This article covers how to configure Cisco ASA to forward events.
Configuring Cisco ASA to forward events
To configure Cisco ASA to forward syslog events, some manual configuration is required.
Steps for CLI:
- Log in to the Cisco ASA device over SSH (port 22), for example with PuTTY.
- Type the following command to access privileged EXEC mode:
enable
- Type the following command to access global configuration mode:
conf t
- Enable logging:
logging enable
- Configure the logging details:
logging console Informational
logging trap Informational
logging asdm Informational
set port 11522
- Type the following command to send logs to Chronicle:
logging host <interface> <IP address>
Where:
<interface> is the name of the Cisco Adaptive Security Appliance interface.
<IP address> is the Forwarder IP address.
Note: The show interface command lists all available interfaces on your Cisco device.
- Disable the output object name option to ensure that the logs use IP addresses, not object names.
no names
- Exit the configuration:
exit
- Save the changes:
write mem
- Once the configuration is complete, validate that the logs are arriving in Chronicle by searching with a regular expression such as ".*" or with a specific hostname; the search lists the log source types that are being ingested into Chronicle. See the screenshot for reference.
Sample Logs
The following is a sample of the logs that Cisco ASA sends to Chronicle.
<166>Jul 06 2023 06:17:59: %ASA-6-302014: Teardown TCP connection 9447720 for outside:192.168.1.1/443 to inside:192.168.1.2/50103 duration 0:00:02 bytes 11363 TCP FINs
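As an added example (not part of this article or of Cisco's documentation), a small Python parser for the ASA syslog format shown above: it splits the PRI value into facility and severity, extracts the %ASA message id, and pulls the connection fields out of a 302014 teardown message. This is handy for checking that what reaches the forwarder is well formed and that the severity matches the trap level configured above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the article's sample log, on one line.
SAMPLE = ("<166>Jul 06 2023 06:17:59: %ASA-6-302014: Teardown TCP connection 9447720 for "
          "outside:192.168.1.1/443 to inside:192.168.1.2/50103 duration 0:00:02 bytes 11363 TCP FINs")

# Syslog severity names, indexed by the numeric level (0 = emergencies ... 7 = debugging).
SEVERITIES = ["emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"]

# <PRI>, optional ASA timestamp, then the %ASA-<severity>-<msgid>: tag and the message body.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")

# Body of a 302014 (TCP connection teardown) message, as in the sample above.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$")

@dataclass
class AsaEvent:
    facility: int            # PRI // 8 (20 = local4 in the sample)
    severity: int            # PRI % 8, 0-7
    severity_name: str
    timestamp: Optional[str]
    msgid: str
    body: str
    fields: dict             # parsed body fields, when the message id is known

def parse_asa_syslog(line: str) -> Optional[AsaEvent]:
    """Parse one ASA syslog line; return None if it does not have the expected shape."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    facility, pri_sev = divmod(int(m.group("pri")), 8)
    sev = int(m.group("sev"))
    fields = {}
    if m.group("msgid") == "302014":
        t = TEARDOWN_RE.match(m.group("body"))
        if t:
            fields = t.groupdict()
    # The PRI severity and the %ASA-<sev> tag should agree; a mismatch points at a relay rewriting PRI.
    fields["pri_severity_matches_tag"] = (pri_sev == sev)
    return AsaEvent(facility, sev, SEVERITIES[sev], m.group("ts"),
                    m.group("msgid"), m.group("body"), fields)
```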