Forum Discussion
Jun 16, 2020
Cisco IronPort
We are trying to collect "CEF" logs from Cisco IronPort using Azure Sentinel. Syslog forwarder is configured on a RHEL machine. We do get data for "syslog". However nothing under the "CommonSe...
Ofer_Shezaf
Microsoft
Jun 17, 2020
Consultant1520 as far as I know IronPort does not support CEF, only Syslog, so this is to be expected. The list in Azure Sentinel: Syslog, CEF, Logstash and other 3rd party connectors grand list indicates if a source supports CEF or Syslog.
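As an added illustration (not code from the thread, from Microsoft or from Cisco): a Sentinel CEF collector only writes a forwarded message to the CommonSecurityLog table when the syslog MSG part carries a CEF header ("CEF:<version>|Vendor|Product|Version|SignatureID|Name|Severity|extension"); anything else stays in the Syslog table. The snippet below applies that rule to a few forwarded lines and parses the CEF header and extension. The sample lines, the "Example"/"Gateway" vendor and product names and the mail_logs message text are constructed for the example and are not real IronPort output; the code also does not model any product-specific parsing the Sentinel agent itself performs.

```python
import re

# A line as rsyslog/syslog-ng sees it: optional <PRI>, RFC 3164 timestamp,
# hostname, then the free-form MSG part.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# CEF messages carry "CEF:<version>|" in the MSG part (usually at its start; a
# program tag may precede it, so search rather than anchor).
CEF_MARKER = re.compile(r"CEF:(\d+)\|")
# The six pipe-delimited header fields that follow the version.
CEF_HEADER_KEYS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                   "DeviceEventClassID", "Activity", "LogSeverity")


def _split_header(text, count):
    """Split `count` pipe-delimited header fields, honouring backslash escapes
    (CEF writes a literal '|' in a header field as '\\|'). Returns the fields
    and the unconsumed remainder, which is the extension."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, text[i:]


def _parse_extension(ext):
    """Parse the CEF extension ('key=value key2=value ...'). Values may contain
    spaces, so a value runs up to the next 'key=' token; an escaped '\\=' inside
    a value is restored to '='."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_.]+)=", ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return out


def classify(line):
    """Return the record a CEF/Syslog collector would produce for one line,
    with 'table' set to CommonSecurityLog (CEF) or Syslog (everything else)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"table": None, "reason": "not a syslog line", "raw": line}
    msg = m.group("msg")
    hit = CEF_MARKER.search(msg)
    if hit is None:
        return {"table": "Syslog", "Computer": m.group("host"), "SyslogMessage": msg}
    header, ext = _split_header(msg[hit.end():], len(CEF_HEADER_KEYS))
    if len(header) != len(CEF_HEADER_KEYS):
        # Marker present but header truncated: a real collector would not be
        # able to fill the CEF columns, so treat it as plain syslog.
        return {"table": "Syslog", "Computer": m.group("host"), "SyslogMessage": msg,
                "reason": "CEF marker but malformed header"}
    record = {"table": "CommonSecurityLog", "Computer": m.group("host"),
              "CefVersion": int(hit.group(1))}
    record.update(zip(CEF_HEADER_KEYS, header))
    record["Extensions"] = _parse_extension(ext)
    return record


def route(lines):
    """Count lines per destination table. When CommonSecurityLog stays empty,
    the expected result is that every line from the device lands in Syslog."""
    counts = {}
    for line in lines:
        table = classify(line)["table"] or "unparsed"
        counts[table] = counts.get(table, 0) + 1
    return counts


# Constructed sample input (not captured from any real device).
SAMPLE_LINES = [
    # Plain syslog standing in for an appliance that only speaks syslog.
    "<134>Jun 17 10:15:02 mailgw01 mail_logs: Info: accepted connection from 203.0.113.10",
    # CEF over syslog; vendor, product and fields are made up for the example.
    r"<134>Jun 17 10:15:03 fw01 CEF:0|Example|Gateway|1.0|100|Connection \| accepted|3|"
    r"src=203.0.113.10 dst=198.51.100.5 spt=44321 dpt=443 msg=user alice\=admin logged in",
    # Plain syslog from the forwarder host itself.
    "<46>Jun 17 10:15:04 rhel-forwarder rsyslogd: action 'omfwd' resumed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line))
    print(route(SAMPLE_LINES))
```

Run against a capture of what the RHEL forwarder actually receives (for instance a few lines from `tcpdump -A` on the listening port, or the file rsyslog writes them to) to confirm whether any message from the device carries a CEF header at all; if none does, an empty CommonSecurityLog is the collector behaving as designed, not a forwarding fault.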
- Jun 17, 2020
Thanks for the reply, Ofer.
I am not that much of a Linux expert. I am a bit confused about this statement: "Cisco ASA doesn't support CEF, so the logs are sent as Syslog and the Azure Sentinel agent knows how to parse them as if they are CEF logs. Configure Cisco ASA to forward Syslog messages to your Azure workspace via the Syslog agent": https://docs.microsoft.com/en-us/azure/sentinel/connect-cisco#step-2-forward-cisco-asa-logs-to-the-syslog-agent
- Ofer_Shezaf
Jun 18, 2020
Microsoft
Consultant1520: Cisco IronPort and Cisco ASA are unrelated products and behave differently. My answer, and I believe your original question, was about IronPort.
- Jun 18, 2020
Thanks. I was under the impression that IronPort is a kind of Cisco ASA.
We actually got the syslog for facility and auth.