...
Intrusion events are not visible in the FMC GUI under Analysis > Intrusions > Events. When the HOME_NET value of the Default-Set variable set is changed in the FMC GUI, the GUI should warn about a potential misconfiguration of the variable set that could impact intrusion event logging to the FMC GUI (events may NOT occur). FTD will not generate "snort-unified.log" logs after a HOME_NET variable set misconfiguration. FTD could show this error in its log messages: firepower snort: [41560] sfpreproc:DataMessaging_EventQueue [CRITICAL] Could not extract the snort instance from /ngfw/var/cisco/deploy/sandbox/exported-files/snort-validation-output//snort-unified.log!
FMC Virtual 7.2.2. The snort.unified files are not generated on FTD (or are empty) if the HOME_NET value is misconfigured. FTD will not generate "snort-unified.log" logs under /ngfw/var/sf/detection_engines/*/instance-*
Intrusion events are seen after modifying or correcting the HOME_NET value (or reverting to the default values), then saving and deploying. Ensure that the HOME_NET value of the variable set (Default-Set) is configured correctly. The HOME_NET value should contain the network object(s) that correspond to the source traffic to be inspected by the IPS.
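A way to check for the symptom before and after correcting HOME_NET, as an added example that is not part of the original bug text or Cisco tooling. The function names are hypothetical, and the script assumes the unified files are named snort-unified.log with an optional suffix and that the log file to search is supplied by the operator.

```shell
#!/bin/sh
# Added example: flag Snort instance directories that hold no non-empty
# snort-unified.log* file, the symptom described in this bug.

# check_unified_logs [BASE]
# BASE defaults to the path given in the bug text.
# Prints "OK <dir>" or "MISSING <dir>" for each instance directory.
# Returns 0 if every instance has a non-empty unified log,
# 1 if at least one instance has none, 2 if no instance directory exists.
check_unified_logs() {
    base="${1:-/ngfw/var/sf/detection_engines}"
    found=0
    missing=0
    for inst in "$base"/*/instance-*; do
        [ -d "$inst" ] || continue
        found=$((found + 1))
        hit=0
        # Assumption: files are named snort-unified.log plus an optional suffix.
        for f in "$inst"/snort-unified.log*; do
            # -s is true only for files larger than zero bytes, so the
            # empty files mentioned in the bug text do not count.
            if [ -f "$f" ] && [ -s "$f" ]; then
                hit=1
                break
            fi
        done
        if [ "$hit" -eq 1 ]; then
            echo "OK $inst"
        else
            echo "MISSING $inst"
            missing=$((missing + 1))
        fi
    done
    [ "$found" -gt 0 ] || return 2
    [ "$missing" -eq 0 ] || return 1
    return 0
}

# count_extract_errors LOGFILE
# Counts lines containing the error string quoted in the bug text.
count_extract_errors() {
    grep -c 'Could not extract the snort instance' "$1" || true
}
```

Called with no argument, check_unified_logs uses the directory named in the bug text.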