Secure Firewall Management Center Alert Responses
External event notification via SNMP, syslog, or email can help with critical-system monitoring. The Secure Firewall Management Center uses configurable alert responses to interact with external servers. An alert response is a configuration that represents a connection to an email, SNMP, or syslog server. They are called responses because you can use them to send alerts in response to events detected by Firepower. You can configure multiple alert responses to send different types of alerts to different monitoring servers and/or people.
Note: Depending on your device and Firepower version, alert responses may not be the best way to send syslog messages. See the About Syslog chapter in the Cisco Secure Firewall Management Center Device Configuration Guide.

Note: Alerts that use alert responses are sent by the Secure Firewall Management Center. Intrusion email alerts, which do not use alert responses, are also sent by the Secure Firewall Management Center. By contrast, SNMP and syslog alerts that are based on individual intrusion rules triggering are sent directly by managed devices.
In most cases, the information in an external alert is the same as the information in any associated event you logged to the database. However, for correlation event alerts where the correlation rule contains a connection tracker, the information you receive is the same as for an alert on a traffic profile change, regardless of the base event type.
You create and manage alert responses on the Alerts page (). New alert responses are automatically enabled. To temporarily stop alert generation, you can disable alert responses rather than deleting them.
Changes to alert responses take effect immediately, except when sending connection logs to an SNMP trap or syslog server.
In a multidomain deployment, when you create an alert response it belongs to the current domain. This alert response can also be used by descendant domains.
Configurations Supporting Alert Responses
After you create an alert response, you can use it to send the following external alerts from the Secure Firewall Management Center.
| Alert/Event Type | For More Information |
|---|---|
| Intrusion events, by impact flag | |
| Discovery events, by type | |
| Malware and retrospective malware events detected by malware defense ("network-based") | |
| Health events, by health module and severity level | |