Refer to the official Cisco documentation below to configure log forwarding from Cisco FTD.
The Scope application supports ingestion of Cisco FTD logs in the Syslog format.
2019-08-16T09:54:00Z firepower %FTD-0-430001: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 55644, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside, GID: 1, SID: 17279
2023-03-27T08:41:37Z %FTD-1-430003: EventPriority: Low, DeviceUUID: 48a00000-8e53-11ec-9a0c-d396ffaa0000, InstanceID: 2, FirstPacketSecond: 2023-03-27T08:41:07Z, ConnectionID: 48101
Aug 14 2019 14:54:25 siem-ftd %FTD-1-430004: SrcIP: 10.0.1.20, DstIP: 10.0.100.30, SrcPort: 41522, DstPort: 8000, Protocol: tcp, FileDirection: Download, FileAction: Detect, FileName: exploit.exe
Jan 1 2019 01:00:27 beats asa[1234]: %FTD-7-999999: This message is not filtered.
<166>Sep 29 2022 15:00:15 hosty : %FTD-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF0079F5A) between 192.168.0.139 and 192.168.0.38 has been created.
<166>: 2024 Dec 18 13:59:59 UTC 120d5caa-81a7-11eb-91b2-705267e934b4 : %FTD-auth-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.21.16.9
<13>May 14 17:42:58 10.20.22.24 LOGSTASH[-]: 2025-05-14T17:42:58.119Z 10.20.22.24 <190>May 14 2025 17:42:47: %FTD-6-805002: UDP Flow is no longer offloaded for connection 2745582050
2026-02-23T19:08:28.140Z 10.20.13.52 <190>Feb 23 2026 19:08:28: %FTD-6-302020: Built inbound ICMP connection for faddr 2620:0:3c0:de20:79bd:cd3f:ccfd:c0df/0
<14>Aug 14 2019 13:56:30 platformSettingEdit.cgi: siem-management: admin@10.0.255.31, System > Configuration > Configuration > /platinum/platformSettingEdit.cgi?type=AuditLog, Page View
2025-05-05T10:39:20+00:00 REDACTEDHOST SF-IMS[5961]: [23931] sftunneld:control_services [INFO] Interface tap_nlp (10.10.10.10) from 10.10.10.10 is up