Analyzing Firepower logs with pigtail

Did you ever run into a problem with Cisco Firepower that left you clueless as to why your policy deployment is failing? Have you ever asked yourself why your FMC High-Availability is not working correctly or why your new Firewall cannot register with its central manager? Then this is the right post for you. We will look into how pigtail, a CLI logging utility available on both FTD and FMC, can help you figuring out what is happening behind the scenes.


Pigtail is a highly sophisticated log analysis tool that… just kidding, it’s a perl script that basically tails different logfiles, color codes the output for better readability and normalizes logfile timestamps, which is available from SFCLI on FTD and the bash shell on FMC.


Before executing pigtail we will need to access the bash shell and change users to root:

Now let’s take a look at pigtail and options it provides:


The help page is quite detailed but can be summed up quickly. Basically you have some filter options that help you tail only specific logs in which you are interested in. For example you can use pigtail "deploy" to tail the deployment logs.

If you want to log all the information into a file, try this one:


Use the command below into this privilege:


If you need to download the file, go to your FMC under Health >> Monitor >> "FTD" >> Advanced troubleshooting >> Download file >> Copy the file name into the box >> OK.


You must copy your FTD CLI file to /ngfw/var/common/


gif

117 views0 comments

Recent Posts

See All

The Duo Authentication Proxy is an on-premises software service that receives authentication requests from your local devices and applications via RADIUS or LDAP, optionally performs primary authentic

This post provides a step-by-step procedure for installing the hot patch released by Cisco for ISE servers, in light of the recent Log4j vulnerability (Apache Log4j Java Logging Library). More details

We have already seen how Umbrella works in previous posts and now let's do the basic configuration. https://www.stenge.info/post/umbrella-va Configuration Mode on a VA Deployed: When you open the VA i