Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 31      Configuring External Alerting for Intrusion Rules
Step 6
Select either SNMP v2 or SNMP v3:
  • To configure SNMP v2, enter the IP address and the community name of the trap server you want to use in the corresponding fields. SNMP v2 sends the community name in cleartext with every trap and does not authenticate the sender, so use it only on a trusted management network and prefer SNMP v3 where the trap server supports it. See 
  • To configure SNMP v3, enter the IP address of the trap server you want to use, an authentication password, a private password, and a user name in the corresponding fields. The authentication password lets the trap server verify that the trap came from this system; the private (privacy) password encrypts the trap contents on the wire. See  for more information.
Note
You must select either SNMP v2 or SNMP v3.
Note
When you enter an SNMP v3 password, it is displayed in plain text on screen during initial configuration but is saved in encrypted form. Enter it where the screen cannot be observed.
Step 7
Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the  table for more information.
Using Syslog Responses
License: Protection
The system log, or syslog, is the standard mechanism for logging network events. You can send syslog alerts, which are intrusion event notifications, to the syslog on an appliance. Syslog lets you categorize messages by priority and facility: the priority reflects the severity of the alert, and the facility identifies the subsystem that generated it. The facility and priority are not shown in the text of the message as it appears in the log; they are carried in the message's priority value, which the receiving syslog host uses to decide how to categorize, route, or filter the message.
Syslog alerts contain the following information:
  • date and time of alert generation
  • event message
  • event data
  • generator ID of the triggering event
  • Snort ID of the triggering event
  • revision
In an intrusion policy, you can turn on syslog alerting and specify the syslog priority and facility to attach to intrusion event notifications. When you apply the intrusion policy as part of an access control policy, the system sends a syslog alert for each intrusion event it detects to the syslog facility on the local host or to the logging host specified in the policy. The receiving host uses the facility and priority you configured to categorize the alerts, so the filters or rules on that host must match the values set in the policy or the alerts will be filed somewhere other than where you expect. Note that plain syslog is neither authenticated nor encrypted, so a remote logging host should be reached over a trusted management network.
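As an added example (not code from this guide or from Cisco), the following Python shows what a receiving host does with the alerts described above: it decodes the facility and severity from the syslog priority value, extracts the generator ID, Snort ID and revision together with the event message and event data, and checks that every alert arrived with the facility and priority the intrusion policy was configured to send. The line layout, the `SFIMS` tag, the Snort-style `[gid:sid:rev]` notation and all sample messages are assumptions constructed for this example; the exact format emitted by a given FireSIGHT version may differ.

```python
import re

# Syslog facility and severity codes (RFC 3164 / RFC 5424). These are the
# values you choose from when you enable syslog alerting in an intrusion
# policy; the guide calls the severity the "priority".
FACILITIES = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11,
    "LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19,
    "LOCAL4": 20, "LOCAL5": 21, "LOCAL6": 22, "LOCAL7": 23,
}
SEVERITIES = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}
_FACILITY_BY_CODE = {v: k for k, v in FACILITIES.items()}
_SEVERITY_BY_CODE = {v: k for k, v in SEVERITIES.items()}


def pri(facility, severity):
    """Encode facility and severity into the PRI value that leads a syslog line."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value):
    """Split a PRI value back into (facility, severity) names."""
    code = value // 8
    facility = _FACILITY_BY_CODE.get(code, str(code))  # codes 12-15 have no name here
    return facility, _SEVERITY_BY_CODE[value % 8]


# Assumed line layout (constructed for this example, not a captured FireSIGHT line):
#   <PRI>Mmm dd hh:mm:ss host TAG: [gid:sid:rev] "message" event data...
# [gid:sid:rev] is the Snort convention for generator ID, Snort ID and rule revision.
ALERT_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^:\s]+): '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'"(?P<msg>[^"]*)"'
    r'(?P<data>.*)$'
)


def parse_alert(line):
    """Return the fields of one syslog intrusion alert, or None for any other line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "facility": facility,
        "severity": severity,
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "message": m.group("msg"),
        "data": m.group("data").strip(),
    }


def audit_alerts(lines, expected_facility, expected_severity):
    """Parse a batch of syslog lines, keep the intrusion alerts and flag any whose
    facility/severity differ from what the intrusion policy was set to send.
    A mismatch usually means a relay rewrote the PRI or another sensor is using a
    different policy; either way the receiver files those alerts elsewhere."""
    alerts, mismatches = [], []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # not an intrusion alert (e.g. an sshd message on the same host)
        alerts.append(alert)
        if (alert["facility"], alert["severity"]) != (expected_facility, expected_severity):
            mismatches.append(alert)
    return alerts, mismatches


# Constructed sample input: three intrusion alerts (SIDs in the local-rule range)
# and one unrelated sshd line. PRI 132 = LOCAL0.WARNING, 164 = LOCAL4.WARNING.
SAMPLE_LINES = [
    '<132>Mar 14 10:22:31 sensor1 SFIMS: [1:1000001:3] "Example rule A" '
    '[Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.0.2.10:41022 -> 198.51.100.5:161',
    '<132>Mar 14 10:22:35 sensor1 SFIMS: [1:1000002:1] "Example rule B" '
    '[Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 192.0.2.11:51234 -> 198.51.100.20:80',
    '<38>Mar 14 10:22:40 sensor1 sshd[1234]: Accepted publickey for admin from 192.0.2.99 port 50010',
    '<164>Mar 14 10:22:44 sensor2 SFIMS: [3:1000003:7] "Example rule C" '
    '[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.12:44000 -> 198.51.100.30:443',
]

if __name__ == "__main__":
    found, bad = audit_alerts(SAMPLE_LINES, "LOCAL0", "WARNING")
    for a in found:
        print(f'{a["timestamp"]} {a["host"]} {a["facility"]}.{a["severity"]} '
              f'[{a["gid"]}:{a["sid"]}:{a["rev"]}] {a["message"]}')
    print(f"{len(bad)} alert(s) arrived with an unexpected facility/severity")
```

Run it as a script to see the three alerts and the one mismatch from sensor2, whose policy sends to LOCAL4 rather than the LOCAL0 the receiver expects. The same `audit_alerts` check, pointed at the receiver's live log, is a quick way to confirm that an intrusion policy's syslog settings and the logging host's filter rules agree.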