cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Has anyone successfully got a Cisco ASA data connector working?

AppropriateTangerine
Copper Contributor

‎Apr 22 2020 03:54 PM

‎Apr 22 2020 03:54 PM

Has anyone successfully got a Cisco ASA data connector working?

I have a Cisco ASA successfully sending the logs to rsyslog via UDP 514 on an Ubuntu 18.04 server. The logs are successfully processed by the OMSAgent and sent to sentinal as syslogs and are not parsed as Cisco ASA logs. The Cisco ASA connector shows as unconnected. The syslog connector shows as connected. The test script successfully forwards the mock CEF packets to Sentinel. Yet none of my ASA logs are seen as "ASA"

omsagent.log

2020-04-23 10:42:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:42:54.311Z
2020-04-23 10:43:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:43:54.312Z
2020-04-23 10:44:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:44:54.312Z
2020-04-23 10:45:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:45:54.313Z
2020-04-23 10:46:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:46:54.313Z
2020-04-23 10:47:07 +1200 [info]: OMS agent management service telemetry request success
2020-04-23 10:47:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:47:54.314Z
2020-04-23 10:48:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:48:54.314Z
2020-04-23 10:49:03 +1200 [warn]: Exceeded max attempts to fetch Azure Resource ID, killing the thread
2020-04-23 10:49:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:49:54.315Z

 

security-config-omsagent.conf

#OMS_facility = local4
local4.debug @127.0.0.1:25226

#:rawmsg, regex, "CEF\|ASA" ~
#*.* @@127.0.0.1:25226

(I've tried it also with the #ed out config)

 

security_events.conf

<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>


<filter oms.security.**>
type filter_syslog_security
</filter>

 

Any suggestions would be most welcome.

5,364 Views
0 Likes
4 Replies
Reply
4 Replies
wadstromdev

‎Apr 23 2020 08:55 AM

‎Apr 23 2020 08:55 AM

Re: Has anyone successfully got a Cisco ASA data connector working?

@AppropriateTangerine I've got the connector working, but the logs are not parsed correctly so they are useless once in Sentinel. I have an open support ticket regarding that.

 

security-config-omsagent.conf

:rawmsg, regex, "CEF\|ASA" ~
local4.debug @@127.0.0.1:25226

 security_events.conf

<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  <parse>
     message_format auto
  </parse>
</source>
0 Likes
Reply
AdiGrio

‎Apr 26 2020 07:12 AM

‎Apr 26 2020 07:12 AM

Re: Has anyone successfully got a Cisco ASA data connector working?

@AppropriateTangerine 

 

See my reply to a post about the Cisco ASA workbook: https://techcommunity.microsoft.com/t5/azure-sentinel/cisco-asa-integration/m-p/1295542.

 

I will probably write a detailed article on this subject and post it here, the only challenge is that I don't have access "real" Cisco ASA, just a small one in our lab. As I mentioned in the other post, the ASA logs are not easy to deal with and the log format is very inconsistent hence the limitations on the Sentinel parser (so your connector is probably configured properly but there is only that much that it can do).

 

Adrian Grigorof

www.managedsentinel.com

0 Likes
Reply
saikrishnan280

‎Jul 22 2020 03:28 AM

‎Jul 22 2020 03:28 AM

Re: Has anyone successfully got a Cisco ASA data connector working?

@AdiGrio 

Any further updates on the same, even am facing the same problem.

0 Likes
Reply
majo01

‎Jul 22 2020 06:15 AM - edited ‎Jul 22 2020 06:18 AM

‎Jul 22 2020 06:15 AM - edited ‎Jul 22 2020 06:18 AM

Re: Has anyone successfully got a Cisco ASA data connector working?

@AppropriateTangerine 

 

I got it working, but Sentinel parser parses only main ASA messages, specifically Connection logs. There is also glitch in parsing connection logs, where UserID isn't extracted by the parser.

 

You need to disable logging timestamp at the ASA. And you should find the logs mapped to the CEF table, if you don't find the logs there but you find them in Syslog table, there must be an issue in the local log forwarding from syslog daemon to the correct Fluentd plugin within the OMSAgent, needs more focused troubleshooting.

 

0 Likes
Reply