How does CEF know where to look on Syslog server for logs. Documentation unclear.

Copper Contributor

Hi,

 

I'm trying to get ASA data in to Sentinel and can't figure out how the Syslog agent is supposed to know where to look for our ASA logs. The documentation labels these 4 steps; Select or create a Linux machine/ Install the CEF collector on the Linux machine(done), Forward Cisco ASA logs to Syslog agent(done), Validate connection(done), Secure Machine(done). 

 

And simply just says to search CommonSecurityLog after this which returns 0 results. But how is the agent supposed to know where we stored the ASA logs. I've completed all steps, so I don't know where to turn to. I appreciate any time or help on this issue.

 

thank you!

4 Replies

The VM you configured basically just acts as a relay for sending events from your ASA into Sentinel.

 

From my understanding on how this works on the Syslog server. Once you enable the connectors, it enables regex parameters on the collector to parse the data.

 

When you run the validation script you should see syslog message being logged while it runs. If you don't see this than there is an issue somewhere with your configuration.

 

@Christian_Lozach 

 

You need to configure your ASA firewalls to send the syslog data to the Sentinel syslog collector. Ensure that the Sentinel syslog collector has the CEF log collection configured properly (run the test script from the CEF data connector page and make sure there are no errors). By default, the Sentinel collector will only get the logs sent to facility local4. Verify if your ASAs are using local4 as facility (by default they do). 

 

For additional details, check the Cisco ASA instructions here: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-syslog-cef-logstash-and-other-3...

 

Adrian Grigorof

www.managedsentinel.com

@AdiGrio Any ideas on what I can check to see why my FTD platform logs are not showing up in the CommonSecurityLog in Sentinel but my FMC connection events are? I do see my FTD logs on my e-streamer server in /var/log/syslogs but they don't show in Sentinel. I am assuming the reason is b/c they are not in CEF format? I referenced the link you provided and couldn't find any reason for not seeing the FTD logs. Thanks.