Cisco ASA log entries duplicated in CommonSecurityLog and Syslog


Hi,

I have some Cisco ASA firewalls sending their logs to the Sentinel collector (running on rsyslog) and I can see that most of the log entries in the CommonSecurityLog are also recorded in the Syslog table. That basically doubles the storage used and for 15 GB/Day worth of ASA logs that's a substantial double-dipping.

Example:

The log extract from the CommonSecurityLog for session id 629326377:

[Image: CommonSecurityLog-2019-11-17 111504.png]

The same session id (629326377) in the Syslog table:

[Image: Syslog-2019-11-17 111504.png]

I was under the impression that the ASA logs that are sent as CEF are not supposed to end up in the Syslog as well.

The ASA logging is configured exactly as indicated by the Sentinel connector for Cisco ASA. We need the logs that are missed by the CEF parser as they contain good information but we don't want them duplicated.

Any thoughts?

Regards,

Adrian Grigorof

Managed Sentinel Inc.

www.managedsentinel.com

5 Replies

@AdiGrio

They should not be sent to syslog. Did you use the configuration script for configuring CEF collector???

@Nicholas DiCola (SECURITY JEDI)

Thanks for your reply and yes, the instructions to configure the log collection for ASA were followed as I mentioned in my original post and we are getting the log entries parsed in CommonSecurityLog. Would we get them if the CEF collector was not configured properly? I have this happening in two Sentinel instances. One has a low volume of ASA logs so the effect was negligible but the other one cannot be ignored. The volume of data ingested per day for the two logs is almost the same:

[Image: clipboard_image_0.png]

Regards,

Adrian

@AdiGrio

Yes, it's a possible misconfiguration. Can you share what steps you followed and the config files you are using? They should be generic configs.

Did you find any solution on this @AdiGrio? I have the same issue with the default installation.

Also, do you know if there is a way for syslog not to be written to /var/log/messages?

I am facing the same issue with Fortinet logs.
I performed the recommended steps as per documentation.

Using the same machine to forward both plain Syslog and CEF messages

If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the Syslog and CommonSecurityLog tables:

On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent for detailed instructions on how to do this.

You must run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Azure Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten.
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
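
The facility cleanup described in the quoted documentation can be checked before editing anything. The following is an added example, not part of the thread or of Microsoft's tooling: it finds facilities that rsyslog selector rules forward to both agent listeners and prints the Syslog rules with those facilities removed. The ports (25224 for Syslog, 25226 for CEF) are assumed agent defaults and both sample configs are constructed.

```python
import re

# Assumed defaults: the agent listens on 25224 for Syslog and 25226 for CEF.
SYSLOG_PORT, CEF_PORT = 25224, 25226
RULE = re.compile(r"^(\S+)\s+(@{1,2}[\w.\-]+:(\d+))\s*$")

# Constructed sample configs, not taken from the thread.
SYSLOG_CONF = """\
auth.=alert;auth.=crit;auth.=err @127.0.0.1:25224
local4.=alert;local4.=info;local4.=debug @127.0.0.1:25224
daemon,local4.=warning @127.0.0.1:25224
"""
CEF_CONF = "local4.debug @127.0.0.1:25226\n"

def facilities(conf, port):
    """Facilities that selector rules in `conf` forward to local `port`."""
    found = set()  # '*' wildcards and property-based filters are not expanded
    for line in conf.splitlines():
        m = RULE.match(line.strip())
        if m and int(m.group(3)) == port:
            for selector in m.group(1).split(";"):
                found.update(selector.partition(".")[0].split(","))
    return found

def duplicated(syslog_conf, cef_conf):
    """Facilities delivered to both tables (Syslog and CommonSecurityLog)."""
    return sorted(facilities(syslog_conf, SYSLOG_PORT) & facilities(cef_conf, CEF_PORT))

def strip_facilities(syslog_conf, drop):
    """Syslog config with every selector for a facility in `drop` removed."""
    out = []
    for line in syslog_conf.splitlines():
        m = RULE.match(line.strip())
        if not m or int(m.group(3)) != SYSLOG_PORT:
            out.append(line)  # comments, blanks and other rules stay untouched
            continue
        kept = []
        for selector in m.group(1).split(";"):
            facs, dot, prio = selector.partition(".")
            left = [f for f in facs.split(",") if f not in drop]
            if left:
                kept.append(",".join(left) + dot + prio)
        if kept:  # a rule left with no selectors is dropped entirely
            out.append(";".join(kept) + " " + m.group(2))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(strip_facilities(SYSLOG_CONF, set(duplicated(SYSLOG_CONF, CEF_CONF))), end="")
```

An empty result from `duplicated` on a collector that still shows duplicates suggests the CEF rule is a message-content filter rather than a facility selector, which this check does not parse.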