External event notification via SNMP, syslog, or email can help with critical-system monitoring. The Firepower Management
Center uses configurable alert responses to interact with external servers. An alert response is a configuration that represents a connection to an email, SNMP, or syslog server. They are called responses because you can use them to send alerts in response to events detected by Firepower. You can configure multiple alert responses to send different types of alerts to different monitoring servers and/or people.
Alerts that use alert responses are sent by the Firepower Management
Center. Intrusion email alerts, which do not use alert responses, are also sent by the Firepower Management
Center. By contrast, SNMP and syslog alerts that are based on individual intrusion rules triggering are sent directly by managed devices. For more information, see External Alerting for Intrusion Events.
In most cases, the information in an external alert is the same as the information in any associated event you logged to the database. However, for correlation event alerts where the correlation rule contains a connection tracker, the information you receive is the same as for an alert on a traffic profile change, regardless of the base event type.
You create and manage alert responses on the Alerts page (). New alert responses are automatically enabled. To temporarily stop alert generation, you can disable alert responses rather than deleting them.
If you are using alert responses to send connection logs to an SNMP trap or syslog server (external email alerting is not supported for connection events), you must deploy configuration changes after you edit those alert responses. Otherwise, changes to alert responses take effect immediately.
In a multidomain deployment, when you create an alert response it belongs to the current domain. This alert response can also be used by descendant domains.