Cisco IronPort .


We are trying to collect "CEF" logs from Cisco IronPort using Azure Sentinel.

Syslog forwarder is configured on RHEL machine.

We do get data for "syslog".

However nothing under the "CommonSecurityLog". We can see the following error messages:
Could not locate "CEF" message in tcpdump
Fetching CEF messages from daemon files.

tac: failed to open ‘/var/log/syslog’ for reading: No such file or directory
Located 0
CEF\ASA messages
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
tac: failed to open ‘/var/log/syslog’ for reading: No such file or directory
Located 0
CEF\ASA messages
Error: no CEF messages received by the daemon.

sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2020-06-16T10:01:10.065437Z INFO ExtHandler ExtHandler [HEARTBEAT] Agent WALinuxAgent-2.2.48.1 is running as the goal state agent
Could not locate "CEF" message in tcpdump
Simulating mock data which you can find in your workspace
This will take 60 seconds.
sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Could not locate "CEF" message in tcpdump
Completed troubleshooting.

sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

4 Replies

@Consultant1520 as far as I know IronPort does not support CEF, only Syslog, so this is to be expected. The list in Azure Sentinel: Syslog, CEF, Logstash and other 3rd party connectors grand list indicates if a source supports CEF or Syslog.
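The troubleshooter output in the question ("Located 0 CEF\ASA messages", nothing matched in the tcpdump on port 25226) and the point above that IronPort emits plain Syslog rather than CEF both come down to one test: does the syslog payload carry a `CEF:<version>|` header? The following Python script is an added example, not code from this thread, from Microsoft or from Cisco. It applies that test to constructed sample lines (hostnames, addresses and message text are made up), counts CEF versus plain-syslog lines the way the troubleshooter tallies them, and parses the header and extension of the one line that does carry CEF, including escaped `|` in header fields and escaped `=` in extension values.

```python
"""Check whether syslog lines carry CEF payloads, and parse the ones that do.

Added example, not code from the thread, Microsoft or Cisco. The sample
lines below are constructed: hostnames, addresses and message text are made up.
"""
import re

# Constructed sample input: two plain syslog lines of the kind an IronPort /
# Email Security Appliance emits (mail log and auth facility), and one
# syslog-wrapped CEF event as a CEF-capable product would send it.
SAMPLE_LINES = [
    "<22>Jun 16 10:01:10 esa01 mail_logs: Info: MID 1234 ICID 5678 From: <user@example.com>",
    "<38>Jun 16 10:01:12 esa01 sshd[1001]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
    "<14>Jun 16 10:02:00 fw01 CEF:0|Vendor|Product|1.0|100|Connection denied|5|"
    "src=10.0.0.5 dst=10.0.0.9 dpt=443 msg=denied\\=by\\=policy",
]

# A CEF payload starts with "CEF:<version>|" somewhere after the syslog header.
CEF_HEADER_RE = re.compile(r"CEF:(\d+)\|")
# Extension keys: "key=" at the start of the extension or after whitespace.
# An escaped "\=" inside a value is not preceded by whitespace, so it is skipped.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def is_cef(line: str) -> bool:
    """True if the line carries a CEF header; this is the test the Sentinel
    troubleshooter applies when it counts "CEF\\ASA messages"."""
    return CEF_HEADER_RE.search(line) is not None


def _split_header(text: str, nfields: int = 6):
    """Split the text after "CEF:0|" on unescaped '|' into nfields header
    fields plus the remainder (the extension, which may itself contain '|')."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < nfields:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # "\|" or "\\" inside a header field
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    fields.append("".join(buf) + text[i:])
    return fields


def _unescape(value: str) -> str:
    """Undo extension escaping: "\\=" -> "=", "\\\\" -> "\\", "\\n"/"\\r" -> newline."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> dict:
    """Turn "k1=v1 k2=v2 with spaces" into a dict; each value runs to the next key."""
    keys = list(EXT_KEY_RE.finditer(ext))
    pairs = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end])
    return pairs


def parse_cef(line: str) -> dict:
    """Parse one syslog-wrapped CEF line into header fields and extension."""
    m = CEF_HEADER_RE.search(line)
    if m is None:
        raise ValueError("no CEF header in line")
    parts = _split_header(line[m.end():])
    if len(parts) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-separated fields")
    vendor, product, version, sig_id, name, severity, ext = parts
    return {
        "syslog_prefix": line[:m.start()].rstrip(),
        "cef_version": int(m.group(1)),
        "device_vendor": vendor,
        "device_product": product,
        "device_version": version,
        "signature_id": sig_id,
        "name": name,
        "severity": severity,
        "extension": parse_extension(ext),
    }


def summarize(lines) -> dict:
    """Count CEF vs plain-syslog lines, mirroring the troubleshooter's
    "Located N CEF\\ASA messages" tally, and return the parsed CEF events."""
    events = [parse_cef(line) for line in lines if is_cef(line)]
    return {"cef": len(events), "syslog": len(lines) - len(events), "events": events}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    print(f"CEF lines: {result['cef']}, plain syslog lines: {result['syslog']}")
    for ev in result["events"]:
        print(ev["device_vendor"], ev["name"], ev["extension"])
```

Run against the constructed sample, only the firewall line counts as CEF; the two ESA-style lines are plain Syslog and would land in the Syslog table, never in CommonSecurityLog, which is exactly the symptom in the question. Pointing `summarize()` at real lines read from the daemon's log file or from the tcpdump on port 25226 gives the same answer the troubleshooter gives, with the parsed fields available for inspection.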

@Ofer_Shezaf

Thanks for the reply Ofer.

I am not that much of a Linux expert. I have a bit of confusion around this statement:

Cisco ASA doesn't support CEF, so the logs are sent as Syslog and the Azure Sentinel agent knows how to parse them as if they are CEF logs. Configure Cisco ASA to forward Syslog messages to your Azure workspace via the Syslog agent: https://docs.microsoft.com/en-us/azure/sentinel/connect-cisco#step-2-forward-cisco-asa-logs-to-the-syslog-agent

@Consultant1520: Cisco IronPort and Cisco ASA are unrelated products and behave differently. My answer and, I believe, your original question were about IronPort.

@Ofer_Shezaf

Thanks. I was under the impression that IronPort is a kind of Cisco ASA.

We actually got the syslog for facility and auth.