Jun 16 2020 03:59 AM
We are trying to collect "CEF" logs from Cisco IronPort using Azure Sentinel.
Syslog forwarder is configured on RHEL machine.
We do get data for "syslog".
However, nothing appears under "CommonSecurityLog". We can see the following error messages:
Could not locate "CEF" message in tcpdump
Fetching CEF messages from daemon files.
tac: failed to open ‘/var/log/syslog’ for reading: No such file or directory
Located 0
CEF\ASA messages
Validating the CEF\ASA logs are received and are in the correct format when received by syslog daemon
sudo tac /var/log/syslog
tac: failed to open ‘/var/log/syslog’ for reading: No such file or directory
Located 0
CEF\ASA messages
Error: no CEF messages received by the daemon.
sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
2020-06-16T10:01:10.065437Z INFO ExtHandler ExtHandler [HEARTBEAT] Agent WALinuxAgent-2.2.48.1 is running as the goal state agent
Could not locate "CEF" message in tcpdump
Simulating mock data which you can find in your workspace
This will take 60 seconds.
sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Could not locate "CEF" message in tcpdump
Completed troubleshooting.
sudo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
Jun 17 2020 11:40 PM
@Consultant1520 as far as I know IronPort does not support CEF, only Syslog, so this is to be expected. The list in Azure Sentinel: Syslog, CEF, Logstash and other 3rd party connectors grand list indicates if a source supports CEF or Syslog.
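The distinction drawn above (a source that emits CEF versus one that emits plain syslog) is what decides whether a line lands in CommonSecurityLog or only in Syslog. The following Python script is an added example, not code from the thread, from Azure Sentinel or from Cisco: it runs over constructed sample lines (one ASA-style CEF record, one CEF record with escaped characters, and one IronPort-style mail_logs line whose format is only approximated) and applies the same check the troubleshooting output above performs, looking for a "CEF:" header with its seven pipe-delimited fields. Lines without that header are exactly the ones the connector counts as "Located 0 CEF messages", even though the syslog daemon received them.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not taken from the thread). The first two carry the
# CEF framing the connector's troubleshooting script searches for; the third is
# an approximation of a plain-syslog mail log line, which carries no CEF header.
SAMPLE_LINES = [
    "<134>Jun 16 10:01:10 fw01 CEF:0|Cisco|ASA|9.1|106023|Deny tcp src outside|6|"
    "src=10.1.1.5 dst=10.2.2.8 spt=51515 dpt=445 proto=TCP act=deny",
    "<134>Jun 16 10:01:12 fw01 CEF:0|Vendor|Prod|1.0|100|Name with \\| pipe|3|"
    "msg=a\\=b rt=1592301672000",
    "<22>Jun 16 10:01:11 ironport01 mail_logs: Info: MID 12345 ICID 678 From: <sender@example.com>",
]

# The seven CEF header fields that precede the key=value extension block.
HEADER_FIELDS = ["Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "SignatureID", "Name", "Severity"]

# A pipe that is not preceded by a backslash separates header fields.
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# key=value pairs; a value runs until the next " key=" or end of line,
# so values containing spaces or escaped "\=" survive intact.
EXT_PAIR = re.compile(r"([A-Za-z0-9_.]+)=(.*?)(?=\s+[A-Za-z0-9_.]+=|$)")


def _unescape_header(value: str) -> str:
    # In header fields CEF escapes "|" and "\" with a backslash.
    return value.replace("\\|", "|").replace("\\\\", "\\")


def _unescape_ext(value: str) -> str:
    # In the extension block CEF escapes "=" and "\" with a backslash.
    return value.replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed CEF record, or None if the line is not CEF.

    The syslog prefix (PRI, timestamp, host) before "CEF:" is kept separately,
    because CEF records normally arrive wrapped in a syslog envelope.
    """
    start = line.find("CEF:")
    if start < 0:
        return None
    body = line[start + len("CEF:"):]
    parts = UNESCAPED_PIPE.split(body, maxsplit=7)
    # A valid record has exactly seven header fields plus the extension block,
    # and the version field is numeric; anything else is a truncated record.
    if len(parts) != 8 or not parts[0].isdigit():
        return None
    record: Dict[str, object] = {
        name: _unescape_header(raw) for name, raw in zip(HEADER_FIELDS, parts[:7])
    }
    record["Extensions"] = {
        key: _unescape_ext(val) for key, val in EXT_PAIR.findall(parts[7])
    }
    record["SyslogPrefix"] = line[:start].rstrip()
    return record


def classify(lines: List[str]) -> Dict[str, int]:
    """Count lines that would reach CommonSecurityLog (CEF) versus Syslog only."""
    counts = {"cef": 0, "syslog_only": 0}
    for line in lines:
        counts["cef" if parse_cef(line) is not None else "syslog_only"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_cef(line)
        if rec is None:
            print("syslog only :", line[:60])
        else:
            print("CEF record  :", rec["DeviceVendor"], rec["DeviceProduct"],
                  rec["SignatureID"], rec["Extensions"])
    print(classify(SAMPLE_LINES))
```

Run against a real capture, feed it the lines from the daemon's log file (on RHEL that is /var/log/messages by default rather than the /var/log/syslog path the troubleshooting output above tried to read) and a result of zero "cef" lines means the source is speaking plain syslog, which matches the explanation given for IronPort.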
Jun 17 2020 11:55 PM
Thanks for the reply Ofer.
I am not much of a Linux expert. I am a bit confused about this statement.
Jun 18 2020 12:13 AM
@Consultant1520: Cisco IronPort and Cisco ASA are unrelated products and behave differently. My answer, and I believe your original question, was about IronPort.
Jun 18 2020 12:16 AM
Thanks. I was under the impression that IronPort is a kind of Cisco ASA.
We actually got the syslog for facility and auth.
Aug 16 2021 04:32 AM