Configuring Cisco Firepower Threat Defense to communicate with QRadar

To send intrusion or connection events to QRadar by using the syslog protocol, you need to enable external logging and configure basic settings on your Cisco Firepower appliance.

Procedure

  1. Log in to your Cisco Firewall appliance.
  2. Enable external logging. For more information, see FTD Platform Settings That Apply to Security Event Syslog Messages (https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/platform_settings_for_firepower_threat_defense.html#id_84926).
  3. Enable Logging Destinations. For more information, see FTD Platform Settings That Apply to Security Event Syslog Messages (https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/platform_settings_for_firepower_threat_defense.html#id_84926).
  4. Deploy changes. For more information, see Deploy Configuration Changes (https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/policy_management.html#task_75E181687ECF4EFC8EB6AF4509C20C0B).

What to do next

If QRadar does not automatically detect the log source, add a log source in QRadar. For more information, see Adding a log source.
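
Added example (not part of the original page, and not IBM or Cisco code): a small Python check you can run over captured syslog lines to confirm that the appliance is sending intrusion and connection events after the deployment. It assumes the security-event message IDs 430001, 430002 and 430003 and the comma-separated "Key: value" layout from Cisco's FTD syslog documentation; the function names and sample lines are constructed for illustration.

```python
import re

# Assumption: FTD security-event syslog IDs per Cisco's syslog documentation
# (this page does not list them).
EVENT_TYPES = {
    "430001": "intrusion",
    "430002": "connection (start)",
    "430003": "connection (end)",
}

# "%FTD-<severity>-<message id>: " followed by the key/value body.
TAG_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")
# Split only on ", " that begins a new "Key: " so commas inside values survive.
PAIR_SPLIT_RE = re.compile(r", (?=[A-Za-z][A-Za-z0-9]*: )")

# Constructed sample lines (documentation address ranges, hypothetical host name).
SAMPLE = [
    "<113>Jan 10 12:00:01 ftd-edge-01 : %FTD-1-430001: SrcIP: 192.0.2.10, "
    "DstIP: 198.51.100.5, SrcPort: 51514, DstPort: 80, Protocol: tcp, "
    "Message: Constructed rule, with comma",
    "<113>Jan 10 12:00:02 ftd-edge-01 : %FTD-1-430003: AccessControlRuleAction: Allow, "
    "SrcIP: 192.0.2.10, DstIP: 198.51.100.5, SrcPort: 51515, DstPort: 443, Protocol: tcp",
    "<166>Jan 10 12:00:03 ftd-edge-01 : %FTD-6-302013: Built outbound TCP connection 1",
]


def parse_ftd_event(line):
    """Return a dict for an intrusion/connection event line, else None."""
    m = TAG_RE.search(line)
    if not m or m.group("msg_id") not in EVENT_TYPES:
        return None
    fields = {}
    for pair in PAIR_SPLIT_RE.split(m.group("body")):
        key, sep, value = pair.partition(": ")
        if sep:  # ignore fragments that are not "Key: value"
            fields[key] = value.strip()
    return {
        "msg_id": m.group("msg_id"),
        "event_type": EVENT_TYPES[m.group("msg_id")],
        "severity": int(m.group("sev")),
        "fields": fields,
    }


def summarize(lines):
    """Count lines per event type; anything else is counted as 'other'."""
    counts = {}
    for line in lines:
        event = parse_ftd_event(line)
        kind = event["event_type"] if event else "other"
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

If summarize() reports only "other" for traffic captured from the appliance, security-event syslog is probably not enabled or deployed yet, even though platform syslog is reaching the collector.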