Graylog GROK extractors for Cisco Firepower
Graylog GROK extractors for Cisco Firepower Intrusion events and Access Control log (simple syslog, not estreamer)
firepower-access_control-extractor.json - Access Control log
firepower-intrusion-extractor.json - Intrusion events log
firepower-extractor.json - both Intrusion events and Access Control logs
- Go to System => Inputs
- Choose your Input and select Manage extractors
- Actions => Import extractors
- Paste a body of the extractor into a form.
It is important that all your sensors and sources send in source addresses in the field with the same name. The standard src_addr naming scheme is used in this example. If source addresses are being sent with differing names, analysis will become quite painful. Please edit this extractor to change field names if needed.