MCAS - Log Collector - Configuration Not Sending to MCAS

%3CLINGO-SUB%20id%3D%22lingo-sub-1189497%22%20slang%3D%22en-US%22%3EMCAS%20-%20Log%20Collector%20-%20Configuration%20Not%20Sending%20to%20MCAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1189497%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20fairly%20new%20to%20MCAS.%26nbsp%3B%20Am%20attempting%20to%20get%20an%20onPrem%20log%20collector%20(docker)%20to%20transmit%20ASA%20logs%20to%20the%20log%20collector%20in%20MCAS.%20However%2C%20something%20is%20not%20working.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20docker%20instance%20is%20running%20within%20a%20hyper-v%202016%20guest%20(Guest%3A%20Windows%20Server%202019).%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20source%20is%20an%20ASA%205508%20sending%20syslog%20(level%206)%20to%20the%20docker%20instance%20on%20TCP%2020000.%26nbsp%3B%20Host%20firewall%20inbound%20rule%20allows%20TCP%2020000%20from%20the%20ASA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWithin%20Azure%20MCAS%2C%20it%20shows%20the%20log%20collector%20is%20%22Connected%22%20-%20Warning%3A%20No%20data%20was%20received%20since%20log%20collection%20deployment.%26nbsp%3B%20Make%20sure%20you%20complete%20on-premises%20configuration%20of%20your%20network%20appliances.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFrom%20a%20review%20of%20a%20NetMon%20network%20trace%2C%20run%20from%20the%20host%2C%20we%20are%20receiving%20traffic%20from%20the%20ASA%20on%20TCP%2020000.%26nbsp%3B%20Netstat%20does%20show%20the%20server%20is%20listening%20on%20TCP%2020000.%26nbsp%3B%20Below%20is%20docker%20run%20command.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHave%20opened%20a%20case%20with%20MS%2C%20but%20they%20claim%20to%20be%20new%20as%20MCAS%20and%20docker.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%20why%20I'm%20not%20getting%20data%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Edocker%20run%3CBR%20%2F%3E--name%20ASALogCollector%3CBR%20%2F%3E-p%2020000%3A20000%2Ftcp%3CBR%20%2F%3E-p%2021%3A21%3CBR%20%2F%3E-p%2020001-20099%3A20001-20099%3C%2FP%3E%3CP%3E-e%20%22PUBLICIP%3D'internalhost.acme.com'%22%3CBR%20%2F%3E-e%20%22PROXY%3D%22%3CBR%20%2F%3E-e%20%22SYSLOG%3Dtrue%22%3CBR%20%2F%3E-e%20%22CONSOLE%3Dxxxxx.us3.portal.cloudappsecurity.com%22%3CBR%20%2F%3E-e%20%22COLLECTOR%3DASALogCollector%22%3C%2FP%3E%3CP%3E--security-opt%20apparmor%3Aunconfined%3CBR%20%2F%3E--cap-add%3DSYS_ADMIN%3CBR%20%2F%3E--restart%20unless-stopped%3CBR%20%2F%3E-a%20stdin%3CBR%20%2F%3E-i%20microsoft%2Fcaslogcollector%20starter%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1189497%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EApp%20Connectors%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ECloud%20Discovery%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1195646%22%20slang%3D%22en-US%22%3ERe%3A%20MCAS%20-%20Log%20Collector%20-%20Configuration%20Not%20Sending%20to%20MCAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1195646%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F211475%22%20target%3D%22_blank%22%3E%40Shawn%20May%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20see%20a%20lot%20of%20lsof%20processes%20running%20taking%20up%20a%20lot%20of%20CPU%20time%3F%26nbsp%3B%20I%20had%20to%20bypass%20the%20lsof%20process%20in%20the%20container%20(remove%20lsof%2C%20link%20%2Fbin%2Ftrue%20to%20lsof)%20to%20get%20it%20to%20work.%26nbsp%3B%20I%20understand%20that's%20fixed%20in%20the%20current%20version%20though.%26nbsp%3B%20If%20you%20do%20see%20high%20CPU%20usage%20by%20lsof%20let%20me%20know%20and%20I'll%20provide%20detailed%20instructions.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1203151%22%20slang%3D%22en-US%22%3ERe%3A%20MCAS%20-%20Log%20Collector%20-%20Configuration%20Not%20Sending%20to%20MCAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1203151%22%20slang%3D%22en-US%22%3EHi%20Shawn%2C%3CBR%20%2F%3E%3CBR%20%2F%3ECan%20you%20please%20PM%20me%20with%20your%20case%20Id%2C%20so%20that%20I%20can%20make%20sure%20it%20is%20being%20handled%20by%20our%20support%20experts%3F%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%2C%3CBR%20%2F%3EDanny.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1412199%22%20slang%3D%22en-US%22%3ERe%3A%20MCAS%20-%20Log%20Collector%20-%20Configuration%20Not%20Sending%20to%20MCAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1412199%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F112613%22%20target%3D%22_blank%22%3E%40Danny%20Kadyshevitch%3C%2FA%3E%26nbsp%3BWas%20this%20resolved%3F%20I%20am%20having%20the%20same%20problem.%20My%20log%20collector%20is%20receiving%20ftp%20log%20files%20from%20my%20Palo%20Alto%20NGFW%20but%20not%20sending%20them%20to%20MCAS.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1412782%22%20slang%3D%22en-US%22%3ERe%3A%20MCAS%20-%20Log%20Collector%20-%20Configuration%20Not%20Sending%20to%20MCAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1412782%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F677203%22%20target%3D%22_blank%22%3E%40tgreed99%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20the%20configuration%20I%20used%20to%20get%20around%20this%20mess.%26nbsp%3B%201025%20corresponds%20to%20the%20internal%20docker%20port%2C%20and%20601%2Ftcp%20is%20the%20host's%20ports.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Edocker%20run%3CBR%20%2F%3E--name%20ACMEASALogCollector%3CBR%20%2F%3E-p%201025%3A601%2Ftcp%26nbsp%3B%20%26lt%3B----%3CBR%20%2F%3E-p%2021%3A21%3C%2FP%3E%3CP%3E-p%2020000-20099%3A20000-20099%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Capture.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F194012i8297AD6BF882940F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Capture.PNG%22%20alt%3D%22Capture.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1421181%22%20slang%3D%22en-US%22%3ERe%3A%20MCAS%20-%20Log%20Collector%20-%20Configuration%20Not%20Sending%20to%20MCAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1421181%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F211475%22%20target%3D%22_blank%22%3E%40Shawn%20May%3C%2FA%3E%26nbsp%3B%20Thanks%20Shawn%2C%20I%20changed%20from%20FTP%20to%20SYSLOG%20and%20this%20worked.%3C%2FP%3E%3CP%3EI%20have%20another%20problem%20now.%20There%20is%20no%20data%20showing%20in%20the%20continuous%20report%20for%20this%20log%20collector.%20Is%20there%20something%20else%20I%20need%20to%20do%3F%20I%20am%20using%20a%20traffic%20syslog%20from%20a%20Palo%20Alto%20firewall.%20Tried%20the%20URL%20log%20also%20but%20same%20result.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

I'm fairly new to MCAS.  Am attempting to get an onPrem log collector (docker) to transmit ASA logs to the log collector in MCAS. However, something is not working.

 

This docker instance is running within a hyper-v 2016 guest (Guest: Windows Server 2019). 

 

The source is an ASA 5508 sending syslog (level 6) to the docker instance on TCP 20000.  Host firewall inbound rule allows TCP 20000 from the ASA.

 

Within Azure MCAS, it shows the log collector is "Connected" - Warning: No data was received since log collection deployment.  Make sure you complete on-premises configuration of your network appliances.

 

From a review of a NetMon network trace, run from the host, we are receiving traffic from the ASA on TCP 20000.  Netstat does show the server is listening on TCP 20000.  Below is docker run command.

 

Have opened a case with MS, but they claim to be new as MCAS and docker.

 

Any ideas why I'm not getting data?

 

docker run
--name ASALogCollector
-p 20000:20000/tcp
-p 21:21
-p 20001-20099:20001-20099

-e "PUBLICIP='internalhost.acme.com'"
-e "PROXY="
-e "SYSLOG=true"
-e "CONSOLE=xxxxx.us3.portal.cloudappsecurity.com"
-e "COLLECTOR=ASALogCollector"

--security-opt apparmor:unconfined
--cap-add=SYS_ADMIN
--restart unless-stopped
-a stdin
-i microsoft/caslogcollector starter

5 Replies
Highlighted

@Shawn May 

 

Do you see a lot of lsof processes running taking up a lot of CPU time?  I had to bypass the lsof process in the container (remove lsof, link /bin/true to lsof) to get it to work.  I understand that's fixed in the current version though.  If you do see high CPU usage by lsof let me know and I'll provide detailed instructions.

Highlighted
Hi Shawn,

Can you please PM me with your case Id, so that I can make sure it is being handled by our support experts?

Thanks,
Danny.
Highlighted

@Danny Kadyshevitch Was this resolved? I am having the same problem. My log collector is receiving ftp log files from my Palo Alto NGFW but not sending them to MCAS.

Highlighted

@tgreed99 

 

Here is the configuration I used to get around this mess.  1025 corresponds to the internal docker port, and 601/tcp is the host's ports.

 

docker run
--name ACMEASALogCollector
-p 1025:601/tcp  <----
-p 21:21

-p 20000-20099:20000-20099Capture.PNG

Highlighted

@Shawn May  Thanks Shawn, I changed from FTP to SYSLOG and this worked.

I have another problem now. There is no data showing in the continuous report for this log collector. Is there something else I need to do? I am using a traffic syslog from a Palo Alto firewall. Tried the URL log also but same result.

 

Thank you.