Forum Discussion
Jun 16, 2020
Cisco IronPort
We are trying to collect "CEF" logs from Cisco IronPort using Azure Sentinel. The syslog forwarder is configured on an RHEL machine. We do get data for "Syslog". However, nothing under the "CommonSe...
Jun 17, 2020
Thanks for the reply, Ofer.
I am not much of a Linux expert. I am a bit confused about this statement:
Cisco ASA doesn't support CEF, so the logs are sent as Syslog and the Azure Sentinel agent knows how to parse them as if they are CEF logs. Configure Cisco ASA to forward Syslog messages to your Azure workspace via the Syslog agent: https://docs.microsoft.com/en-us/azure/sentinel/connect-cisco#step-2-forward-cisco-asa-logs-to-the-syslog-agent
Ofer_Shezaf
Microsoft
Jun 18, 2020
Consultant1520: Cisco IronPort and Cisco ASA are unrelated products and behave differently. My answer, and I believe your original question, was about IronPort.
Jun 18, 2020
Thanks. I was under the impression that IronPort is a kind of Cisco ASA.
We actually got the syslog for facility and auth.
tomfoucha
Aug 16, 2021
Copper Contributor
Cisco Secure Email Gateway (aka IronPort) does support CEF formatted logs, but you have to add a new Log Subscription and select the fields you want in single log line format. These logs can be delivered via syslog or AWS S3 buckets.
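Added example, not from this thread and not Cisco's or Microsoft's code: a small Python parser that tells CEF-bearing syslog lines apart from plain syslog, which is the distinction behind data showing up under Syslog but not under CommonSecurityLog. The sample lines, vendor/product/event names and field values are constructed, not real IronPort output.

```python
import re

# Constructed sample lines (not real IronPort output). The first is an ordinary
# syslog line like those the poster saw under the Syslog table; the second is a
# CEF line of the kind a single-line-format log subscription would produce.
SAMPLE_LINES = [
    "<134>Jun 16 10:00:01 mailgw01 Info: MID 12345 ICID 67 From: <alice@example.com>",
    "<134>Jun 16 10:00:02 mailgw01 CEF:0|Cisco|IronPort|0.0|EXAMPLE_EVENT"
    "|Example event|5|ESAMID=12345 ESAICID=67 act=ACCEPT "
    "suser=alice\\=ops@example.com msg=Subject: hello world",
]

# A CEF header is seven '|'-separated fields; '|' and '\' inside a field are
# escaped as '\|' and '\\'. Everything after the seventh '|' is the extension.
_FIELD = r"((?:\\.|[^|\\])*)"
_HEADER_RE = re.compile(r"CEF:" + r"\|".join([_FIELD] * 7) + r"\|")
_HEADER_NAMES = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def parse_cef(line):
    """Return the CEF header and extension fields of a syslog line, or None
    when the line carries no CEF payload (i.e. it is plain syslog)."""
    m = _HEADER_RE.search(line)
    if not m:
        return None
    header = {k: re.sub(r"\\([\\|])", r"\1", v)
              for k, v in zip(_HEADER_NAMES, m.groups())}
    # Extension: space-separated key=value pairs. Values may contain spaces,
    # so split only where a space is followed by an unescaped 'key='.
    ext = {}
    for chunk in re.split(r" (?=\w+=)", line[m.end():]):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        ext[key] = re.sub(r"\\([\\=])", r"\1", value)  # unescape '\=' and '\\'
    return {"header": header, "extension": ext}


def classify(lines):
    """Count lines that would reach CommonSecurityLog (CEF) versus Syslog."""
    cef = sum(1 for ln in lines if parse_cef(ln) is not None)
    return {"cef": cef, "syslog": len(lines) - cef}


if __name__ == "__main__":
    print(classify(SAMPLE_LINES))
    print(parse_cef(SAMPLE_LINES[1]))
```

Running it over a file of forwarded lines shows whether the appliance is actually emitting a CEF header or only plain syslog, which is the first thing to check when CommonSecurityLog stays empty.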