Cisco Firepower extractors

Other Solutions

Graylog extractors for Cisco Firepower logs

mmogilko
free!

Published: 27 Oct 06:04

Last Push: 04 Nov 06:19

Discussion: 8 Comments

Comments

jezzadb over 1 year ago

Hi, I managed to create some extractors to get out what I was after. Again, they may be inefficient but I am happy to upload these for people if they would like them.

jezzadb over 1 year ago

Hi, do you by any chance have an extractor for Malware events? I want to extract source IP, destination IP and malware event from Firepower. Thanks for your time.

bubba198 over 1 year ago

Hi everyone, in my case I get absolutely nothing in Graylog from a FirePOWER Management Center or the sensor. Would the extractor make the difference between getting zero and basically receiving the syslog stream as one would expect? I was hoping to see some input without this extractor, truncated or whatnot, but at least something -- yet I get nada. I, of course, will try the extractor. Thanks

cosmonaft67 over 2 years ago

Hi,
Thank you for your help.
Yes, I needed an extractor for "Access control" events.
Now the extractor is working!

mmogilko over 2 years ago

UPD:
firepower-access_control-extractor.json - Access Control log
firepower-intrusion-extractor.json - Intrusion events log
firepower-extractor.json - both

mmogilko over 2 years ago

Hi cosmonaft67,
Please try new firepower-access_control-extractor.json

mmogilko over 2 years ago

Hi cosmonaft67,
Yes, I'm using ver.6.0, will update soon :)
However, as I wrote in Readme on Github, it is an extractor for "Intrusion events" log. But you have sent an example of the "Access control" log, if I'm not mistaken.
For me, "Access control" logs currently are not as informative in case of the license suite that we use. But I'll make an extractor tomorrow. Who knows, maybe it will be useful to someone else? :)

cosmonaft67 over 2 years ago

Hi,
Thank you for your work!
Do you have Firepower ver. 6.0?
I have Firepower ver. 6.1.0 and the extractor doesn't work.
Please help me create an extractor for Firepower ver. 6.1.0.
Log event example:
Sourcefire3D SFIMS: Protocol: UDP, SrcIP: 10.0.0.1, OriginalClientIP: ::, DstIP: 8.8.8.8, SrcPort: 55950, DstPort: 53, TCPFlags: 0x0, IngressInterface: lan, EgressInterface: lan, IngressZone: wan, EgressZone: WAN, DE: Primary Detection Engine (f28f7400-7bd8-11e5-b2ee-ba792af6f2e6), Policy: Access Control Policy M11, ConnectType: Start, AccessControlRuleName: Allow all from LAN to WAN, AccessControlRuleAction: Allow, Prefilter Policy: Default Prefilter Policy, UserName: No Authentication Required, Client: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 84, ResponderBytes: 0, NAPPolicy: WAN, DNSQuery: yandex.ru, DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown, URLReputation: Risk unknown
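As an added example, not part of the marketplace package or any commenter's code, here is a small Python parser for the "Access control" line format quoted above. It shows what an extractor has to do with this format: drop the "<host> SFIMS: " prefix, split the comma-separated "Key: value" pairs, keep the key/value split on the first ": " so a value such as "::" survives, and then type and rename the fields. The snake_case field names and the sample line (built from the event above) are assumptions made here, not Graylog or Firepower conventions.

```python
"""Parse a Cisco Firepower 'SFIMS' access-control syslog line into typed fields."""
import ipaddress
import json
import re
from typing import Any, Dict

# Constructed sample line: the access-control event quoted in the comment above.
SAMPLE_LINE = (
    "Sourcefire3D SFIMS: Protocol: UDP, SrcIP: 10.0.0.1, OriginalClientIP: ::, "
    "DstIP: 8.8.8.8, SrcPort: 55950, DstPort: 53, TCPFlags: 0x0, "
    "IngressInterface: lan, EgressInterface: lan, IngressZone: wan, EgressZone: WAN, "
    "DE: Primary Detection Engine (f28f7400-7bd8-11e5-b2ee-ba792af6f2e6), "
    "Policy: Access Control Policy M11, ConnectType: Start, "
    "AccessControlRuleName: Allow all from LAN to WAN, AccessControlRuleAction: Allow, "
    "Prefilter Policy: Default Prefilter Policy, UserName: No Authentication Required, "
    "Client: DNS, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 84, "
    "ResponderBytes: 0, NAPPolicy: WAN, DNSQuery: yandex.ru, "
    "DNSRecordType: a host address, DNSResponseType: No Error, Sinkhole: Unknown, "
    "URLCategory: Unknown, URLReputation: Risk unknown"
)


def parse_sfims_line(line: str) -> Dict[str, str]:
    """Return the raw 'Key: value' pairs of one SFIMS line as a dict.

    After the '<host> SFIMS: ' prefix the line is a ', '-separated list of
    'Key: value' pairs. Values may contain spaces and parentheses but, in this
    format, no ', ' sequence, so splitting on ', ' is safe. Only the first ': '
    of each chunk is treated as the separator, so 'OriginalClientIP: ::' yields
    the value '::' (the unspecified IPv6 address) instead of being mangled.
    """
    _, sep, body = line.partition("SFIMS: ")
    if not sep:
        raise ValueError("not a Firepower SFIMS event: %r" % line[:60])
    fields: Dict[str, str] = {}
    for chunk in body.split(", "):
        key, ksep, value = chunk.partition(": ")
        if not ksep:
            # Keep malformed chunks visible rather than dropping them silently.
            fields["_unparsed"] = fields.get("_unparsed", "") + chunk + ";"
            continue
        fields[key.strip()] = value.strip()
    return fields


def _snake(name: str) -> str:
    """CamelCase/acronym key -> snake_case, e.g. 'SrcIP' -> 'src_ip'."""
    return re.sub(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])", "_", name).lower()


def to_typed_fields(raw: Dict[str, str]) -> Dict[str, Any]:
    """Validate and type the fields an analyst usually searches on.

    The snake_case names are an assumption of this example; pick whatever
    naming your Graylog streams already use.
    """
    out: Dict[str, Any] = {}
    for key in ("SrcIP", "DstIP", "OriginalClientIP"):
        if key in raw:
            # Validate instead of trusting the string; a bad address is a signal.
            out[_snake(key)] = str(ipaddress.ip_address(raw[key]))
    for key in ("SrcPort", "DstPort", "InitiatorPackets", "ResponderPackets",
                "InitiatorBytes", "ResponderBytes"):
        if key in raw:
            out[_snake(key)] = int(raw[key])
    if "TCPFlags" in raw:
        out["tcp_flags"] = int(raw["TCPFlags"], 16)  # '0x0' -> 0
    for key in ("Protocol", "ConnectType", "Policy", "AccessControlRuleName",
                "AccessControlRuleAction", "UserName", "Client", "DNSQuery",
                "URLCategory", "URLReputation"):
        if key in raw:
            out[_snake(key)] = raw[key]
    # Any rule action containing 'block' (e.g. 'Block', 'Block with reset')
    # is treated as a block for alerting purposes.
    out["is_blocked"] = "block" in raw.get("AccessControlRuleAction", "").lower()
    return out


if __name__ == "__main__":
    print(json.dumps(to_typed_fields(parse_sfims_line(SAMPLE_LINE)), indent=2))
```

Running the block prints the typed fields for the sample event; feeding it a real syslog stream would mean calling `parse_sfims_line` per message and indexing the result of `to_typed_fields`. The same split-then-type approach is what a Graylog regex or Grok extractor encodes field by field.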
