Device Details

Device NameCisco Firepower
Device TypeCisco Firepower
Supported Model Name/NumberN/A
Supported Software VersionN/A
Collection MethodSyslog
Configurable Log OutputNo
Log Source TypeSyslog - Cisco Firepower
Log Processing PolicyLogRhythm Default
Additional InformationN/A

Supported Log Messages

(List of LR tags used to parse the log information for each message type)

TypeProduct VersionSupported Schema Fields
Access Control MessagesN/A<severity>, <vmid>, <action>, <sip>, <dip>, <sport>, <dport>, <protname>, <policy>, <objectname>, <seconds>, <useragent>, <version>, <packetsout>, <packetsin>, <bytesout>, <bytesin>, <responsecode>, <objecttype>, <url>
Blacklisted DNS Request MessagesN/A<severity>, <vmid>, <action>, <sip>, <dip>, <sport>, <dport>, <protname>, <policy>, <objectname>, <seconds>, <useragent>, <version>, <packetsout>, <packetsin>, <bytesout>, <bytesin>, <responsecode>, <objecttype>, <url>
Catch All : Level 1 1N/A<tag1>, <severity>
Catch All : Level 4 : Signature DetectionN/A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <object>, <objectname>, <subject>, <threatname>, <sender>, <tag1>
Deny IP SpoofN/A<severity>, <vendorinfo>, <subject>, <sip>, <dip>, <sinterface>
DNS Query MessageN/A<severity>, <sip>, <dip>, <sport>, <dport>, <protname>, <subject>, <objecttype>, <reason>, <account>, <sessiontype>, <policy>, <status>, <tag1>
Duplicate TCP SYNN/A<severity>, <vendorinfo>, <subject>, <dip>, <dport>, <sip>, <sport>, <sinterface>,
EPCL IPS PolicyN/A<severity>, <sip>, <dip>, <sname>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <session>, <sessiontype>, <object>, <objectname>, <subject>, <version>, <url>, <policy>, <action>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <amount>, <quantity>
EVID 430001: Intrusion EventN/A<vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <dip>, <dname>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <process>, <object>, <subject>, <serialnumber>, <useragent>, <policy>, <group>, <command>, <action>, <result>, <responsecode>
EVID 430002/430003: Connection eventN/A<severity>, <vmid>, <action>, <objecttype>, <sip>, <dip>, <sport>, <dport>, <protname>, <sinterface>, <dinterface>, <policy>, <reason>, <login>, <useragent>, <quantity>, <itemsout>, <itemsin>, <bytesout>, <bytesin>, <url>
EVID 430002/430003: Connection Event MessagesN/A<severity>, <vmid>, <tag1>, <sip>, <dip>, <sport>, <dport>, <protname>, <sinterface>, <dinterface>, <policy>, <subject>, <login>, <useragent>, <objectname>, <object>, <duration>, <itemsout>, <itemsin>, <bytesout>, <bytesin>, <objecttype>, <url>
EVID 430005: File Malware EventN/A<severity>, <vmid>, <sip>, <dip>, <sport>, <dport>, <protname>, <action>, <hash>, <subject>, <threatname>, <objectname>, <objecttype>, <size>, <command>, <login>, <policy>, <url>
EVID 733100: Object Exceeded Threshold RateN/A<severity>, <vmid>, <threatname>, <subject>, <reason>
EVID 771002: System Clock SetN/A<severity>, <vmid>, <action>, <object>, <sip>
FirePower : User System MsgN/A<severity>, <vendorinfo>, <processid>, <threatid>, <sip>, <sport>, <result>, <protname>, <dport>
Firepower Authpriv System MsgN/A<sip>, <severity>, <vendorinfo>, <login>, <result>, <dip>, <process>, <processid>, <action>
FirePOWER Debug MesageN/A<severity>, <dname>, <sname>, <login>, <domainorigin>, <action>, <tag1>, <result>
FirePower Error Messages V6.4.0.4N/A<severity>, <vmid>, <subject>, <dip>, <dport>, <sip>, <sport>, <reason>, <sinterface>, <process>, <processid>, <quantity>
FirePOWER Informational MessageN/A<vendorinfo>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <domainorigin>, <object>, <objectname>, <subject>, <threatname>, <url>, <useragent>, <policy>, <command>, <action>, <reason>, <sender>, <recipient>, <bytesin>, <bytesout>, <itemsin>, <itemsout>, <tag1>
Firepower Local System MsgN/A<sip>, <severity>, <vendorinfo>, <result>, <protname>, <process>, <processid>
Firepower Malware EventsN/A<severity>, <dname>, <vendorinfo>, <hash>, <objecttype>, <threatname>, <sip>, <dip>
FirePower Vulnerability SignaturesN/A<vmid>, <severity>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <login>, <object>, <objectname>, <subject>, <threatname>, <version>, <group>, <result>, <tag1>
FirePOWER Warning MessageN/A<severity>, <dname>, <process>, <object>, <subject>, <sname>, <objecttype>, <protname>, <sip>, <sport>, <dip>, <dport>
Matching Connection For ICMPN/A<severity>, <vendorinfo>, <subject>, <dip>, <dport>, <sip>, <sport>, <object>, <sinterface>, <dinterface>, <protname>, <responsecode>, <snatip>, <dnatip>
Object DropN/A<severity>, <vendorinfo>, <action>, <subject>, <rate>, <amount>, <size>
Process Information 1N/A<severity>, <process>, <login>, <sip>, <action>, <url>, <status>, <vmid>, <object>, <policy>
Recieved ARPN/A<severity>, <vendorinfo>, <sip>, <dip>, <command>, <smac>, <dmac>, <sinterface>,
SFIMS : Catch All Level 1N/A<process>, <subject>, <object>, <dname>, <objectname>, <severity>, <protname>, <sip>, <sport>, <dip>, <dport>
SFIMS Apache Struts Server MessagesN/A<severity>, <sip>, <dip>, <dname>, <sport>, <dport>, <protname>, <object>, <objectname>, <subject>, <threatname>
SFIMS General MessagesN/A<dip>, <dport>, <dmac>, <protname>, <objecttype>, <subject>, <hash>, <command>, <sender>, <recipient>, <amount>, <tag1>, <tag2>
Translation Creation FailedN/A<severity>, <vendorinfo>, <sip>, <dip>, <protname>, <responsecode>, <sinterface>, <dinterface>, <status>, <object>

Revision History

KB VersionLog TypeChange TypeDetails
KB 7.1.620.0Syslog - Cisco FirepowerDevice DocumentationN/A