To enable audit logging on the FMC so that FireMon gets the syslog messages required for this:
- Login to the FMC
- System > Configuration > Audit Log
- Set "Send Audit Log to Syslog" to Enabled
- Set "Host" to the IP address of the FireMon Data Collector (DC) that monitors the FMC and its devices
The central syslog server on FireMon (Administration > System > Central Syslog Servers) must be configured with the FMC's IP address, and each firewall must be configured with a Syslog Match Name that matches its device name.
Currently, the default regex we use to detect changes is:
sfdccsm.?\s(?<userName>\S+)@.?Policy\sDeployment.*?SUCCESS
This may need adjusting at any time: if the device changes its message format, we have to adapt the regex in order to continue capturing automatic changes.
If the format has changed on the firewall side, adjust FireMon by navigating to Administration > Device > Collection Configurations > [device in question] and duplicating the current regex.
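As an added example (not part of the original article and not FireMon's own code), the script below runs the default change-detection regex over a few constructed syslog lines to show which ones produce a change record and which user name is captured, and then checks a duplicated, adjusted pattern against a constructed "format changed" line that the default pattern would miss. Python's re module does not accept the (?<name>...) named-group syntax used above, so the pattern is written as (?P<name>...) here; the sample lines, the changed-format line and the adjusted pattern are assumptions built for illustration, not real FMC output or a FireMon-supplied regex.

```python
import re

# The page's default regex, with the named group converted from
# (?<userName>...) (.NET/PCRE syntax) to Python's (?P<userName>...).
# No other change has been made to the pattern.
FMC_DEPLOY_REGEX = re.compile(
    r"sfdccsm.?\s(?P<userName>\S+)@.?Policy\sDeployment.*?SUCCESS"
)

# Constructed sample lines (not real FMC output), shaped so that only
# successful Policy Deployment events should produce a change record.
SAMPLE_LINES = [
    "<134>Mar 3 10:15:01 fmc01 sfdccsm: admin@ Policy Deployment, Policy Deployment - SUCCESS",
    "<134>Mar 3 10:16:42 fmc01 sfdccsm: jdoe@,Policy Deployment,Deploy to FTD-EDGE-1,SUCCESS",
    "<134>Mar 3 10:17:05 fmc01 sfdccsm: jdoe@ Policy Deployment, Policy Deployment - FAILURE",
    "<134>Mar 3 10:18:30 fmc01 sfdccsm: jdoe@ Login, Login Success",
]

# Hypothetical changed format (constructed): a source address now follows the "@".
# The default regex allows at most one character between "@" and "Policy",
# so this line would no longer be detected as a change.
CHANGED_FORMAT_LINE = (
    "<134>Mar 3 11:02:11 fmc01 sfdccsm: admin@10.0.0.5, "
    "Policy Deployment, Policy Deployment - SUCCESS"
)

# Hypothetical adjusted pattern (an assumption, not FireMon's): the user name
# stops at the "@", and any non-space token plus an optional space may sit
# between "@" and "Policy Deployment".
ADJUSTED_REGEX = re.compile(
    r"sfdccsm.?\s(?P<userName>[^@\s]+)@\S*\s?Policy\sDeployment.*?SUCCESS"
)


def extract_deployments(lines, pattern=FMC_DEPLOY_REGEX):
    """Return (userName, line) for every line the change-detection pattern matches.

    Mirrors what the collector does: a match means FireMon would record an
    automatic change attributed to userName; no match means the event is ignored.
    """
    hits = []
    for line in lines:
        match = pattern.search(line)
        if match:
            hits.append((match.group("userName"), line))
    return hits


def compare_patterns(lines):
    """Show which lines each pattern detects, to validate a duplicated regex
    before switching the device's collection configuration to it."""
    return {
        "default": [user for user, _ in extract_deployments(lines)],
        "adjusted": [user for user, _ in extract_deployments(lines, ADJUSTED_REGEX)],
    }


if __name__ == "__main__":
    for user, line in extract_deployments(SAMPLE_LINES):
        print(f"change by {user}: {line}")
    print(compare_patterns(SAMPLE_LINES + [CHANGED_FORMAT_LINE]))
```

Running the script against the constructed lines gives two change records (admin and jdoe) under the default pattern; the FAILURE and Login lines are ignored, as is the changed-format line. The adjusted pattern additionally picks up the changed-format line while still matching the original two, which is the check worth doing on a copy of real syslog before replacing the regex in the collection configuration.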
Example:
Logging/Usage:
To enable logging for each rule:
- Login to FMC
- Policies > Access Control > Access Control
- Edit the rule
- Check "Log at End of Connection" on the Logging tab
- Check "Syslog" under "Send Connection Events to:"
- Select the syslog server that was created for the FireMon Data Collector that will watch this device