Cisco ASA integration

New Contributor



Have managed to get logs into Sentinel, and can see them in Analytics and in the events list and graph, but none of the other metric return anything other than 'the query returned no results'


Any ideas?



5 Replies

@saint_stevo One thing we noted on our setup was event IDs were missing.  

Did you have a solution?
Nope, we just did a quick ingestion of the ASA logs to see what they looked like. We filtered the logs based on VPN connnection messages so it worked for our purpose. To move forward in a production setup we would have needed to solve that event ID issue.


The Cisco ASA dashboard is indeed unusable but the main problem lies in the parsing of the Cisco ASA logs. Cisco managed to make these logs very complicated and difficult to process. For example, to get the full data on a simple TCP connection one needs to correlate two different types of log entries based on the session id and reshuffle the source IP/port and destination IP/port depending on the direction of the traffic. So, to actually get useful data from the raw Cisco ASA logs in the CommonSecurityLog first you need to build a parser to put the data in order and the build a workbook/dashboard for it. To make things more complicated, only some log entries are sent to the CommonSecurityLog (those related to allowed traffic). The rest are sent to the Syslog table where again, one needs to build a parser from scratch. Microsoft if doing actually a little bit of work in the background to convert some of the ASA log entries to CEF (as you probably know, the ASA don't know CEF).


For example, a correct parser would provide this type of data:




Once you have the good data, it is much easier to build a workbook for it:




I have just little bit of data as we only have a test Cisco ASA 5505 that is not actively used but if you have the data you can build any kind of visualization. What type of data you would want to see on an ASA dashboard?


Adrian Grigorof


Thanks for the reply! Not sure i would know where to start with regard the parser.....but your example screenshot is a lot more useful than 'The query returned no results' so maybe use Lockdown to learn!


I guess a number of 'red flag' type bits on a dashboard, Rule changes, failed SSH etc. And some trends of top denied/allowed based on IP/Protocol/Port would be a start