Cisco Firepower are the worst firewalls in the entire universe, but this is not the object here… I'm only going to talk about monitoring this crap in an Elastic Stack environment.
To do this, we're going to work with the Filebeat module.
One good thing is that Filebeat comes with a Cisco module whose ftd fileset can handle Firepower (FTD) logs sent via syslog. The bad thing is that there is no preset dashboard for it, so we will have to create one manually.
The first thing we need to do is to configure our Cisco Firepower to send syslog messages to our Filebeat agent. To do this, we need to declare the syslog server and enable syslog logging on the rules we want to monitor.
If you have not yet imported the Elasticsearch PGP key and added the repository definition, see part I.
```console
root@host:~# apt install filebeat
```
```yaml
# ftd fileset of the Filebeat cisco module (modules.d/cisco.yml)
- module: cisco
  ftd:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514
```
```yaml
# filebeat.yml: Elasticsearch output and Kibana endpoint
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "elastic_password;)"
  # Certificate checks are disabled here; with a trusted CA, set
  # ssl.certificate_authorities instead and drop this line.
  ssl.verification_mode: none

# =================================== Kibana ===================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://X.X.X.X:5601"
  ssl.verification_mode: none
```
```console
root@host:~# systemctl restart filebeat
```
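Before pointing the real firewall at the collector, it is worth checking that the UDP listener accepts an FTD-style message and that the key/value body splits into the fields you expect to see in Kibana. The following script is an added example, not code from the original post or from Elastic: it builds a connection event in the `%FTD-<severity>-<message-id>: key: value, key: value` layout the ftd fileset parses, parses it back the same way, and sends it to the syslog port configured above. The device UUID, addresses, hostname and facility are constructed test values, and the script assumes Filebeat runs on the same host (127.0.0.1:514).

```python
"""Build, parse and send a synthetic Cisco FTD syslog event.

Added example, not part of the original post. All event values are
constructed; the listener address assumes Filebeat on this host.
"""
import re
import socket
from datetime import datetime, timezone

FILEBEAT_HOST = "127.0.0.1"   # assumption: Filebeat listens locally
FILEBEAT_PORT = 514           # var.syslog_port from the module config

# %FTD-<severity 0-7>-<numeric message id>: <comma separated key: value body>
HEADER_RE = re.compile(r"^%FTD-(?P<severity>[0-7])-(?P<msg_id>\d+):\s*(?P<body>.*)$")


def build_ftd_event(src_ip, dst_ip, dst_port, action, msg_id=430003, severity=6):
    """Return a constructed FTD connection-event message (without syslog PRI)."""
    fields = [
        ("EventPriority", "Low"),
        ("DeviceUUID", "00000000-0000-0000-0000-000000000000"),  # constructed
        ("InstanceID", "1"),
        ("FirstPacketSecond",
         datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")),
        ("ConnectionID", "1"),
        ("AccessControlRuleAction", action),
        ("SrcIP", src_ip),
        ("DstIP", dst_ip),
        ("SrcPort", "51234"),
        ("DstPort", str(dst_port)),
        ("Protocol", "tcp"),
    ]
    body = ", ".join(f"{k}: {v}" for k, v in fields)
    return f"%FTD-{severity}-{msg_id}: {body}"


def parse_ftd_event(message):
    """Split an FTD message into severity, message id and a dict of fields."""
    m = HEADER_RE.match(message)
    if not m:
        raise ValueError("not an FTD message: %r" % message[:40])
    fields = {}
    for part in m.group("body").split(", "):
        # first ': ' separates key from value; timestamps contain ':' but not ': '
        key, sep, value = part.partition(": ")
        if sep:
            fields[key] = value
    return {
        "severity": int(m.group("severity")),
        "msg_id": int(m.group("msg_id")),
        "fields": fields,
    }


def syslog_frame(message, facility=23, severity=6):
    """Wrap a message as an RFC 3164-style line: <PRI>TIMESTAMP HOSTNAME MESSAGE.

    PRI = facility * 8 + severity; facility 23 is local7, a constructed choice.
    """
    pri = facility * 8 + severity
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} ftd-test {message}"


def send_udp(frame, host=FILEBEAT_HOST, port=FILEBEAT_PORT):
    """Send one syslog frame over UDP; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(frame.encode("utf-8"), (host, port))


if __name__ == "__main__":
    event = build_ftd_event("192.0.2.10", "198.51.100.20", 443, "Allow")
    parsed = parse_ftd_event(event)
    print(parsed["msg_id"], parsed["fields"]["AccessControlRuleAction"])
    print("sent", send_udp(syslog_frame(event)), "bytes")
```

Run it on the Filebeat host, then search Kibana for the constructed device UUID or `SrcIP` value; if the document shows up with the fileset's parsed fields, the listener and the ftd pipeline are working and the real firewall can be pointed at the same port.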
Wait a few minutes and open Kibana.
There is no predefined dashboard for Firepower devices, so we need to create a new one.