top of page

Analyzing Firepower logs with pigtail

Did you ever run into a problem with Cisco Firepower that left you clueless as to why your policy deployment is failing? Have you ever asked yourself why your FMC High-Availability is not working correctly or why your new Firewall cannot register with its central manager? Then this is the right post for you. We will look into how pigtail, a CLI logging utility available on both FTD and FMC, can help you figuring out what is happening behind the scenes.

Pigtail is a highly sophisticated log analysis tool that… just kidding, it’s a perl script that basically tails different logfiles, color codes the output for better readability and normalizes logfile timestamps, which is available from SFCLI on FTD and the bash shell on FMC.

Before executing pigtail we will need to access the bash shell and change users to root:

Now let’s take a look at pigtail and options it provides:

The help page is quite detailed but can be summed up quickly. Basically you have some filter options that help you tail only specific logs in which you are interested in. For example you can use pigtail "deploy" to tail the deployment logs.

If you want to log all the information into a file, try this one:

Use the command below into this privilege:

If you need to download the file, go to your FMC under Health >> Monitor >> "FTD" >> Advanced troubleshooting >> Download file >> Copy the file name into the box >> OK.

You must copy your FTD CLI file to /ngfw/var/common/

780 views0 comments

Recent Posts

See All

Duologsync (DLS) is a utility written by Duo Security that supports fetching logs from Duo endpoints and ingesting them to different SIEMs. Logging: A logging filepath can be specified in config.yml.

Syslog is a protocol that computer systems use to send event data logs to a central location for storage. Logs can then be accessed by analysis and reporting software to perform audits, monitoring, tr

ISE Repositories can be configured from both the GUI and the CLI of the ISE and can be used for these purposes: ➛ Backup and Restore of ISE Configuration and Operational data; ➛ Upgrade of ISE nodes;

bottom of page