Collect Cisco Firepower NGFW logs

This document explains how to ingest Cisco Firepower Next Generation Firewall (NGFW) logs to Google Security Operations using Bindplane. The parser extracts the logs from various formats (syslog, JSON, and combinations thereof), normalizes the timestamp, and maps relevant fields to the Unified Data Model (UDM). It handles both conventional syslog messages and JSON-formatted payloads within the logs, leveraging grok patterns and conditional logic to extract fields like event ID, severity, and client IP, then enriches the data with labels based on HTTP Hostname and URI.

Before you begin

Make sure you have the following prerequisites:

  • Google SecOps instance
  • Windows 2016 or later, or a Linux host with systemd
  • If running behind a proxy, ensure firewall ports are open
  • Privileged access to a Cisco Firepower device

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the ingestion authentication file.
    • Save the file securely on the system where BindPlane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

      msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

      sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane Agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:
    • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

      receivers:
        udplog:
          # Replace the port and IP address as required
          listen_address: "0.0.0.0:514"

      exporters:
        chronicle/chronicle_w_labels:
          compression: gzip
          # Adjust the path to the credentials file you downloaded in Step 1
          creds_file_path: '/path/to/ingestion-authentication-file.json'
          # Replace with your actual customer ID from Step 2
          customer_id: <customer_id>
          endpoint: malachiteingestion-pa.googleapis.com
          # Add optional ingestion labels for better organization
          log_type: 'CISCO_FIREPOWER_FIREWALL'
          raw_log_field: body
          ingestion_labels:

      service:
        pipelines:
          logs/source0__chronicle_w_labels-0:
            receivers:
              - udplog
            exporters:
              - chronicle/chronicle_w_labels

    • Replace the port and IP address as required in your infrastructure.
    • Replace <customer_id> with the actual customer ID.
    • Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

      sudo systemctl restart bindplane-agent

  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

     net stop BindPlaneAgent && net start BindPlaneAgent 
    
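Before pointing the Firepower device at the agent, it helps to confirm that the udplog receiver and the Chronicle exporter are working. The following added example (not part of this page or of Bindplane) builds an RFC 3164 style datagram carrying a constructed Cisco FTD connection event and sends it to the listen_address configured above; the host name, field values and the 127.0.0.1:514 target are assumptions for a local test.

```python
import socket
from datetime import datetime, timezone

# Constructed Cisco FTD end-of-connection event (message ID 430003);
# the field values are made up for this check.
SAMPLE_FTD_MESSAGE = (
    "%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.2.3, "
    "DstIP: 203.0.113.10, SrcPort: 51514, DstPort: 443, Protocol: tcp, "
    "ACPolicy: Default-Policy, AccessControlRuleName: Allow-Web"
)

def build_syslog_datagram(message, hostname="ftd-lab", facility=20, severity=6, when=None):
    """Build an RFC 3164 style datagram like the one an FTD sends over UDP.

    PRI = facility * 8 + severity. Facility 20 (local4, the ASA/FTD default)
    and severity 6 (informational) give <166>, matching the Informational
    level selected in the Firepower logging settings.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    when = when or datetime.now(timezone.utc)
    # RFC 3164 timestamps pad the day with a space: "Jan  5 09:03:01"
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {message}".encode()

def send_test_event(listen_address="127.0.0.1:514", message=SAMPLE_FTD_MESSAGE):
    """Send one datagram to the udplog listen_address; returns bytes sent."""
    host, _, port = listen_address.rpartition(":")
    datagram = build_syslog_datagram(message)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, int(port)))

if __name__ == "__main__":
    print(send_test_event())  # then search Google SecOps for the raw log
```

After sending, search for the raw log in Google SecOps with log type CISCO_FIREPOWER_FIREWALL; if nothing arrives, check the creds_file_path, customer_id and any host firewall on port 514/udp.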

Configure Syslog on Cisco FirePower Device

  1. Sign in to the Firepower Device Manager web UI.
  2. Go to System Settings > Logging Settings.
  3. Switch the Data Logging toggle to Enable.
  4. Click the + icon under Syslog Servers.
  5. Click Create new Syslog Server. (Alternatively, you can create the Syslog Server in Objects > Syslog Servers).
  6. Provide the following configuration details:
    • IP Address: Enter the Bindplane agent IP address.
    • Protocol Type: Select UDP.
    • Port Number: Enter the Bindplane agent port number.
    • Select Data Interface or Management Interface.
  7. Click OK.
  8. Select the newly created Syslog server from the list and click OK.
  9. Click Severity level for filtering all events and select the Informational logging level from the list.
  10. Click Save.
  11. Click the Deploy New Settings icon > Deploy Now.
  12. Click Policies at the top of the screen.
  13. Hover over the right side of the ACP rule and click Edit.
  14. Go to the Logging tab.
  15. Select At End of Connection.
  16. Open the Select a Syslog Alert Configuration list.
  17. Select the Bindplane Syslog Server.
  18. Click OK.
  19. Click the Deploy New Settings icon > Deploy Now.

UDM mapping table

| Log Field | UDM Mapping | Logic |
|---|---|---|
| AccessControlRuleAction | security_result.action | Directly mapped from the raw log. Values are normalized to UDM (ALLOW/BLOCK). |
| AccessControlRuleName | security_result.rule_name | Directly mapped from the raw log. |
| ACPolicy | security_result.rule_labels.value | Directly mapped from the raw log. Key is set to "ACPolicy". |
| ApplicationProtocol | network.application_protocol | Directly mapped from the raw log. |
| Client | network.http.user_agent | Directly mapped from the raw log. |
| ClientVersion | principal.asset.platform_version | Directly mapped from the raw log. |
| collection_time.nanos | metadata.event_timestamp.nanos | Directly mapped from the raw log. |
| collection_time.seconds | metadata.event_timestamp.seconds | Directly mapped from the raw log. |
| ConnectionDuration | network.session_duration.seconds | Directly mapped from the raw log, converted to seconds if necessary (e.g., from duration format). |
| data | metadata.description | Used in conjunction with eventId to generate a more descriptive description. Also used to extract other fields using grok and regular expressions. |
| deviceId | metadata.product_log_id | Directly mapped from the raw log after renaming to device_uuid. |
| device_uuid | metadata.product_log_id | Directly mapped from the raw log. |
| DstIP | target.asset.ip, target.ip | Directly mapped from the raw log. |
| DstPort | target.port | Directly mapped from the raw log. |
| EgressInterface | principal.asset.attribute.labels.value | Directly mapped from the raw log. Key is set to "EgressInterface". |
| EgressZone | target.location.name | Directly mapped from the raw log. |
| eventId | metadata.product_event_type | Directly mapped from the raw log. Also used for conditional logic and filtering. |
| FileAction | security_result.summary | Directly mapped from the raw log. |
| FileDirection | metadata.description | Directly mapped from the raw log and appended to the description. |
| FileName | target.file.full_path | Directly mapped from the raw log. |
| FilePolicy | security_result.rule_name | Directly mapped from the raw log. |
| FileSize | target.file.size | Directly mapped from the raw log. |
| FileSHA256 | target.file.sha256 | Directly mapped from the raw log. |
| FileSandboxStatus | security_result.description | Directly mapped from the raw log. |
| HTTPReferer | network.http.referral_url | Directly mapped from the raw log. |
| HTTPResponse | network.http.response_code | Directly mapped from the raw log. |
| HTTP_Hostname | target.resource.attribute.labels.value | Directly mapped from the raw log. Key is set to "HTTP_Hostname". |
| HTTP_URI | target.resource.attribute.labels.value | Directly mapped from the raw log. Key is set to "HTTP_URI". |
| IngressInterface | principal.asset.attribute.labels.value | Directly mapped from the raw log. Key is set to "IngressInterface". |
| IngressZone | principal.location.name | Directly mapped from the raw log. |
| InitiatorBytes | network.received_bytes | Directly mapped from the raw log. |
| InlineResult | security_result.action_details | Directly mapped from the raw log. |
| IntrusionPolicy | security_result.rule_name | Directly mapped from the raw log. |
| log_type | metadata.log_type | Directly mapped from the raw log. |
| Message | security_result.description | Directly mapped from the raw log, often prepended with "Message : ". |
| NAPPolicy | principal.asset.attribute.labels.value | Directly mapped from the raw log. Key is set to "NAPPolicy". |
| Prefilter Policy | security_result.rule_labels.value | Directly mapped from the raw log. Key is set to "Prefilter Policy". |
| Priority | security_result.priority_details | Directly mapped from the raw log. |
| priorityId | security_result.priority_details | Directly mapped from the raw log. |
| product | metadata.product_name | Set to "Firepower Firewall". |
| Protocol | network.ip_protocol | Directly mapped from the raw log. Values are normalized to UDM (TCP, UDP, ICMP, etc.). |
| ResponderBytes | network.sent_bytes | Directly mapped from the raw log. |
| Revision | security_result.about.labels.value | Directly mapped from the raw log. Key is set to "Singnature_Version". |
| ruleId | security_result.rule_id | Directly mapped from the raw log. |
| security_result.severity | security_result.severity | Set based on the severity field from the raw log, using a lookup table for mapping to UDM severity values. |
| security_result.severity_details | security_result.severity_details | Set based on the severity field from the raw log, using a lookup table for mapping to UDM severity details. |
| SID | security_result.threat_id | Directly mapped from the raw log. |
| SrcIP | principal.asset.ip, principal.ip | Directly mapped from the raw log. |
| SrcPort | principal.port | Directly mapped from the raw log. |
| syslog_msg_id | metadata.product_event_type | Directly mapped from the raw log after being converted to a string. Used to override the eventId if present. |
| syslog_msg_text | metadata.description, security_result.description | Directly mapped from the raw log, sometimes prepended with "Message : ". Used to override the description generated from data and eventId. |
| syslog_severity | security_result.severity | Directly mapped from the raw log after being converted to a string. Used to override the severity derived from eventId. Values are normalized to UDM (INFORMATIONAL, WARNING, ERROR, etc.). |
| sysloghost | intermediary.hostname | Directly mapped from the raw log. |
| ThreatName | security_result.threat_name | Directly mapped from the raw log. |
| ts | metadata.event_timestamp | Parsed from the raw log using date filters and various formats. |
| ts_year | metadata.event_timestamp | Parsed from the raw log using date filters and various formats. |
| URL | target.url | Directly mapped from the raw log. |
| URLCategory | security_result.category_details | Directly mapped from the raw log. |
| URLReputation | security_result.confidence_details | Directly mapped from the raw log. |
| User | target.user.userid | Directly mapped from the raw log. |
| UserAgent | network.http.user_agent | Directly mapped from the raw log. |
| UserName | target.user.userid | Directly mapped from the raw log. |
| user_name | principal.user.email_addresses | Directly mapped from the raw log for specific event types. |
| WebApplication | target.application | Directly mapped from the raw log. |

metadata.event_type is set to a default value of NETWORK_CONNECTION and is sometimes overridden based on the eventId or other fields.
metadata.vendor_name is always set to "Cisco".
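To make the mapping table concrete, the following added example (an illustration written for this page, not the Google SecOps parser itself) takes a constructed FTD connection event as it would arrive at the udplog receiver and applies a subset of the rows above: the syslog header supplies the message ID, host and syslog severity, and the "Key: Value" body supplies the directly mapped fields. The sample line, the severity thresholds and the dotted-key output shape are assumptions.

```python
import re

# Constructed FTD end-of-connection event (eventId 430003); host and values are made up.
SAMPLE_LINE = (
    "<166>Jan  5 09:03:01 ftd-lab %FTD-6-430003: AccessControlRuleAction: Allow, "
    "SrcIP: 10.1.2.3, DstIP: 203.0.113.10, SrcPort: 51514, DstPort: 443, "
    "Protocol: tcp, ACPolicy: Default-Policy, AccessControlRuleName: Allow-Web, "
    "IngressZone: inside_zone, EgressZone: outside_zone, "
    "InitiatorBytes: 1200, ResponderBytes: 4500"
)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d+): (?P<body>.*)$"
)
# Rows of the mapping table that pass a value through unchanged (subset the sample uses).
DIRECT = {"SrcIP": "principal.ip", "DstIP": "target.ip",
          "AccessControlRuleName": "security_result.rule_name",
          "IngressZone": "principal.location.name", "EgressZone": "target.location.name"}
INT_FIELDS = {"SrcPort": "principal.port", "DstPort": "target.port",
              "InitiatorBytes": "network.received_bytes", "ResponderBytes": "network.sent_bytes"}

def syslog_severity_name(sev):
    # Assumed cut-offs: the table names INFORMATIONAL/WARNING/ERROR but not the thresholds.
    return "ERROR" if sev <= 3 else "WARNING" if sev <= 5 else "INFORMATIONAL"

def map_to_udm(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a Cisco FTD syslog line")
    # FTD bodies are "Key: Value, Key: Value"; a value containing ", " (e.g. a URL)
    # would need the more careful grok handling the real parser applies.
    kv = dict(p.split(": ", 1) for p in m["body"].split(", ") if ": " in p)
    udm = {"metadata.event_type": "NETWORK_CONNECTION", "metadata.vendor_name": "Cisco",
           "metadata.product_name": "Firepower Firewall",
           "metadata.product_event_type": m["msgid"], "intermediary.hostname": m["host"],
           "security_result.severity": syslog_severity_name(int(m["pri"]) % 8)}
    for key, path in DIRECT.items():
        if key in kv:
            udm[path] = kv[key]
    for key, path in INT_FIELDS.items():
        if key in kv:
            udm[path] = int(kv[key])
    if "AccessControlRuleAction" in kv:  # normalized to ALLOW/BLOCK as in the table
        udm["security_result.action"] = "ALLOW" if kv["AccessControlRuleAction"].lower() == "allow" else "BLOCK"
    if "Protocol" in kv:
        udm["network.ip_protocol"] = kv["Protocol"].upper()
    if "ACPolicy" in kv:
        udm["security_result.rule_labels"] = [{"key": "ACPolicy", "value": kv["ACPolicy"]}]
    return udm
```

Running map_to_udm(SAMPLE_LINE) yields the fields a UDM search on this event would expose, which is a quick way to confirm which raw keys a given Firepower event type actually carries before writing detection rules against them.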
