Forum Discussion
MCAS - Log Collector - Configuration Not Sending to MCAS
I'm fairly new to MCAS. Am attempting to get an onPrem log collector (docker) to transmit ASA logs to the log collector in MCAS. However, something is not working.
This docker instance is running within a hyper-v 2016 guest (Guest: Windows Server 2019).
The source is an ASA 5508 sending syslog (level 6) to the docker instance on TCP 20000. Host firewall inbound rule allows TCP 20000 from the ASA.
Within Azure MCAS, it shows the log collector is "Connected" - Warning: No data was received since log collection deployment. Make sure you complete on-premises configuration of your network appliances.
From a review of a NetMon network trace, run from the host, we are receiving traffic from the ASA on TCP 20000. Netstat does show the server is listening on TCP 20000. Below is docker run command.
Have opened a case with MS, but they claim to be new as MCAS and docker.
Any ideas why I'm not getting data?
docker run
--name ASALogCollector
-p 20000:20000/tcp
-p 21:21
-p 20001-20099:20001-20099
-e "PUBLICIP='internalhost.acme.com'"
-e "PROXY="
-e "SYSLOG=true"
-e "CONSOLE=xxxxx.us3.portal.cloudappsecurity.com"
-e "COLLECTOR=ASALogCollector"
--security-opt apparmor:unconfined
--cap-add=SYS_ADMIN
--restart unless-stopped
-a stdin
-i microsoft/caslogcollector starter
5 Replies
- Hi Shawn,
Can you please PM me with your case Id, so that I can make sure it is being handled by our support experts?
Thanks,
Danny.Danny Kadyshevitch Was this resolved? I am having the same problem. My log collector is receiving ftp log files from my Palo Alto NGFW but not sending them to MCAS.
Do you see a lot of lsof processes running taking up a lot of CPU time? I had to bypass the lsof process in the container (remove lsof, link /bin/true to lsof) to get it to work. I understand that's fixed in the current version though. If you do see high CPU usage by lsof let me know and I'll provide detailed instructions.
