IBM Support

QRadar: Cisco Firepower Management Center DSM and changes to auto discovered syslog events

Question & Answer


Question

On 10 June 2020, IBM released an automatic update for all users of the Cisco® Firepower Management Center DSM to disable log source auto discovery for syslog event data. In the same weekly update, the QRadar integration team released a new Cisco Firepower Threat Defense DSM. The purpose of this technical note is to inform administrators of these RPM changes and notify you that syslog data from Cisco Firepower Management Center appliances no longer discovers and creates log sources from syslog events.

Cause

IBM is updating DSM content and has published a new Cisco Threat Defense DSM that can auto discover syslog event data. Administrators are being alerted to the change in log source auto discovery for the Cisco Firepower Management Center DSM.

Answer

The Cisco Firepower Management Center DSM can accept and parse security events through the eStreamer protocol, the API, and syslog. The QRadar integration team has disabled log source auto discovery for Firepower Management Center syslog events. In the future, administrators might be required to move syslog log sources that currently point at the Firepower Management Center DSM to the new Firepower Threat Defense DSM. We recommend that administrators talk to their users about rules, searches, or reports that use Firepower Management Center log source data before making a change. It is also a good idea to update log source groups as you transition to the Cisco Firepower Threat Defense DSM.
Actions for Administrators
  • Administrators can still use their existing Firepower Management Center log sources; however, you might be required to migrate to the Cisco Firepower Threat Defense DSM in the future. Syslog parsing functionality might be removed from the Cisco Firepower Management Center DSM in a future release.
  • Firepower Management Center log sources can still be created for syslog event data, but each new log source must be created manually.
  • If you migrate your Firepower Management Center log sources to the Firepower Threat Defense DSM, review the impact this change has on rules, searches, or reports for your users. To avoid interruptions in reporting, contact the teams in your QRadar user base that currently have searches or reports for Cisco Firepower Management Center events before you transition to the Cisco Firepower Threat Defense DSM.
  • Administrators received the RPM updates on 10 June 2020 through QRadar automatic updates. QRadar Consoles are updated with the new Firepower Threat Defense DSM. If you configure new alerts or set up new appliances, you might see your syslog events auto discover as Cisco Firepower Threat Defense.
  • Administrators who manually update DSMs can download the latest versions of the Cisco Firepower Management Center and Cisco Firepower Threat Defense DSMs. It is important that administrators update both DSMs to prevent parsing issues.

    Fix Central links
    For QRadar® 7.3.x administrators:  
    - 7.3.0-QRADAR-DSM-CiscoFirepowerManagementCenter-7.3-20200516020801.noarch.rpm
    - 7.3.0-QRADAR-DSM-CiscoFirepowerThreatDefense-7.3-20200522003635.noarch.rpm

    For QRadar 7.4.x administrators:
    - 7.4.0-QRADAR-DSM-CiscoFirepowerManagementCenter-7.4-20200516020841.noarch.rpm
    - 7.4.0-QRADAR-DSM-CiscoFirepowerThreatDefense-7.4-20200516020841.noarch.rpm

    Important: Administrators must install both the Cisco Firepower Management Center DSM and the Cisco Firepower Threat Defense DSM updates to ensure there are no parsing issues or conflicts. These changes are not applied to QRadar 7.2.x appliances as the QRadar 7.2.x product is considered end of support by IBM.

    Documentation links
    - Cisco Firepower Threat Defense DSM Configuration Guide
    - Cisco Firepower Management Center DSM Configuration Guide


Document Information

Modified date:
10 June 2020

UID

ibm16218922