cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MCAS - Log Collector - Configuration Not Sending to MCAS

Shawn May
Copper Contributor

‎Feb 23 2020 06:41 AM

‎Feb 23 2020 06:41 AM

MCAS - Log Collector - Configuration Not Sending to MCAS

I'm fairly new to MCAS.  Am attempting to get an onPrem log collector (docker) to transmit ASA logs to the log collector in MCAS. However, something is not working.

 

This docker instance is running within a hyper-v 2016 guest (Guest: Windows Server 2019). 

 

The source is an ASA 5508 sending syslog (level 6) to the docker instance on TCP 20000.  Host firewall inbound rule allows TCP 20000 from the ASA.

 

Within Azure MCAS, it shows the log collector is "Connected" - Warning: No data was received since log collection deployment.  Make sure you complete on-premises configuration of your network appliances.

 

From a review of a NetMon network trace, run from the host, we are receiving traffic from the ASA on TCP 20000.  Netstat does show the server is listening on TCP 20000.  Below is docker run command.

 

Have opened a case with MS, but they claim to be new as MCAS and docker.

 

Any ideas why I'm not getting data?

 

docker run
--name ASALogCollector
-p 20000:20000/tcp
-p 21:21
-p 20001-20099:20001-20099

-e "PUBLICIP='internalhost.acme.com'"
-e "PROXY="
-e "SYSLOG=true"
-e "CONSOLE=xxxxx.us3.portal.cloudappsecurity.com"
-e "COLLECTOR=ASALogCollector"

--security-opt apparmor:unconfined
--cap-add=SYS_ADMIN
--restart unless-stopped
-a stdin
-i microsoft/caslogcollector starter

3,269 Views
0 Likes
5 Replies
Reply
5 Replies
Steven Shockley

‎Feb 26 2020 05:33 AM

‎Feb 26 2020 05:33 AM

Re: MCAS - Log Collector - Configuration Not Sending to MCAS

@Shawn May 

 

Do you see a lot of lsof processes running taking up a lot of CPU time?  I had to bypass the lsof process in the container (remove lsof, link /bin/true to lsof) to get it to work.  I understand that's fixed in the current version though.  If you do see high CPU usage by lsof let me know and I'll provide detailed instructions.

0 Likes
Reply
Danny Kadyshevitch

‎Mar 01 2020 06:18 AM

‎Mar 01 2020 06:18 AM

Re: MCAS - Log Collector - Configuration Not Sending to MCAS

Hi Shawn,

Can you please PM me with your case Id, so that I can make sure it is being handled by our support experts?

Thanks,
Danny.
0 Likes
Reply
tgreed99

‎May 22 2020 10:25 AM

‎May 22 2020 10:25 AM

Re: MCAS - Log Collector - Configuration Not Sending to MCAS

@Danny Kadyshevitch Was this resolved? I am having the same problem. My log collector is receiving ftp log files from my Palo Alto NGFW but not sending them to MCAS.

0 Likes
Reply
Shawn May

‎May 22 2020 02:51 PM

‎May 22 2020 02:51 PM

Re: MCAS - Log Collector - Configuration Not Sending to MCAS

@tgreed99 

 

Here is the configuration I used to get around this mess.  1025 corresponds to the internal docker port, and 601/tcp is the host's ports.

 

docker run
--name ACMEASALogCollector
-p 1025:601/tcp  <----
-p 21:21

-p 20000-20099:20000-20099Capture.PNG

0 Likes
Reply
tgreed99

‎May 27 2020 09:20 AM

‎May 27 2020 09:20 AM

Re: MCAS - Log Collector - Configuration Not Sending to MCAS

@Shawn May  Thanks Shawn, I changed from FTP to SYSLOG and this worked.

I have another problem now. There is no data showing in the continuous report for this log collector. Is there something else I need to do? I am using a traffic syslog from a Palo Alto firewall. Tried the URL log also but same result.

 

Thank you.

0 Likes
Reply