Apr 22 2020 03:54 PM
I have a Cisco ASA successfully sending the logs to rsyslog via UDP 514 on an Ubuntu 18.04 server. The logs are successfully processed by the OMSAgent and sent to Sentinel as syslogs, but are not parsed as Cisco ASA logs. The Cisco ASA connector shows as unconnected. The syslog connector shows as connected. The test script successfully forwards the mock CEF packets to Sentinel. Yet none of my ASA logs are seen as "ASA".
omsagent.log
2020-04-23 10:42:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:42:54.311Z
2020-04-23 10:43:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:43:54.312Z
2020-04-23 10:44:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:44:54.312Z
2020-04-23 10:45:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:45:54.313Z
2020-04-23 10:46:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:46:54.313Z
2020-04-23 10:47:07 +1200 [info]: OMS agent management service telemetry request success
2020-04-23 10:47:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:47:54.314Z
2020-04-23 10:48:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:48:54.314Z
2020-04-23 10:49:03 +1200 [warn]: Exceeded max attempts to fetch Azure Resource ID, killing the thread
2020-04-23 10:49:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:49:54.315Z
security-config-omsagent.conf
#OMS_facility = local4
local4.debug @127.0.0.1:25226
#:rawmsg, regex, "CEF\|ASA" ~
#*.* @@127.0.0.1:25226
(I've tried it also with the #ed out config)
security_events.conf
<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>
<filter oms.security.**>
type filter_syslog_security
</filter>
Any suggestions would be most welcome.
Apr 23 2020 08:55 AM
@AppropriateTangerine I've got the connector working, but the logs are not parsed correctly so they are useless once in Sentinel. I have an open support ticket regarding that.
security-config-omsagent.conf
:rawmsg, regex, "CEF\|ASA" ~
local4.debug @@127.0.0.1:25226
security_events.conf
<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>
Apr 26 2020 07:12 AM
See my reply to a post about the Cisco ASA workbook: https://techcommunity.microsoft.com/t5/azure-sentinel/cisco-asa-integration/m-p/1295542.
I will probably write a detailed article on this subject and post it here; the only challenge is that I don't have access to a "real" Cisco ASA, just a small one in our lab. As I mentioned in the other post, the ASA logs are not easy to deal with and the log format is very inconsistent, hence the limitations on the Sentinel parser (so your connector is probably configured properly, but there is only so much that it can do).
Adrian Grigorof
Jul 22 2020 03:28 AM
Any further updates on this? I am facing the same problem.
Jul 22 2020 06:15 AM - edited Jul 22 2020 06:18 AM
I got it working, but the Sentinel parser parses only main ASA messages, specifically Connection logs. There is also a glitch in parsing connection logs, where UserID isn't extracted by the parser.
You need to disable logging timestamp at the ASA. And you should find the logs mapped to the CEF table; if you don't find the logs there but you find them in the Syslog table, there must be an issue in the local log forwarding from the syslog daemon to the correct Fluentd plugin within the OMSAgent, which needs more focused troubleshooting.
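As an added example (not code from any of the posts or from the OMSAgent project), the following Ruby script runs the security_events.conf `format` regex quoted above against constructed ASA lines, showing why the advice to disable the ASA's own timestamp matters: with the extra timestamp inside the payload the unanchored regex still matches, but the host capture is lost. Stripping the `<PRI>` prefix mirrors what the in_syslog input does before handing the text to the parser; the sample lines, hostname and addresses are constructed.

```ruby
# Added example (not from the thread): apply the security_events.conf `format`
# regex to constructed ASA lines and show what the Fluentd regexp parser captures.
# in_syslog removes the leading <PRI> itself and parses the remainder; PRI_RE
# models that step.
PRI_RE = /\A<(\d+)>(.*)\z/m

# The format line from security_events.conf, verbatim, as a Ruby Regexp.
ASA_FORMAT = /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/

# Returns the named captures as a Hash (nil for groups that did not take part),
# or nil when the line matches nothing and the parser would drop it.
def parse_security_line(raw)
  m = PRI_RE.match(raw)
  text = m ? m[2] : raw          # no <PRI>: parse the whole line
  md = ASA_FORMAT.match(text)
  return nil unless md
  { "time" => md[:time], "host" => md[:host],
    "ident" => md[:ident], "message" => md[:message] }
end

# Constructed sample lines, shaped like what rsyslog forwards to 127.0.0.1:25226.
SAMPLES = {
  # ASA with `logging timestamp` disabled: one syslog header, then the %ASA tag.
  plain: "<166>Apr 23 10:42:54 asa-fw %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.25/51234 (192.0.2.25/51234)",
  # ASA with `logging timestamp` enabled: the ASA's own timestamp sits inside the
  # payload ahead of the %ASA tag. The regex is not anchored, so the match slides
  # to that second timestamp and `host` comes back nil.
  stamped: "<166>Apr 23 10:42:54 asa-fw Apr 23 2020 10:42:54: %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.25/51234 (192.0.2.25/51234)",
  # CEF-formatted line, which takes the `.*CEF.+?(?=0\|)` branch of `ident`.
  cef: "<166>Apr 23 10:42:54 asa-fw CEF:0|Cisco|ASA|9.1|302013|Built outbound TCP connection|3|src=192.0.2.25 dst=203.0.113.10",
}

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |name, line|
    puts "#{name}: #{parse_security_line(line).inspect}"
  end
end
```

A line with neither `CEF` nor a `%ASA-` tag (an ordinary daemon message) returns nil, which is what the `:rawmsg, regex, "CEF\|ASA" ~` rsyslog filter in the second post is meant to discard before it reaches port 25226.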