Forum Discussion

Consultant1520
Copper Contributor
Jun 16, 2020

Cisco IronPort

We are trying to collect "CEF" logs from Cisco IronPort using Azure Sentinel.

The syslog forwarder is configured on a RHEL machine.

We do get data for "syslog".

However, nothing appears under "CommonSecurityLog". We can see the following error messages:
Could not locate "CEF" message in tcpdump
Fetching CEF messages from daemon files.

tac: failed to open ‘/var/log/syslog’ for reading: No such file or directory
Located 0
CEF\ASA messages
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
tac: failed to open ‘/var/log/syslog’ for reading: No such file or directory
Located 0
CEF\ASA messages
Error: no CEF messages received by the daemon.

sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2020-06-16T10:01:10.065437Z INFO ExtHandler ExtHandler [HEARTBEAT] Agent WALinuxAgent-2.2.48.1 is running as the goal state agent
Could not locate "CEF" message in tcpdump
Simulating mock data which you can find in your workspace
This will take 60 seconds.
sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Could not locate "CEF" message in tcpdump
Completed troubleshooting.

sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
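The troubleshooting output above reports "Located 0 CEF\ASA messages" after reading the syslog daemon's log file, so a useful check on the forwarder is whether the lines the daemon actually writes contain well-formed CEF records at all. The following is an added example, not code from the post or from the Sentinel troubleshooting script: it scans constructed sample lines (modelled on what a syslog daemon writes to a file such as /var/log/messages on RHEL, where /var/log/syslog does not exist) and counts those that parse as CEF, i.e. a "CEF:" prefix followed by exactly seven pipe-delimited header fields and an extension. The sample lines and the vendor/product values in them are made up for illustration; the exact detection logic of the real script is an assumption.

```python
import re

# Constructed sample lines, in the shape a syslog daemon writes them to its log file.
# Only the second line is a valid CEF record; the last one has too few header fields.
SAMPLE_LINES = [
    "Jun 16 10:01:10 ironport mail_logs: Info: MID 123 ICID 456 From: <a@example.com>",
    "Jun 16 10:01:11 ironport CEF:0|Cisco|IronPort ESA|13.0|100|Mail Event|3|src=203.0.113.5 suser=a@example.com",
    "Jun 16 10:01:12 ironport sshd[1234]: Accepted publickey for azureuser",
    "Jun 16 10:01:13 ironport CEF:0|Cisco|Broken|too few fields",
]

# Split only on pipes that are not backslash-escaped (CEF headers escape a literal '|' as '\|').
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")

# Seven CEF header fields, in order, followed by the free-form extension.
_HEADER_KEYS = ["version", "vendor", "product", "device_version",
                "event_class_id", "name", "severity"]


def parse_cef(line: str):
    """Return the parsed CEF header plus extension as a dict, or None if the line is not CEF.

    The syslog prefix (timestamp, host) is skipped by locating the 'CEF:' marker, which is
    what the received line looks like after the forwarder's syslog daemon has stored it.
    """
    idx = line.find("CEF:")
    if idx < 0:
        return None
    # At most 7 splits: anything after the seventh pipe (the extension) may itself contain pipes.
    parts = _UNESCAPED_PIPE.split(line[idx:], maxsplit=7)
    if len(parts) != 8:
        return None
    record = dict(zip(_HEADER_KEYS, parts[:7]))
    record["version"] = record["version"][len("CEF:"):]  # strip the 'CEF:' marker
    record["extension"] = parts[7]
    return record


def count_cef(lines):
    """Count lines that parse as CEF; zero here matches the 'Located 0 CEF messages' symptom."""
    return sum(1 for line in lines if parse_cef(line) is not None)


if __name__ == "__main__":
    print(f"Located {count_cef(SAMPLE_LINES)} CEF messages in {len(SAMPLE_LINES)} sample lines")
```

Run it against real lines pulled from the daemon's log file (for example with `sudo tac /var/log/messages | grep CEF`) to confirm the appliance is sending CEF rather than its plain-text log format, which the collector will never recognise.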


