Has anyone successfully got a Cisco ASA data connector working?

%3CLINGO-SUB%20id%3D%22lingo-sub-1330593%22%20slang%3D%22en-US%22%3EHas%20anyone%20successfully%20got%20a%20Cisco%20ASA%20data%20connector%20working%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1330593%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20Cisco%20ASA%20successfully%20sending%20the%20logs%20to%20rsyslog%20via%20UDP%20514%20on%20an%20Ubuntu%2018.04%20server.%20The%20logs%20are%20successfully%20processed%20by%20the%20OMSAgent%20and%20sent%20to%20sentinal%20as%20syslogs%20and%20are%20not%20parsed%20as%20Cisco%20ASA%20logs.%20The%20Cisco%20ASA%20connector%20shows%20as%20unconnected.%20The%20syslog%20connector%20shows%20as%20connected.%20The%20test%20script%20successfully%20forwards%20the%20mock%20CEF%20packets%20to%20Sentinel.%20Yet%20none%20of%20my%20ASA%20logs%20are%20seen%20as%20%22ASA%22%3C%2FP%3E%3CP%3Eomsagent.log%3C%2FP%3E%3CP%3E2020-04-23%2010%3A42%3A54%20%2B1200%20%5Binfo%5D%3A%20Sending%20OMS%20Heartbeat%20succeeded%20at%202020-04-22T22%3A42%3A54.311Z%3CBR%20%2F%3E2020-04-23%2010%3A43%3A54%20%2B1200%20%5Binfo%5D%3A%20Sending%20OMS%20Heartbeat%20succeeded%20at%202020-04-22T22%3A43%3A54.312Z%3CBR%20%2F%3E2020-04-23%2010%3A44%3A54%20%2B1200%20%5Binfo%5D%3A%20Sending%20OMS%20Heartbeat%20succeeded%20at%202020-04-22T22%3A44%3A54.312Z%3CBR%20%2F%3E2020-04-23%2010%3A45%3A54%20%2B1200%20%5Binfo%5D%3A%20Sending%20OMS%20Heartbeat%20succeeded%20at%202020-04-22T22%3A45%3A54.313Z%3CBR%20%2F%3E2020-04-23%2010%3A46%3A54%20%2B1200%20%5Binfo%5D%3A%20Sending%20OMS%20Heartbeat%20succeeded%20at%202020-04-22T22%3A46%3A54.313Z%3CBR%20%2F%3E2020-04-23%2010%3A47%3A07%20%2B1200%20%5Binfo%5D%3A%20OMS%20agent%20management%20service%20telemetry%20request%20success%3CBR%20%2F%3E2020-04-23%2010%3A47%3A54%20%2B1200%20%5Binfo%5D%3A%20Sending%20OMS%20Heartbeat%20succeeded%20at%202020-04-22T22%3A47%3A54.314Z%3CBR%20%2F%3E2020-04-23%2010%3A48%3A54%20%2B1200%20%5Binfo%5D%3A%20Sending%20OMS%20Heartbeat%20succeeded%20at%202020-04-22T22%3A48%3A54.314Z%3CBR%20%2F%3E2020-04-23%2010%3A49%3A03%20%2B1200%20%5Bwarn%5D%3A%20Exceeded%20max%20attempts%20to%20fetch%20Azure%20Resource%20ID%2C%20killing%20the%20thread%3CBR%20%2F%3E2020-04-23%2010%3A49%3A54%20%2B1200%20%5Binfo%5D%3A%20Sending%20OMS%20Heartbeat%20succeeded%20at%202020-04-22T22%3A49%3A54.315Z%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esecurity-config-omsagent.conf%3C%2FP%3E%3CP%3E%23OMS_facility%20%3D%20local4%3CBR%20%2F%3Elocal4.debug%20%40127.0.0.1%3A25226%3C%2FP%3E%3CP%3E%23%3Arawmsg%2C%20regex%2C%20%22CEF%5C%7CASA%22%20~%3CBR%20%2F%3E%23*.*%20%40%40127.0.0.1%3A25226%3C%2FP%3E%3CP%3E(I've%20tried%20it%20also%20with%20the%20%23ed%20out%20config)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esecurity_events.conf%3C%2FP%3E%3CP%3E%3CSOURCE%3E%3CBR%20%2F%3Etype%20syslog%3CBR%20%2F%3Eport%2025226%3CBR%20%2F%3Ebind%20127.0.0.1%3CBR%20%2F%3Eprotocol_type%20tcp%3CBR%20%2F%3Etag%20oms.security%3CBR%20%2F%3Eformat%20%2F(%3F%3CTIME%3E(%3F%3A%5Cw%2B%20%2B)%7B2%2C3%7D(%3F%3A%5Cd%2B%3A)%7B2%7D%5Cd%2B%7C%5Cd%7B4%7D-%5Cd%7B2%7D-%5Cd%7B2%7DT%5Cd%7B2%7D%3A%5Cd%7B2%7D%3A%5Cd%7B2%7D.%5B%5Cw%5C-%5C%3A%5C%2B%5D%7B3%2C12%7D)%3A%3F%5Cs*(%3F%3A(%3F%3CHOST%3E%5B%5E%3A%20%5D%2B)%20%3F%3A%3F)%3F%5Cs*(%3F%3CIDENT%3E.*CEF.%2B%3F(%3F%3D0%5C%7C)%7C%25ASA%5B0-9%5C-%5D%7B8%2C10%7D)%5Cs*%3A%3F(%3F%3CMESSAGE%3E0%5C%7C.*%7C.*)%2F%3CBR%20%2F%3E%3CPARSE%3E%3CBR%20%2F%3Emessage_format%20auto%3CBR%20%2F%3E%3C%2FPARSE%3E%3CBR%20%2F%3E%3C%2FMESSAGE%3E%3C%2FIDENT%3E%3C%2FHOST%3E%3C%2FTIME%3E%3C%2FSOURCE%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CFILTER%20oms.security.%3D%22%22%3E%3CBR%20%2F%3Etype%20filter_syslog_security%3CBR%20%2F%3E%3C%2FFILTER%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20suggestions%20would%20be%20most%20welcome.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1332688%22%20slang%3D%22en-US%22%3ERe%3A%20Has%20anyone%20successfully%20got%20a%20Cisco%20ASA%20data%20connector%20working%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1332688%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F631637%22%20target%3D%22_blank%22%3E%40AppropriateTangerine%3C%2FA%3E%26nbsp%3BI've%20got%20the%20connector%20working%2C%20but%20the%20logs%20are%20not%20parsed%20correctly%20so%20they%20are%20useless%20once%20in%20Sentinel.%20I%20have%20an%20open%20support%20ticket%20regarding%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esecurity-config-omsagent.conf%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-python%22%3E%3CCODE%3E%3Arawmsg%2C%20regex%2C%20%22CEF%5C%7CASA%22%20~%0Alocal4.debug%20%40%40127.0.0.1%3A25226%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3Bsecurity_events.conf%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-python%22%3E%3CCODE%3E%3CSOURCE%3E%0A%20%20type%20syslog%0A%20%20port%2025226%0A%20%20bind%20127.0.0.1%0A%20%20protocol_type%20tcp%0A%20%20tag%20oms.security%0A%20%20format%20%2F(%3F%3CTIME%3E(%3F%3A%5Cw%2B%20%2B)%7B2%2C3%7D(%3F%3A%5Cd%2B%3A)%7B2%7D%5Cd%2B%7C%5Cd%7B4%7D-%5Cd%7B2%7D-%5Cd%7B2%7DT%5Cd%7B2%7D%3A%5Cd%7B2%7D%3A%5Cd%7B2%7D.%5B%5Cw%5C-%5C%3A%5C%2B%5D%7B3%2C12%7D)%3A%3F%5Cs*(%3F%3A(%3F%3CHOST%3E%5B%5E%3A%20%5D%2B)%20%3F%3A%3F)%3F%5Cs*(%3F%3CIDENT%3E.*CEF.%2B%3F(%3F%3D0%5C%7C)%7C%25ASA%5B0-9%5C-%5D%7B8%2C10%7D)%5Cs*%3A%3F(%3F%3CMESSAGE%3E0%5C%7C.*%7C.*)%2F%0A%20%20%3CPARSE%3E%0A%20%20%20%20%20message_format%20auto%0A%20%20%3C%2FPARSE%3E%0A%3C%2FMESSAGE%3E%3C%2FIDENT%3E%3C%2FHOST%3E%3C%2FTIME%3E%3C%2FSOURCE%3E%3C%2FCODE%3E%3C%2FPRE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1338693%22%20slang%3D%22en-US%22%3ERe%3A%20Has%20anyone%20successfully%20got%20a%20Cisco%20ASA%20data%20connector%20working%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1338693%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F631637%22%20target%3D%22_blank%22%3E%40AppropriateTangerine%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESee%20my%20reply%20to%20a%20post%20about%20the%20Cisco%20ASA%20workbook%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fcisco-asa-integration%2Fm-p%2F1295542%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fcisco-asa-integration%2Fm-p%2F1295542%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20will%20probably%20write%20a%20detailed%20article%20on%20this%20subject%20and%20post%20it%20here%2C%20the%20only%20challenge%20is%20that%20I%20don't%20have%20access%20%22real%22%20Cisco%20ASA%2C%20just%20a%20small%20one%20in%20our%20lab.%20As%20I%20mentioned%20in%20the%20other%20post%2C%20the%20ASA%20logs%20are%20not%20easy%20to%20deal%20with%20and%20the%20log%20format%20is%20very%20inconsistent%20hence%20the%20limitations%20on%20the%20Sentinel%20parser%20(so%20your%20connector%20is%20probably%20configured%20properly%20but%20there%20is%20only%20that%20much%20that%20it%20can%20do).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdrian%20Grigorof%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.managedsentinel.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ewww.managedsentinel.com%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1538031%22%20slang%3D%22en-US%22%3ERe%3A%20Has%20anyone%20successfully%20got%20a%20Cisco%20ASA%20data%20connector%20working%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1538031%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F353788%22%20target%3D%22_blank%22%3E%40AdiGrio%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20further%20updates%20on%20the%20same%2C%20even%20am%20facing%20the%20same%20problem.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1538271%22%20slang%3D%22en-US%22%3ERe%3A%20Has%20anyone%20successfully%20got%20a%20Cisco%20ASA%20data%20connector%20working%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1538271%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F631637%22%20target%3D%22_blank%22%3E%40AppropriateTangerine%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20got%20it%20working%2C%20but%20Sentinel%20parser%20parses%20only%20main%20ASA%20messages%2C%20specifically%20Connection%20logs.%20There%20is%20also%20glitch%20in%20parsing%20connection%20logs%2C%20where%20UserID%20isn't%20extracted%20by%20the%20parser.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20need%20to%20disable%20logging%20timestamp%20at%20the%20ASA.%20And%20you%20should%20find%20the%20logs%20mapped%20to%20the%20CEF%20table%2C%20if%20you%20don't%20find%20the%20logs%20there%20but%20you%20find%20them%20in%20Syslog%20table%2C%20there%20must%20be%20an%20issue%20in%20the%20local%20log%20forwarding%20from%20syslog%20daemon%20to%20the%20correct%20Fluentd%20plugin%20within%20the%20OMSAgent%2C%20needs%20more%20focused%20troubleshooting.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

I have a Cisco ASA successfully sending the logs to rsyslog via UDP 514 on an Ubuntu 18.04 server. The logs are successfully processed by the OMSAgent and sent to sentinal as syslogs and are not parsed as Cisco ASA logs. The Cisco ASA connector shows as unconnected. The syslog connector shows as connected. The test script successfully forwards the mock CEF packets to Sentinel. Yet none of my ASA logs are seen as "ASA"

omsagent.log

2020-04-23 10:42:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:42:54.311Z
2020-04-23 10:43:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:43:54.312Z
2020-04-23 10:44:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:44:54.312Z
2020-04-23 10:45:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:45:54.313Z
2020-04-23 10:46:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:46:54.313Z
2020-04-23 10:47:07 +1200 [info]: OMS agent management service telemetry request success
2020-04-23 10:47:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:47:54.314Z
2020-04-23 10:48:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:48:54.314Z
2020-04-23 10:49:03 +1200 [warn]: Exceeded max attempts to fetch Azure Resource ID, killing the thread
2020-04-23 10:49:54 +1200 [info]: Sending OMS Heartbeat succeeded at 2020-04-22T22:49:54.315Z

 

security-config-omsagent.conf

#OMS_facility = local4
local4.debug @127.0.0.1:25226

#:rawmsg, regex, "CEF\|ASA" ~
#*.* @@127.0.0.1:25226

(I've tried it also with the #ed out config)

 

security_events.conf

<source>
type syslog
port 25226
bind 127.0.0.1
protocol_type tcp
tag oms.security
format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
<parse>
message_format auto
</parse>
</source>


<filter oms.security.**>
type filter_syslog_security
</filter>

 

Any suggestions would be most welcome.

4 Replies

@AppropriateTangerine I've got the connector working, but the logs are not parsed correctly so they are useless once in Sentinel. I have an open support ticket regarding that.

 

security-config-omsagent.conf

:rawmsg, regex, "CEF\|ASA" ~
local4.debug @@127.0.0.1:25226

 security_events.conf

<source>
  type syslog
  port 25226
  bind 127.0.0.1
  protocol_type tcp
  tag oms.security
  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  <parse>
     message_format auto
  </parse>
</source>

@AppropriateTangerine 

 

See my reply to a post about the Cisco ASA workbook: https://techcommunity.microsoft.com/t5/azure-sentinel/cisco-asa-integration/m-p/1295542.

 

I will probably write a detailed article on this subject and post it here, the only challenge is that I don't have access "real" Cisco ASA, just a small one in our lab. As I mentioned in the other post, the ASA logs are not easy to deal with and the log format is very inconsistent hence the limitations on the Sentinel parser (so your connector is probably configured properly but there is only that much that it can do).

 

Adrian Grigorof

www.managedsentinel.com

@AdiGrio 

Any further updates on the same, even am facing the same problem.

@AppropriateTangerine 

 

I got it working, but Sentinel parser parses only main ASA messages, specifically Connection logs. There is also glitch in parsing connection logs, where UserID isn't extracted by the parser.

 

You need to disable logging timestamp at the ASA. And you should find the logs mapped to the CEF table, if you don't find the logs there but you find them in Syslog table, there must be an issue in the local log forwarding from syslog daemon to the correct Fluentd plugin within the OMSAgent, needs more focused troubleshooting.