Forum Discussion
Cisco ASA log entries duplicated in CommonSecurityLog and Syslog
They should not be sent to syslog. Did you use the configuration script for configuring the CEF collector?
- AdiGrio, Nov 18, 2019, Brass Contributor
Nicholas DiCola (SECURITY JEDI)
Thanks for your reply, and yes, the instructions to configure the log collection for ASA were followed, as I mentioned in my original post, and we are getting the log entries parsed in CommonSecurityLog. Would we get them if the CEF collector was not configured properly? I have this happening in two Sentinel instances. One has a low volume of ASA logs, so the effect was negligible, but the other one cannot be ignored. The volume of data ingested per day for the two logs is almost the same:
Regards,
Adrian
- Nicholas DiCola (SECURITY JEDI), Nov 19, 2019, Former Employee
Yes, it's a possible misconfiguration. Can you share what steps you followed and the config files you are using? They should be generic configs.
- a_kefallonitis, Oct 13, 2020, Copper Contributor
Did you find any solution to this, AdiGrio? I have the same issue with the default installation.
Also, do you know if there is a way for syslog not to be written to /var/log/messages?