Elastic Stack 8 - Filebeat to monitor Cisco Firepower Firewalls

Filebeat Architecture

Configuring Cisco Firepower

The first thing we need to do is to configure our Cisco Firepower to send syslog informations to our Filebeat agent. To do this, we need to declare the syslog server and enable syslog to the rules we want to monitor.

Add syslog server object

• Go to Objects > Syslog servers and click Add button :

• Enter Syslog server informations (which is our elastic server) then click OK :

Configure logging

• From main Firewall configuration page go to Logging Settings :

• Go to Logging Settings menu and configure Logging :

Enable syslog to rules

• Edit Firewall rule(s) you want to monitor :

• Enable Logging :

Installing Filebeat

If you have not yet imported Elasticsearch PGP key and add repository definition, see part I.

• Install Filebeat :

root@host:~# apt install filebeat

• Edit /etc/filebeat/modules.d/cisco.yml to enable ftd/firepower module :

  ftd:
    enabled: true

    var.syslog_host: 0.0.0.0
    var.syslog_port: 514

• Edit /etc/filebeat/filebeat.yml to set filebeat :

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "elastic_password;)"
  ssl.verification_mode: none


# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://X.X.X.X:5601"
  ssl.verification_mode: none

• Restart Filebeat :

root@host:~# systemctl restart filebeat

Kibana

Check logs

Wait some minutes and open kibana.

• Go to Analytics > Discover :

• Select filebeat-* and verify that your Data arrives :

Dashboard

There is no predefined dashboard for Firepower devices, so we need to create a new one.

• Open main menu and go to Kibana > Dashboard :

• Click Create dashboard :

Maps

Goal

Procedure

• Click Create new Maps icon :

• Click Add layer > Choropleth :

• Set Boundaries source and Statistics source parameters, then click Save and return :

Gauge

Goal

Procedure

• Click Select type > Aggregation based > Gauge and search for filebeat :

• Add Filter select Aggregation then click Save and return :

Tag cloud

Goal

Procedure

• Click Select type > Aggregation based > Tag cloud and search for filebeat :

• Add Filter set Aggregation parameters then click Save and return :

Pie

Goal

Procedure

• Click Select type > Aggregation based > Pie and search for filebeat :

Source Port and Transport

• Set Metrics and Buckets parameters then click Save and return :

Destination Port and Transport

• Set Metrics and Buckets parameters then click Save and return :

Data table

Goal

Procedure

• Click Select type > Aggregation based > Data table and search for filebeat :

• Add Filter set Metrics and Buckets parameters then click Save and return :