Analyzing Firepower logs with pigtail
Did you ever run into a problem with Cisco Firepower that left you clueless as to why your policy deployment is failing? Have you ever asked yourself why your FMC High-Availability is not working correctly or why your new Firewall cannot register with its central manager? Then this is the right post for you. We will look into how pigtail, a CLI logging utility available on both FTD and FMC, can help you figuring out what is happening behind the scenes.
Pigtail is a highly sophisticated log analysis tool that… just kidding, it’s a perl script that basically tails different logfiles, color codes the output for better readability and normalizes logfile timestamps, which is available from SFCLI on FTD and the bash shell on FMC.
Before executing pigtail we will need to access the bash shell and change users to root:
Now let’s take a look at pigtail and options it provides:
The help page is quite detailed but can be summed up quickly. Basically you have some filter options that help you tail only specific logs in which you are interested in. For example you can use pigtail "deploy" to tail the deployment logs.
If you want to log all the information into a file, try this one:
Use the command below into this privilege:
If you need to download the file, go to your FMC under Health >> Monitor >> "FTD" >> Advanced troubleshooting >> Download file >> Copy the file name into the box >> OK.
You must copy your FTD CLI file to /ngfw/var/common/