Forum Discussion
AppropriateTangerine
Apr 22, 2020 - Copper Contributor
Has anyone successfully got a Cisco ASA data connector working?
I have a Cisco ASA successfully sending the logs to rsyslog via UDP 514 on an Ubuntu 18.04 server. The logs are successfully processed by the OMSAgent and sent to Sentinel as syslogs and are not pars...
wadstromdev
Apr 23, 2020 - Copper Contributor
AppropriateTangerine I've got the connector working, but the logs are not parsed correctly so they are useless once in Sentinel. I have an open support ticket regarding that.
security-config-omsagent.conf

:rawmsg, regex, "CEF\|ASA" ~
local4.debug @@127.0.0.1:25226

security_events.conf
<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  <parse>
    message_format auto
  </parse>
</source>
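To see which forwarded lines that `format` regex actually parses, here is an added Python example (not from the thread, and not part of the OMS agent) that ports the expression above to Python's `re` syntax and runs it over constructed sample lines; the `parse_line` and `check_lines` helpers and the sample lines are my own, and the behaviour assumed for fluentd's syslog input (it strips the `<PRI>` field and matches the regex as an unanchored search) is noted in the comments.

```python
import re

# Python port of the `format` regex from the security_events.conf above.
# Only change: Ruby's (?<name>...) groups are written (?P<name>...) for Python's re.
OMS_SECURITY_FORMAT = re.compile(
    r"(?P<time>(?:\w+ +){2,3}(?:\d+:){2}\d+"
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*"
    r"(?:(?P<host>[^: ]+) ?:?)?\s*"
    r"(?P<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?"
    r"(?P<message>0\|.*|.*)"
)

# Assumption: fluentd's syslog input removes the leading <PRI> field itself
# before the parser regex sees the line, so this checker does the same.
PRI_PREFIX = re.compile(r"^<\d{1,3}>")


def parse_line(line):
    """Return the fields the connector regex extracts from one forwarded syslog
    line, or None when it does not match. A None here is the first thing to
    look for when events show up in Sentinel unparsed."""
    body = PRI_PREFIX.sub("", line.rstrip("\r\n"))
    # Ruby's Regexp#match is an unanchored search, so use search(), not match().
    m = OMS_SECURITY_FORMAT.search(body)
    return m.groupdict() if m else None


def check_lines(lines):
    """Split captured lines into (parsed, unparsed) lists for review."""
    parsed, unparsed = [], []
    for line in lines:
        fields = parse_line(line)
        (parsed if fields else unparsed).append((line, fields))
    return parsed, unparsed


# Constructed sample lines (not real device output): an ASA in plain syslog
# mode, the same ASA in CEF mode, an ASA line forwarded with rsyslog's
# ISO-8601 timestamp template, and an unrelated sshd line from the collector.
SAMPLE_LINES = [
    "<166>Apr 22 10:15:01 asa-fw %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 to inside:10.0.0.5/51234",
    "<166>Apr 22 10:15:02 asa-fw CEF:0|Cisco|ASA|9.12|302013|Built outbound connection|3|src=10.0.0.5 dst=203.0.113.5",
    "<164>2020-04-22T10:15:03.123456+02:00 asa-fw %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22",
    "<38>Apr 22 10:15:04 ubuntu sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 52244 ssh2",
]

if __name__ == "__main__":
    parsed, unparsed = check_lines(SAMPLE_LINES)
    for line, fields in parsed:
        print("parsed  :", fields["ident"], "| host =", fields["host"], "| msg =", fields["message"].strip()[:40])
    for line, _ in unparsed:
        print("unparsed:", line)
```

Replace `SAMPLE_LINES` with lines captured from your own collector (for example with `tcpdump` on port 25226, or a copy of the rsyslog output) to see exactly which ones the connector's regex drops.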