Cisco Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 31 Configuring External Alerting for Intrusion Rules
Configuring Syslog Responses
License: Protection
You can configure syslog alerting in an intrusion policy. After you apply the policy as part of an access control policy, the system notifies you of any intrusion events it detects via the syslog. For more information on syslog alerting, see .
To configure syslog alerting options:
Access: Admin/Intrusion Admin
Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2 Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3 Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.
Step 4 You have two choices, depending on whether Syslog Alerting under External Responses is enabled:
• If the configuration is enabled, click Edit.
• If the configuration is disabled, click Enabled, then click Edit.
The Syslog Alerting page appears.
A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See for more information.
Step 5 Optionally, in the Logging Hosts field, enter the remote access IP address you want to specify as the logging host. Separate multiple hosts with commas.
Step 6 Select facility and priority levels from the drop-down lists.
See for details on facility and priority options.
Step 7 Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. See the table for more information.
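The following Python check is an added example, not part of the Cisco guide. It validates a comma-separated Logging Hosts value (Step 5) and, on the logging host, confirms that received messages carry the facility and priority selected in Step 6. It assumes the drop-down options map to the standard syslog codes (PRI = facility × 8 + severity, where the guide's "priority" corresponds to syslog severity); the sample messages and addresses are constructed.

```python
import ipaddress
import re

# Standard syslog codes (RFC 5424); PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_logging_hosts(field):
    """Split a comma-separated Logging Hosts value; raise ValueError on a bad address."""
    hosts = [h.strip() for h in field.split(",") if h.strip()]
    return [str(ipaddress.ip_address(h)) for h in hosts]


def decode_pri(message):
    """Return (facility, severity) names from the <PRI> prefix, or None if absent/invalid."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def mismatches(messages, facility, severity):
    """List messages whose PRI is missing or differs from the configured pair."""
    return [m for m in messages if decode_pri(m) != (facility, severity)]


# Constructed sample datagrams, not real FireSIGHT output.
SAMPLES = [
    b"<33>Jan  1 00:00:00 sensor example: constructed alert text",  # auth.alert
    b"<38>Jan  1 00:00:00 sensor example: constructed alert text",  # auth.info
    b"Jan  1 00:00:00 sensor example: no PRI prefix",
]

if __name__ == "__main__":
    print(parse_logging_hosts("192.0.2.10, 192.0.2.11"))
    for bad in mismatches(SAMPLES, "auth", "alert"):
        print("unexpected:", bad)
```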
Understanding Email Alerting
License: Protection
Email alerts are notifications of intrusion events by email. Email alerts include the following information:
• total number of alerts in the database