Syslog - Cisco Firepower

Device Details

Device Name	Cisco Firepower
Vendor	Cisco
Device Type	Cisco Firepower
Supported Model Name/Number	N/A
Supported Software Version	N/A
Collection Method	Syslog
Configurable Log Output	No
Log Source Type	Syslog - Cisco Firepower
Log Processing Policy	LogRhythm Default
Exceptions	N/A
Additional Information	N/A

Supported Log Messages

(List of LR tags used to parse the log information for each message type)

Type	Product Version	Supported Schema Fields
Access Control Messages	N/A	<severity>, <vmid>, <action>, <sip>, <dip>, <sport>, <dport>, <protname>, <policy>, <objectname>, <seconds>, <useragent>, <version>, <packetsout>, <packetsin>, <bytesout>, <bytesin>, <responsecode>, <objecttype>, <url>
Blacklisted DNS Request Messages	N/A	<severity>, <vmid>, <action>, <sip>, <dip>, <sport>, <dport>, <protname>, <policy>, <objectname>, <seconds>, <useragent>, <version>, <packetsout>, <packetsin>, <bytesout>, <bytesin>, <responsecode>, <objecttype>, <url>
Catch All : Level 1 1	N/A	<tag1>, <severity>
Catch All : Level 4 : Signature Detection	N/A	<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <object>, <objectname>, <subject>, <threatname>, <sender>, <tag1>
Deny IP Spoof	N/A	<severity>, <vendorinfo>, <subject>, <sip>, <dip>, <sinterface>
DNS Query Message	N/A	<severity>, <sip>, <dip>, <sport>, <dport>, <protname>, <subject>, <objecttype>, <reason>, <account>, <sessiontype>, <policy>, <status>, <tag1>
Duplicate TCP SYN	N/A	<severity>, <vendorinfo>, <subject>, <dip>, <dport>, <sip>, <sport>, <sinterface>,
EPCL IPS Policy	N/A	<severity>, <sip>, <dip>, <sname>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <session>, <sessiontype>, <object>, <objectname>, <subject>, <version>, <url>, <policy>, <action>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <amount>, <quantity>
EVID 430001: Intrusion Event	N/A	<vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <dip>, <dname>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <process>, <object>, <subject>, <serialnumber>, <useragent>, <policy>, <group>, <command>, <action>, <result>, <responsecode>
EVID 430002/430003: Connection event	N/A	<severity>, <vmid>, <action>, <objecttype>, <sip>, <dip>, <sport>, <dport>, <protname>, <sinterface>, <dinterface>, <policy>, <reason>, <login>, <useragent>, <quantity>, <itemsout>, <itemsin>, <bytesout>, <bytesin>, <url>
EVID 430002/430003: Connection Event Messages	N/A	<severity>, <vmid>, <tag1>, <sip>, <dip>, <sport>, <dport>, <protname>, <sinterface>, <dinterface>, <policy>, <subject>, <login>, <useragent>, <objectname>, <object>, <duration>, <itemsout>, <itemsin>, <bytesout>, <bytesin>, <objecttype>, <url>
EVID 430005: File Malware Event	N/A	<severity>, <vmid>, <sip>, <dip>, <sport>, <dport>, <protname>, <action>, <hash>, <subject>, <threatname>, <objectname>, <objecttype>, <size>, <command>, <login>, <policy>, <url>
EVID 733100: Object Exceeded Threshold Rate	N/A	<severity>, <vmid>, <threatname>, <subject>, <reason>
EVID 771002: System Clock Set	N/A	<severity>, <vmid>, <action>, <object>, <sip>
Firepower : User System Msg	N/A	<severity>, <vendorinfo>, <processid>, <threatid>, <sip>, <sport>, <result>, <protname>, <dport>
Firepower Authpriv System Msg	N/A	<sip>, <severity>, <vendorinfo>, <login>, <result>, <dip>, <process>, <processid>, <action>
Firepower Debug Mesage	N/A	<severity>, <dname>, <sname>, <login>, <domainorigin>, <action>, <tag1>, <result>
Firepower Error Messages V6.4.0.4	N/A	<severity>, <vmid>, <subject>, <dip>, <dport>, <sip>, <sport>, <reason>, <sinterface>, <process>, <processid>, <quantity>
Firepower Informational Message	N/A	<vendorinfo>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <domainorigin>, <object>, <objectname>, <subject>, <threatname>, <url>, <useragent>, <policy>, <command>, <action>, <reason>, <sender>, <recipient>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <tag1>
Firepower Local System Msg	N/A	<sip>, <severity>, <vendorinfo>, <result>, <protname>, <process>, <processid>
Firepower Malware Events	N/A	<severity>, <dname>, <vendorinfo>, <hash>, <objecttype>, <threatname>, <sip>, <dip>
Firepower Vulnerability Signatures	N/A	<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <object>, <objectname>, <subject>, <threatname>, <version>, <group>, <result>, <tag1>
Firepower Warning Message	N/A	<severity>, <dname>, <process>, <object>, <subject>, <sname>, <objecttype>, <protname>, <sip>, <sport>, <dip>, <dport>
Matching Connection For ICMP	N/A	<severity>, <vendorinfo>, <subject>, <dip>, <dport>, <sip>, <sport>, <object>, <sinterface>, <dinterface>, <protname>, <responsecode>, <snatip>, <dnatip>
Object Drop	N/A	<severity>, <vendorinfo>, <action>, <subject>, <rate>, <amount>, <size>
Process Information	N/A	<severity>, <process>, <login>, <sip>, <action>, <url>, <status>, <vmid>, <object>, <policy>
Recieved ARP	N/A	<severity>, <vendorinfo>, <sip>, <dip>, <command>, <smac>, <dmac>, <sinterface>,
SFIMS : Catch All Level 1	N/A	<process>, <subject>, <object>, <dname>, <objectname>, <severity>, <protname>, <sip>, <sport>, <dip>, <dport>
SFIMS Apache Struts Server Messages	N/A	<severity>, <sip>, <dip>, <dname>, <sport>, <dport>, <protname>, <object>, <objectname>, <subject>, <threatname>
SFIMS General Messages	N/A	<dip>, <dport>, <dmac>, <protname>, <objecttype>, <subject>, <hash>, <command>, <sender>, <recipient>, <amount>, <tag1>, <tag2>
Translation Creation Failed	N/A	<severity>, <vendorinfo>, <sip>, <dip>, <protname>, <responsecode>, <sinterface>, <dinterface>, <status>, <object>

Revision History

KB Version	Log Type	Change Type	Details
KB 7.1.620.0	Syslog - Cisco Firepower	Device Documentation	N/A