Home

Cisco ASA log entries duplicated in CommonSecurityLog and Syslog

%3CLINGO-SUB%20id%3D%22lingo-sub-1013881%22%20slang%3D%22en-US%22%3ECisco%20ASA%20log%20entries%20duplicated%20in%20CommonSecurityLog%20and%20Syslog%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1013881%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EI%20have%20some%20Cisco%20ASA%20firewalls%20sending%20their%20logs%20to%20the%20Sentinel%20collector%20(running%20on%20rsyslog)%20and%20I%20can%20see%20that%20most%20of%20the%20log%20entries%20in%20the%20CommonSecurityLog%20are%20also%20recorded%20in%20the%20Syslog%20table.%20That%20basically%20doubles%20the%20storage%20used%20and%20for%2015%20GB%2FDay%20worth%20of%20ASA%20logs%20that's%20a%20substantial%20double-dipping.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EExample%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20log%20extract%20from%20the%20CommonSecurityLog%20for%20session%20id%26nbsp%3B%20629326377%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157581i85BB9483A9C390AB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22CommonSecurityLog-2019-11-17%20111504.png%22%20title%3D%22CommonSecurityLog-2019-11-17%20111504.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20same%20session%20id%20(629326377)%20in%20the%20Syslog%20table%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157582iC71F92D874C17C9A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Syslog-2019-11-17%20111504.png%22%20title%3D%22Syslog-2019-11-17%20111504.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EI%20was%20under%20the%20impression%20that%26nbsp%3B%20the%20ASA%20logs%20that%20are%20sent%20as%20CEF%20are%20not%20supposed%20to%20end%20up%20in%20the%20Syslog%20as%20well.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20ASA%20logging%20is%20configured%20exactly%20as%20indicated%20by%20the%20Sentinel%20connector%20for%20Cisco%20ASA.%20We%20need%20the%20logs%20that%20are%20missed%20by%20the%20CEF%20parser%20as%20they%20contain%20good%20information%20but%20we%20don't%20want%20them%20duplicated.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20thoughts%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EAdrian%20Grigorof%3C%2FP%3E%3CP%3EManaged%20Sentinel%20Inc.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.managedsentinel.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewww.managedsentinel.com%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1015762%22%20slang%3D%22en-US%22%3ERe%3A%20Cisco%20ASA%20log%20entries%20duplicated%20in%20CommonSecurityLog%20and%20Syslog%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1015762%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F353788%22%20target%3D%22_blank%22%3E%40AdiGrio%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThey%20should%20not%20be%20sent%20to%20syslog.%26nbsp%3B%20Did%20you%20use%20the%20configuration%20script%20for%20configuring%20CEF%20collector%3F%3F%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1015800%22%20slang%3D%22en-US%22%3ERe%3A%20Cisco%20ASA%20log%20entries%20duplicated%20in%20CommonSecurityLog%20and%20Syslog%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1015800%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F2864%22%20target%3D%22_blank%22%3E%40Nicholas%20DiCola%20(SECURITY%20JEDI)%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20your%20reply%20and%20yes%2C%20the%20instructions%20to%20configure%20the%20log%20collection%20for%20ASA%20were%20followed%20as%20I%20mentioned%20in%20my%20original%20post%20and%20we%20are%20getting%20the%20log%20entries%20parsed%20in%20CommonSecurityLog.%20Would%20we%20get%20them%20if%20the%20CEF%20collector%20was%20not%20configured%20properly%3F%20I%20have%20this%20happening%20in%20two%20Sentinel%20instances.%20One%20has%20a%20low%20volume%20of%20ASA%20logs%20so%20the%20effect%20was%20negligible%20but%20the%20other%20one%20cannot%20be%20ignored.%20The%20volume%20of%20data%20ingested%20per%20day%20for%20the%20two%20logs%20is%20almost%20the%20same%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157780i9BDD8E60C98D2AFD%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EAdrian%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1017623%22%20slang%3D%22en-US%22%3ERe%3A%20Cisco%20ASA%20log%20entries%20duplicated%20in%20CommonSecurityLog%20and%20Syslog%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1017623%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F353788%22%20target%3D%22_blank%22%3E%40AdiGrio%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eyes%20its%20possible%20misconfiguration.%26nbsp%3B%20can%20you%20share%20what%20steps%20you%20followed%20and%20the%20config%20files%20you%20are%20using%3F%26nbsp%3B%20they%20should%20be%20generic%20configs.%3C%2FP%3E%3C%2FLINGO-BODY%3E
AdiGrio
Occasional Contributor

Hi,

I have some Cisco ASA firewalls sending their logs to the Sentinel collector (running on rsyslog) and I can see that most of the log entries in the CommonSecurityLog are also recorded in the Syslog table. That basically doubles the storage used and for 15 GB/Day worth of ASA logs that's a substantial double-dipping. 

 

Example:

 

The log extract from the CommonSecurityLog for session id  629326377:

 

CommonSecurityLog-2019-11-17 111504.png

 

The same session id (629326377) in the Syslog table:

 

Syslog-2019-11-17 111504.png

I was under the impression that  the ASA logs that are sent as CEF are not supposed to end up in the Syslog as well. 

 

The ASA logging is configured exactly as indicated by the Sentinel connector for Cisco ASA. We need the logs that are missed by the CEF parser as they contain good information but we don't want them duplicated. 

 

Any thoughts?

 

Regards,

Adrian Grigorof

Managed Sentinel Inc.

www.managedsentinel.com

3 Replies

@AdiGrio 

They should not be sent to syslog.  Did you use the configuration script for configuring CEF collector???

@Nicholas DiCola (SECURITY JEDI) 

 

Thanks for your reply and yes, the instructions to configure the log collection for ASA were followed as I mentioned in my original post and we are getting the log entries parsed in CommonSecurityLog. Would we get them if the CEF collector was not configured properly? I have this happening in two Sentinel instances. One has a low volume of ASA logs so the effect was negligible but the other one cannot be ignored. The volume of data ingested per day for the two logs is almost the same:

 

clipboard_image_0.png

 

Regards,

Adrian

@AdiGrio 

yes its possible misconfiguration.  can you share what steps you followed and the config files you are using?  they should be generic configs.

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies