rnwolfe / fmc-tools

A collection of tools for common tasks needed on the Cisco Firepower Management Center using a fork of the fireREST library.

Enable syslog? #7

Closed d4np3 closed 3 years ago

d4np3 commented 3 years ago

Am I missing something or does this only set the override/server and not actually enable syslog itself if it is not configured?

I have a 300+ ruleset without syslog, and it bails out as follows on TCAT:

"syslogSeverity or syslogConfig cannot be specified without setting enableSyslog to true"

It did work for a couple of rules where I manually enabled the log to syslog checkbox.

rnwolfe commented 3 years ago

Been a while since I worked on this and the FMC API could have changed a little, but if I recall correctly, you have to specify whether to log at the end or start of a session to enable syslog.

Example below. This is in the README file, as well.

  # Logging settings
  #  Leave variable empty (var = '') if you don't want to include the setting
  syslog_to_server = 'api-syslog-server'
  log_to_fmc = 'true'
  log_at_begin = 'false'
  log_at_end = 'true'

If the API did change a bit for syslog settings, you could update the script pretty easily to include the new field.

d4np3 commented 3 years ago

Thanks for the reply! Yeah, there is a log to syslog option that is the same as the connection checkboxes. Then the syslog server is the overriding sub-option. Like you have log_to_fmc, I expect you would need a log_to_syslog in addition to the syslog_to_server (which sets the default override instead of the master syslog).

rnwolfe commented 3 years ago

Yes, sounds like the settings changed a bit since I made this. But it sounds like you just need to add a syslogEnabled setting to the payload.

Should be an easy change for you to make. I don’t really maintain this and don’t have an FMC readily available to test with.

d4np3 commented 3 years ago

Thanks mate. I'll give it a go.

d4np3 commented 3 years ago

I got it working. I changed your old syslog server config to the syslog override (which is the alert override setting it does set in the newer versions if the checkbox is already enabled).

Here is the gist of the basic enable-syslog checkbox.

  log_to_syslog = 'true'

  # Same convention as the other logging settings: '' means leave it alone.
  # The rule object from the API carries a real boolean, so compare against
  # one rather than the raw string, and send a boolean in the payload.
  if log_to_syslog and acp_rule.get('enableSyslog') != (log_to_syslog == 'true'):
      payload['enableSyslog'] = (log_to_syslog == 'true')
  else:
      print('  Log to Syslog already set, or not specified. Skipping log to syslog.')
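The thread boils down to an ordering constraint the FMC API enforces server-side: a syslog server (`syslogConfig`) or `syslogSeverity` is only accepted once `enableSyslog` is true, and logging only takes effect with `logBegin` or `logEnd` set. The helper below is an added example (not fmc-tools code and not part of fireREST) that assembles the logging part of an access-rule PUT body and fails fast on both constraints before anything is sent, so a 300+ rule bulk run does not bail out part-way. The field names are the FMC REST API's access-rule fields; `build_logging_payload`, `needs_update`, `to_setting`, the sample rule and the UUIDs are assumptions constructed for the example.

```python
"""Added example (not fmc-tools code): build the logging part of an FMC
access-rule PUT body and enforce the constraint from this thread before
sending it.  Field names (logBegin, logEnd, sendEventsToFMC, enableSyslog,
syslogConfig, syslogSeverity) are the FMC REST API's access-rule fields;
the helper names, the sample rule and the UUIDs below are made up."""
import copy
import json


def to_setting(value):
    """Translate the script's config convention ('true'/'false'/'') into
    True/False/None, where None means 'leave the rule's value untouched'."""
    if value == "":
        return None
    return value.strip().lower() == "true"


def build_logging_payload(acp_rule, log_begin=None, log_end=None,
                          log_to_fmc=None, log_to_syslog=None,
                          syslog_server_id=None, syslog_severity=None):
    """Return a PUT body for acp_rule with the requested logging changes.

    None leaves a field as it is on the existing rule. Raises ValueError
    for combinations FMC rejects instead of letting a bulk run bail out
    part-way through a ruleset.
    """
    # Read-only fields returned by GET must not be echoed back on PUT.
    payload = {k: copy.deepcopy(v) for k, v in acp_rule.items()
               if k not in ("metadata", "links")}

    for key, value in (("logBegin", log_begin), ("logEnd", log_end),
                       ("sendEventsToFMC", log_to_fmc),
                       ("enableSyslog", log_to_syslog),
                       ("syslogSeverity", syslog_severity)):
        if value is not None:
            payload[key] = value
    if syslog_server_id is not None:
        # The override syslog alert object, referenced by id (type SyslogAlert).
        payload["syslogConfig"] = {"id": syslog_server_id, "type": "SyslogAlert"}

    # The check FMC performs server-side (the error quoted in the issue):
    # a syslog server or severity is only valid once enableSyslog is true.
    if (("syslogConfig" in payload or "syslogSeverity" in payload)
            and payload.get("enableSyslog") is not True):
        raise ValueError("syslogSeverity or syslogConfig cannot be specified "
                         "without setting enableSyslog to true")
    # Per the maintainer's reply: logging needs a log point, begin or end.
    if ((payload.get("enableSyslog") or payload.get("sendEventsToFMC"))
            and not (payload.get("logBegin") or payload.get("logEnd"))):
        raise ValueError("logBegin or logEnd must be true for logging to take effect")
    return payload


def needs_update(acp_rule, payload):
    """True if the PUT would change anything, so unchanged rules can be skipped."""
    return any(acp_rule.get(k) != v for k, v in payload.items())


# Constructed sample: a rule as GET .../accessrules/{id} might return it,
# with no logging configured at all (the 300+ rule case from the issue).
SAMPLE_RULE = {
    "id": "00000000-0000-0000-0000-00000000aaaa", "type": "AccessRule",
    "name": "allow-web", "action": "ALLOW", "enabled": True,
    "logBegin": False, "logEnd": False, "sendEventsToFMC": False,
    "enableSyslog": False,
    "metadata": {"accessPolicy": {"id": "00000000-0000-0000-0000-00000000cccc"}},
    "links": {"self": "https://fmc.example.invalid/api/fmc_config/v1/"
                      "accessrules/00000000-0000-0000-0000-00000000aaaa"},
}

if __name__ == "__main__":
    body = build_logging_payload(
        SAMPLE_RULE,
        log_end=to_setting("true"), log_to_fmc=to_setting("true"),
        log_to_syslog=to_setting("true"),
        syslog_server_id="00000000-0000-0000-0000-00000000bbbb")
    print(json.dumps(body, indent=2))
    try:  # what the un-patched script effectively sent: a server, no enableSyslog
        build_logging_payload(SAMPLE_RULE, log_end=True,
                              syslog_server_id="00000000-0000-0000-0000-00000000bbbb")
    except ValueError as err:
        print("rejected locally:", err)
```

`needs_update` gives the same "skip if already set" behaviour as the posted snippet but across all logging fields, so an idempotent second run over the ruleset issues no PUTs at all.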