ioncannon23_529
Sep 14, 2009

Firepass 4300 Logging

Hello all, my group at work has the honor of gathering security device logs from all devices for ArcSight to parse and normalize. Our organization has Firepass 4300s and unfortunately we do not have access to the devices to look at their logging setup. They are sending us the logs via syslog but we are receiving very little data. It's almost like they have turned on the lowest level of logging available. Can anyone explain how the Firepass logging is configured so we can recommend a logging setting to the device group? Also, does anyone have a good Firepass FlexConnector for ArcSight in their organization that they wouldn't mind sharing? Thanks for any help.

-kevin
  • Each logging addition adds load onto the Firepass; this is not a regular server. I would recommend turning on app logging if you want application logs. Basically, FTP the app logs off once they reach a certain size or date.
  • Mike, thanks for the message. Right now we are receiving syslog from the Firepass directly and it seems to be working fine, save for the fact ArcSight cannot properly parse the logs. So what exactly will the application level logging show?

    -kevin
  • Links clicked on by the user. You will have to log the data differently. Syslog is not meant to capture user or admin data.