac66a69255e9230a",
"architecture": "x86_64"
},
"event": {
"severity": 7,
"original": "[1:23111:11] "POLICY-OTHER PHP uri tag injection attempt" [Impact: Unknown] From "MAIN-HE" at Tue Oct 8 14:20:25 2019 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} 192.168.202.83:57039 (unknown)->192.168.66.15:80 (unknown)",
"timezone": "-07:00",
"module": "cisco",
"dataset": "cisco.ftd"
},
"cisco": {
"ftd": {
"security": {}
}
}
},
"fields": {
"@timestamp": [
"2019-10-08T14:20:26.000Z"
]
},
"sort": [
1570544426000
]
}

The source ip and destination ip are not in the parsed results?
There are no cisco.ftd.* fields for this event, especially for the intrusion events that are listed in Cisco FMC dashboard. I did see cisco.ftd.* fields for other events from the same ftd syslog though.

These issues mentioned might be related:


The provided log message:

POLICY-OTHER PHP uri tag injection attempt" [Impact: Unknown] From "MAIN-HE" at Tue Oct 8 14:20:25 2019 UTC [Classification: Web Application Attack] [Priority: 1] {tcp} 192.168.202.83:57039 (unknown)->192.168.66.15:80 (unknown)

Does not match the FTD syslog messages documented here.

I think this a message from the FMC itself, which we don't support. But if you can point us at where in the FMC configuration do you enable this kind of messages we can create an improvement issue to add this kind of messages in a future version.

Here is the the instruction: Configuring Syslog Alerting for Intrusion Events
that I followed.

.i.e, clicking through: Policy -> Access Control -> Intrusion -> Choose a Policy -> Advanced Settings -> Syslog Alerting.

I see. So those are FMC logs which are not parsed by the cisco/ftd fileset. Feel free to open an Enhancement request.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.