External event notification via SNMP, syslog, or email can help with critical-system monitoring. The Firepower Management Center uses configurable alert responses to interact with external servers. Various logging and alerting configurations use these alert responses to send external alerts in addition to—or sometimes instead of—logging events to the Firepower System database.
Alerts that use alert responses are sent by the Firepower Management Center. Intrusion email alerts, which do not use alert responses, are also sent by the Firepower Management Center. By contrast, SNMP and syslog alerts that are based on individual intrusion rules triggering are sent directly by managed devices. For more information, see External Alerting for Intrusion Events.
In most cases, the information in an external alert is the same as the information in any associated event you logged to the database. However, for correlation event alerts where the correlation rule contains a connection tracker, the information you receive is the same as for an alert on a traffic profile change, regardless of the base event type.
You create and manage alert responses on the Alerts page (). New alert responses are enabled automatically. To stop alert generation temporarily, disable the alert response rather than deleting it.
If you use alert responses to send connection logs to an SNMP trap or syslog server (external email alerting is not supported for connection events), you must deploy configuration changes after editing those alert responses. In all other cases, changes to alert responses take effect immediately.
In a multidomain deployment, an alert response you create belongs to the current domain. Descendant domains can also use this alert response.