FTD Log parser

Hi Guys,

We have been sending Cisco FTD logs to IDR, but it seems the logs are not being parsed. Any pointers on what to look at?

We only expect to parse specific events from FTD, see examples here Cisco FirePower Threat Defense (FTD) | InsightIDR Documentation

430001, 430002, 430003 are the events we expect to parse.

You’ll also want to ensure timestamps are set to log.

If other events are not being parsed, that may be expected behavior.

David

Thanks David. Yeah, I am sending those events only.
Could you give more details on the timestamps that R7 expects? I do see proper timestamps in the logs, as below:


Yeah, the timestamps not being present at all is usually the issue. If the logs match what is shown in the docs, I’d suggest you raise a support ticket for us to take a closer look.
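A quick way to check both points raised above (only event IDs 430001, 430002 and 430003 are expected, and a syslog timestamp must be present) before opening a ticket is to run a sample of the raw syslog feed through a small triage script. The following is an added example, not code from Rapid7 or from this thread. It assumes the standard Cisco FTD syslog layout of an optional BSD-style timestamp and hostname followed by a `%FTD-<severity>-<message id>:` header and comma-separated `Key: Value` fields; the sample lines are constructed for the example and the device UUIDs and addresses in them are placeholders.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Event IDs that the answer above says InsightIDR parses from FTD.
EXPECTED_EVENT_IDS = {"430001", "430002", "430003"}

# Optional syslog priority "<nnn>", then a BSD timestamp such as "Jun 14 12:34:56".
_TIMESTAMP_RE = re.compile(
    r"^(?:<\d{1,3}>)?([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
)
# Cisco FTD message header: "%FTD-<severity 0-7>-<six digit message id>: <rest>"
_FTD_HEADER_RE = re.compile(r"%FTD-(\d)-(\d{6}):\s*(.*)$")


class FtdRecord(NamedTuple):
    timestamp: Optional[str]   # None when the device is not logging timestamps
    severity: int
    event_id: str
    fields: Dict[str, str]     # "Key: Value" pairs from the message body
    expected: bool             # True when event_id is one IDR parses


def parse_ftd_line(line: str) -> Optional[FtdRecord]:
    """Parse one syslog line; return None if it is not an FTD message."""
    header = _FTD_HEADER_RE.search(line)
    if not header:
        return None
    ts_match = _TIMESTAMP_RE.match(line)
    timestamp = ts_match.group(1) if ts_match else None
    severity, event_id, rest = header.groups()
    fields: Dict[str, str] = {}
    # Connection/intrusion events carry "Key: Value" pairs separated by ", ".
    # (Values that themselves contain ", " would need a smarter split.)
    for field in rest.split(", "):
        key, sep, value = field.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return FtdRecord(timestamp, int(severity), event_id, fields,
                     event_id in EXPECTED_EVENT_IDS)


def triage(lines: List[str]) -> Dict[str, int]:
    """Count why each line would or would not be parsed by the FTD event source."""
    report = {"not_ftd": 0, "unexpected_event": 0,
              "missing_timestamp": 0, "parseable": 0}
    for line in lines:
        rec = parse_ftd_line(line)
        if rec is None:
            report["not_ftd"] += 1
        elif not rec.expected:
            report["unexpected_event"] += 1
        elif rec.timestamp is None:
            report["missing_timestamp"] += 1
        else:
            report["parseable"] += 1
    return report


# Constructed sample lines (not real device output); UUIDs and IPs are placeholders.
SAMPLE_LINES = [
    "Jun 14 12:34:56 ftd-01 %FTD-6-430002: EventPriority: Low, "
    "DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, "
    "FirstPacketSecond: 2021-06-14T12:34:56Z, ConnectionID: 1001, "
    "AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, DstIP: 192.0.2.10, "
    "SrcPort: 51234, DstPort: 443, Protocol: tcp",
    "Jun 14 12:35:01 ftd-01 %FTD-6-430003: EventPriority: Low, "
    "DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, "
    "ConnectionID: 1001, InitiatorPackets: 12, ResponderPackets: 10",
    # Expected event ID but the device is not logging a timestamp:
    "%FTD-6-430001: EventPriority: High, "
    "DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, "
    "SrcIP: 198.51.100.7, DstIP: 10.0.0.5, Classification: Attempted Admin",
    # Timestamped, but an event ID outside the set IDR parses:
    "Jun 14 12:35:05 ftd-01 %FTD-6-302013: Built inbound TCP connection 5 "
    "for outside:198.51.100.7/40000 (198.51.100.7/40000) "
    "to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Jun 14 12:35:06 ftd-01 sshd[2]: not an FTD message at all",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

Running it on a capture taken at the collector (for example from the raw syslog file or a short `tcpdump` of the listening port) gives a breakdown of how many lines are non-FTD, carry an unexpected event ID, or lack a timestamp; a feed that is all `parseable` and still not showing up in IDR is the case where a support ticket makes sense.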

Hi David,

There was some minor misconfiguration on my side.

It works now. Thank you for your help.