Following are the steps I used to connect our Cisco FirePower Management Center 220.127.116.11 on VMware to our SolarWinds LEM/SEM 2020.2.1.
I'm sharing since others have posted helpful info for me to use. Paying it forward. 🙂
1. Choose FMC > Policies > Access Control > Access Control Policy > ACLPolicy-Internet (our Policy name) > Logging. Add the new syslog pointing to the SEM IP address, with facility Local0 and severity INFO.
2. Choose FMC > Policies > Access Control > Access Control Policy > ACLPolicy-Internet (our Policy name) > Security Intelligence > DNS Policy, then click on the DNS Black List Options (Paper Scroll icon). From here, activate the [x] Syslog Server.
3. In our case we did the same for the other logs we were wanting which were the Network Blacklist logging options, and the URL Blacklist Logging.
4. Save Settings
5. Attach to the Solarwinds Console
6. Confirmed the syslogs were piping over via the CMC: Appliance > checklogs command.
7. In step 1 above I set the facility to Local0, so in my SEM the logs are piped into the log: Syslog local0 Log (34K). Before step 1 was set up and saved, this showed as SysLog Local0 Log (Empty).
8. Login to SolarWinds SEM/LEM console.
9. Choose Manage > Nodes > Scan for New Nodes.
10. Wait for the scan to complete. Activate the newly found node for the FMC.
11. Check [x] Yes, Monitor the 1 node(s): with FMC ip address
12. Check [x] Cisco FirePOWER model (Sourcefire 3D system): FirePower Connector Discovery
13. The SEM then used the correct connector config.
14. The IP address and connector showed up for the Node IP, Node Name.
15. Then looked in nDepth and found logs were showing up.
Hope this helps others attempting to connect these.
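
An added example, not part of the original post: step 7 depends on the messages arriving with facility Local0, since that decides which SEM log they land in. This Python sketch decodes the syslog PRI header (facility * 8 + severity, so local0/INFO is `<134>`) and flags lines that would be filed elsewhere. The sample lines and the function names are constructed for illustration and are not real FMC output.

```python
import re

# Facility and severity names in RFC 5424 numeric order.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) from a raw syslog line, or None."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is local7.debug = 23*8 + 7
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def check_feed(lines, want=("local0", "info")):
    """Count lines matching the expected facility/severity; list the rest."""
    ok, problems = 0, []
    for n, line in enumerate(lines, 1):
        decoded = decode_pri(line)
        if decoded is None:
            problems.append((n, "no valid PRI header"))
        elif decoded != want:
            problems.append((n, "%s.%s" % decoded))
        else:
            ok += 1
    return ok, problems

# Constructed sample datagrams (hypothetical host name and message text).
SAMPLE = [
    "<134>Jan 10 12:00:01 fmc-host placeholder: constructed access event",
    "<134>Jan 10 12:00:02 fmc-host placeholder: constructed DNS block event",
    "<142>Jan 10 12:00:03 fmc-host placeholder: sent with facility local1",
    "Jan 10 12:00:04 fmc-host placeholder: PRI stripped by a relay",
]

if __name__ == "__main__":
    ok, problems = check_feed(SAMPLE)
    print("matching local0.info:", ok)
    for lineno, reason in problems:
        print("line %d: %s" % (lineno, reason))
```

Run it over raw datagrams captured on a test listener; anything reported other than local0.info would not appear in the Syslog local0 Log checked in step 7.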