Cisco Firepower Logs

Ship logs from Cisco Firepower to Logstash

Filebeat is a lightweight shipper that enables you to send your Cisco Firepower logs to Logstash and Elasticsearch. Configure Filebeat using the pre-defined examples below to start sending and analysing your Firepower logs.

Install Integration

Please click on the Install Integration button to configure your stack for this source.

Install Filebeat

To get started you will need to install filebeat. To do this you have two main options:

To successfully install filebeat and set up the required Windows service you will need to have administrator access.

If you have chosen to download the zip file:

  • Extract the contents of the zip file into C:\Program Files.
  • Rename the extracted folder to filebeat
  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
  • From the PowerShell prompt, run the following commands to install filebeat as a Windows service:
cd 'C:\Program Files\filebeat'
.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here (opens in a new tab).

If you have chosen to download the filebeat.msi file:

  • double-click on it and the relevant files will be downloaded.

At the end of the installation process you'll be given the option to open the folder where filebeat has been installed.

  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
  • From the PowerShell prompt, change directory to the location where filebeat was installed and run the following command to install filebeat as a Windows service:
.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here (opens in a new tab).

Locate the configuration file

/etc/filebeat/filebeat.yml 

Configure Filebeat.yml

The configuration file below is pre-configured to send data to your Logit.io Stack.

Copy the configuration file below and overwrite the contents of the Filebeat configuration file typically located at /etc/filebeat/filebeat.yml

# ============================== Filebeat inputs ===============================
filebeat.inputs:
 
- type: udp
    max_message_size: 10MiB
    host: "0.0.0.0:514"
    enabled: true
 
    fields:
        type: ciscofirepower
    fields_under_root: true
    encoding: utf-8
    ignore_older: 12h
 
# ================================== Outputs ===================================
output.logstash:
    hosts: ["@logstash.host:@logstash.sslPort"]
    loadbalance: true
    ssl.enabled: true

If you're running Filebeat 7, add this code block to the end. Otherwise, you can leave it out.

# ... For Filebeat 7 only ...
filebeat.registry.path: /var/lib/filebeat

If you're running Filebeat 6, add this code block to the end.

# ... For Filebeat 6 only ...
registry_file: /var/lib/filebeat/registry

It's a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com (opens in a new tab) is a great choice.

Validate Configuration

In the directory where Filebeat is installed, run the following command to validate the installation:
.\@beatname.exe test config -c @beatname.yml

If the yml file is invalid, @beatname will print a description of the error. For example, if the output.logstash section was missing, @beatname would print no outputs are defined, please define one under the output section

Configure Firepower Syslog server

You can now go ahead and configure your Cisco Firepower Firewall to write all logs to the configured agent address (syslog endpoint) you have configured.

View more details (opens in a new tab) on how to configure Cisco Firepower Syslog.

How to diagnose no data in Stack

If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.

Check Logit.io for your logs

Data should now have been sent to your Stack.

View My Data

If you don't see take a look at How to diagnose no data in Stack below for how to diagnose common issues.

Cisco Firepower Firewall Logging Overview

Cisco Firepower Firewall is a robust network security solution that provides advanced threat protection and intrusion prevention capabilities for organizations. To effectively monitor and analyze network activity and security events, it is crucial to have a reliable and efficient log management solution in place.

Cisco Firepower Firewall generates various types of logs that capture information about network traffic, security events, and potential threats. These logs contain valuable insights into network behavior, user activity, and malicious activities.

To manage Cisco Firepower Firewall logs effectively, organizations can use tools like Filebeat, an open-source log shipper, to send logs to various destinations for analysis. Filebeat can be configured to monitor the Cisco Firepower Firewall logs directory and forward new log entries to systems like OpenSearch, Logstash, or other SIEM solutions.

By leveraging the capabilities of Filebeat and other log management tools, organizations can gain real-time insights into network security incidents, potential breaches, and unauthorized access attempts. This helps security teams respond promptly and effectively to threats, ensuring the integrity and security of their network infrastructure.

In summary, utilizing a log management solution like Filebeat to collect and analyze Cisco Firepower Firewall logs enables organizations to enhance their network security posture. With the ability to monitor network activity and detect potential threats, organizations can maintain a proactive approach to security and safeguard their systems against various cyber threats.