Feb 23 2020 06:41 AM
Feb 23 2020 06:41 AM
I'm fairly new to MCAS. Am attempting to get an onPrem log collector (docker) to transmit ASA logs to the log collector in MCAS. However, something is not working.
This docker instance is running within a hyper-v 2016 guest (Guest: Windows Server 2019).
The source is an ASA 5508 sending syslog (level 6) to the docker instance on TCP 20000. Host firewall inbound rule allows TCP 20000 from the ASA.
Within Azure MCAS, it shows the log collector is "Connected" - Warning: No data was received since log collection deployment. Make sure you complete on-premises configuration of your network appliances.
From a review of a NetMon network trace, run from the host, we are receiving traffic from the ASA on TCP 20000. Netstat does show the server is listening on TCP 20000. Below is docker run command.
Have opened a case with MS, but they claim to be new as MCAS and docker.
Any ideas why I'm not getting data?
-i microsoft/caslogcollector starter
Feb 26 2020 05:33 AM
Do you see a lot of lsof processes running taking up a lot of CPU time? I had to bypass the lsof process in the container (remove lsof, link /bin/true to lsof) to get it to work. I understand that's fixed in the current version though. If you do see high CPU usage by lsof let me know and I'll provide detailed instructions.
Mar 01 2020 06:18 AM
May 22 2020 10:25 AM
@Danny Kadyshevitch Was this resolved? I am having the same problem. My log collector is receiving ftp log files from my Palo Alto NGFW but not sending them to MCAS.
May 22 2020 02:51 PM
Here is the configuration I used to get around this mess. 1025 corresponds to the internal docker port, and 601/tcp is the host's ports.
-p 1025:601/tcp <----
May 27 2020 09:20 AM
@Shawn May Thanks Shawn, I changed from FTP to SYSLOG and this worked.
I have another problem now. There is no data showing in the continuous report for this log collector. Is there something else I need to do? I am using a traffic syslog from a Palo Alto firewall. Tried the URL log also but same result.