
Cisco

Overview

The Cisco ASA is a security appliance that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities in a single device. It provides proactive threat defense intended to stop attacks before they spread through the network, which makes it an all-in-one security appliance for many network edges.

Logs are collected along the following path:

  • From the Cisco ASA appliance to an internal log concentrator (Rsyslog), which then forwards them to SEKOIA.IO

Event Categories

The following table lists the data sources offered by this integration.

Data Source                 Description
Host network interface      Every packet is logged; the outcome and the source/destination are extracted
Network device logs         ACL logs are examined in detail
Network protocol analysis   ICMP, TCP and UDP packets are fully analyzed
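To make the extraction described in the table concrete, here is an added Python example (not SEKOIA.IO or Cisco code) that parses a few Cisco ASA syslog messages into structured events with outcome, protocol, interfaces and source/destination, and then runs a first detection (ACL denies per source address) over them. The message IDs and field layouts are the documented ASA formats for 106023 (ACL deny), 302013/302015 (built TCP/UDP connection) and 302014/302016 (teardown); the sample lines, the hostname asa-fw and the ACL name OUTSIDE_IN are constructed for this example, and all addresses are RFC 5737 documentation ranges.

```python
"""Extract outcome, protocol and source/destination from Cisco ASA syslog lines.

Added example, not SEKOIA.IO or Cisco code. Message IDs and field layouts follow
the documented ASA formats for 106023 (ACL deny), 302013/302015 (built TCP/UDP
connection) and 302014/302016 (teardown). Sample lines, hostname and ACL name
are constructed; addresses are RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Anything before the %ASA tag (optional <PRI>, the "Mon DD YYYY HH:MM:SS" stamp
# from `logging timestamp`, an optional device id, or a relay's own header) is
# kept as `prefix`; the device id, when present, is the token before " :".
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?:(?P<prefix>.*?) )?"
    r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$"
)
# 106023: Deny proto src if:ip[/port] dst if:ip[/port] [(type N, code N)] by access-group "acl"
DENY_RE = re.compile(
    r"^Deny (?P<proto>\w+)"
    r" src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?"
    r" dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
    r' by access-group "(?P<acl>[^"]+)"'
)
# 302013/302015: Built dir PROTO connection N for if:ip/port (nat) to if:ip/port (nat)
BUILT_RE = re.compile(
    r"^Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+)"
    r" for (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\)"
    r" to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
)
# 302014/302016: Teardown PROTO connection N for if:ip/port to if:ip/port duration H:MM:SS bytes N [reason]
TEARDOWN_RE = re.compile(
    r"^Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+)"
    r" for (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r" to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    r" duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?"
)
CORE = ("proto", "src_if", "src_ip", "src_port", "dst_if", "dst_ip", "dst_port")

@dataclass
class AsaEvent:
    msg_id: str
    severity: int
    outcome: str                    # "deny", "allow" or "teardown"
    protocol: str
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    src_port: Optional[int] = None  # None for ICMP
    dst_port: Optional[int] = None
    host: Optional[str] = None      # device id, if the ASA sent one
    extra: Dict[str, str] = field(default_factory=dict)  # acl, conn_id, bytes, ...

def parse_line(line: str) -> Optional[AsaEvent]:
    """Return a structured event, or None for message IDs this parser does not model."""
    head = HEADER_RE.match(line.strip())
    if not head:
        return None
    msg_id, body = head.group("msg_id"), head.group("body")
    if msg_id == "106023":
        outcome, m = "deny", DENY_RE.match(body)
    elif msg_id in ("302013", "302015"):
        outcome, m = "allow", BUILT_RE.match(body)
    elif msg_id in ("302014", "302016"):
        outcome, m = "teardown", TEARDOWN_RE.match(body)
    else:
        return None
    if not m:
        return None  # known ID but unexpected body: do not guess at fields
    prefix = (head.group("prefix") or "").split()
    g = m.groupdict()
    return AsaEvent(
        msg_id=msg_id, severity=int(head.group("severity")), outcome=outcome,
        protocol=g["proto"].lower(), src_if=g["src_if"], src_ip=g["src_ip"],
        dst_if=g["dst_if"], dst_ip=g["dst_ip"],
        src_port=int(g["src_port"]) if g.get("src_port") else None,
        dst_port=int(g["dst_port"]) if g.get("dst_port") else None,
        host=prefix[-2] if len(prefix) >= 2 and prefix[-1] == ":" else None,
        extra={k: v for k, v in g.items() if v is not None and k not in CORE},
    )

def denied_sources(lines: List[str]) -> Dict[str, int]:
    """Count ACL denies per source address: a first, cheap detection over the feed."""
    counts: Dict[str, int] = {}
    for ev in map(parse_line, lines):
        if ev is not None and ev.outcome == "deny":
            counts[ev.src_ip] = counts.get(ev.src_ip, 0) + 1
    return counts

# Constructed sample lines (not captured from a real device); PRI 16x = facility local4.
SAMPLE_LINES = [
    "<166>Jan 05 2024 10:00:00 asa-fw : %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "<166>Jan 05 2024 10:00:05 asa-fw : %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/51234 to inside:192.0.2.10/443 duration 0:00:05 bytes 1234 TCP FINs",
    '<164>Jan 05 2024 10:00:07 asa-fw : %ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '<164>Jan 05 2024 10:00:08 asa-fw : %ASA-4-106023: Deny icmp src outside:203.0.113.5 dst inside:192.0.2.10 (type 8, code 0) by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "<166>Jan 05 2024 10:00:09 asa-fw : %ASA-6-302015: Built outbound UDP connection 12346 for inside:192.0.2.20/53412 (198.51.100.2/53412) to outside:198.51.100.53/53 (198.51.100.53/53)",
    "<165>Jan 05 2024 10:00:10 asa-fw : %ASA-5-111008: User 'admin' executed the 'logging enable' command.",
]
```

Usage: `parse_line(SAMPLE_LINES[2])` yields a deny event for tcp from outside:203.0.113.5 to inside:192.0.2.10 port 22 with the ACL name in `extra["acl"]`, the ICMP deny has no ports but carries `icmp_type`/`icmp_code`, the 111008 line returns None because the parser only models connection and ACL messages, and `denied_sources(SAMPLE_LINES)` reports two denies for 203.0.113.5. The header match is deliberately loose so the same code works whether the line is read straight off the wire or after Rsyslog has prepended its own header; a stricter parser should instead validate the exact stamp produced by `logging timestamp`.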

Configure

CISCO ASA logs

On Cisco ASA appliances, most of the hardware and software activity relevant to security detection and analysis is enabled with a few simple commands. To enable logging, add a timestamp to each message and send messages of severity informational (6) and above to the syslog servers, enter the following commands:

hostname(config)# logging enable
hostname(config)# logging timestamp
hostname(config)# logging trap informational

Transport to the concentrator

Prerequisites

The following prerequisites are needed in order to set up log concentration:

  • Have administrator privileges on the Cisco ASA
  • Traffic from the Cisco ASA to the Rsyslog server must be allowed on UDP 514 (the default syslog port; see the port notes below if you choose TCP instead)

Configure the CISCO ASA

In order to forward the logs to the Rsyslog server, follow these steps:

Note the name of the interface through which the Rsyslog server is reachable

hostname(config)# show interface

Note the host name (used to identify this device on the concentrator)

hostname(config)# show hostname

You then have to configure an output destination for the logs. Here, we choose to send syslog messages to an external syslog server:

hostname(config)# logging host interface_name syslog_ip [tcp[/port] | udp[/port]]

Example (replace interface_1 with the interface name noted above and 127.0.0.1 with the address of your Rsyslog server):

hostname(config)# logging host interface_1 127.0.0.1 udp

Explanations:

  • The interface_name argument specifies the interface through which the ASA reaches the syslog server.
  • The syslog_ip argument specifies the IP address of the syslog server.
  • The tcp[/port] or udp[/port] keyword and argument pair specify whether the ASA (or ASASM) uses TCP or UDP to send syslog messages to the syslog server.
  • You can configure the ASA to send data to a given syslog server using either UDP or TCP, but not both. The default protocol is UDP if you do not specify one.

If you specify TCP, the ASA detects when the syslog server is unreachable and, as a security protection, blocks new connections through the ASA until logging is restored; the `logging permit-hostdown` command disables this behaviour if an unavailable collector must not interrupt traffic. If you specify UDP, the ASA continues to allow new connections whether or not the syslog server is operational, but lost messages are not detected. Valid port values for either protocol are 1025 through 65535. The default UDP port is 514. The default TCP port is 1470. For more information about Cisco ASA logging, please refer to your Cisco documentation.

Transport to SEKOIA.IO

Rsyslog

The reader is invited to consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.