Forum Discussion
How does CEF know where to look on the Syslog server for logs? Documentation unclear.
You need to configure your ASA firewalls to send the syslog data to the Sentinel syslog collector. Ensure that the Sentinel syslog collector has CEF log collection configured properly (run the test script from the CEF data connector page and make sure there are no errors). By default, the Sentinel collector will only get the logs sent to facility local4. Verify that your ASAs are using local4 as the facility (by default they do).
For additional details, check the Cisco ASA instructions here: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-syslog-cef-logstash-and-other-3rd-party/ba-p/803891
Adrian Grigorof
http://www.managedsentinel.com
AdiGrio, any ideas on what I can check to see why my FTD platform logs are not showing up in the CommonSecurityLog in Sentinel but my FMC connection events are? I do see my FTD logs on my eStreamer server in /var/log/syslogs, but they don't show in Sentinel. I am assuming the reason is because they are not in CEF format? I referenced the link you provided and couldn't find any reason for not seeing the FTD logs. Thanks.
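As an added example (not code from this thread or from Microsoft's CEF connector), the script below checks raw syslog lines for the two conditions the reply above names: the PRI header must resolve to facility local4, and the body must carry a CEF header. The sample lines are constructed for illustration; the FACILITY_NAMES table is the standard syslog facility numbering.

```python
import re

# Constructed sample syslog lines (not taken from the thread); PRI = facility*8 + severity.
SAMPLE_LINES = [
    "<166>Jan 10 10:00:01 fw1 CEF:0|Cisco|ASA|9.12|106023|Deny tcp|5|src=10.1.1.5 dst=10.2.2.7 dpt=22",
    "<134>Jan 10 10:00:02 fw2 CEF:0|Cisco|ASA|9.12|106023|Deny tcp|5|src=10.1.1.6 dst=10.2.2.8 dpt=23",
    "<166>Jan 10 10:00:03 ftd1 %FTD-6-430003: EventPriority: Low, DeviceUUID: 1234",
    "Jan 10 10:00:04 ftd2 CEF:0|Cisco|FTD|7.0|430003|Connection|3|src=10.1.1.7",
]

# Standard syslog facility numbers 0..23 (local0 = 16, so local4 = 20).
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
EXPECTED_FACILITY = "local4"          # the facility the Sentinel CEF collector listens on by default
PRI_RE = re.compile(r"^<(\d{1,3})>")  # syslog <PRI> prefix
CEF_RE = re.compile(r"CEF:\s*\d+\|")  # CEF header marker after the syslog header

def check_line(line):
    """Describe why a line would or would not be picked up as CEF by the collector."""
    problems = []
    facility = severity = None
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        facility, severity = FACILITY_NAMES[pri // 8], pri % 8
        if facility != EXPECTED_FACILITY:
            problems.append(f"facility is {facility}, collector expects {EXPECTED_FACILITY}")
    else:
        problems.append("missing or invalid <PRI> header, facility cannot be determined")
    is_cef = bool(CEF_RE.search(line))
    if not is_cef:
        problems.append("message body is not CEF (no 'CEF:<version>|' header)")
    return {"facility": facility, "severity": severity, "is_cef": is_cef, "problems": problems}

def diagnose(lines):
    """Check every line; an empty 'problems' list means the line should be ingested."""
    return [check_line(line) for line in lines]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, diagnose(SAMPLE_LINES)):
        status = "OK" if not result["problems"] else "; ".join(result["problems"])
        print(f"{line[:40]:40} -> {status}")
```

Run it against a capture from the collector host (for example, the lines rsyslog writes for the incoming stream) to separate "wrong facility" from "not CEF" before touching the Sentinel side.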