| Insert excerpt |
|---|
| ESLP:Permissions for Log Relay and Remote Log Collection (snippet) |
|---|
| ESLP:Permissions for Log Relay and Remote Log Collection (snippet) |
|---|
| nopanel | true |
|---|
|
You can use this document to send Cisco Adaptive Secure Appliance (ASA) logs to Armor's Security Information & Event Management (SIEM). This document only applies to: - Cisco Adaptive Secure Appliance (ASA) 8.X
- Cisco Adaptive Secure Appliance (ASA) 9.X
Pre-Deployment Considerations
To create a remote Log Relay, you must already have: - A Log Relay server on your account
- Configured the system clock
Update your Cisco ASA device
- Log into your Cisco ASA device.
Access the privileged EXEC mode: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| hostname> enable |
Access the global configuration mode: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| hostname# configure terminal |
Enable logging: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| hostname(config)# logging enable |
Configure the global logging settings: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| hostname(config)# logging timestamp
hostname(config)# logging trap warning
hostname(config)# logging asdm warning
hostname(config)# logging device-id hostname |
Configure logs to be sent to a designated Armor Log Relay device: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| hostname(config)# logging host <interface> <ipaddress> <protocol/port> |
| Note |
|---|
- In <interface>, enter the name of the Cisco Adaptive Security Appliance (ASA) interface.
- In <ipaddress>, enter the IP address of the corresponding Armor Log Relay device.
- To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.
- In <protocol/port>:
- For UDP, enter udp/10041.
- Armor recommends that you use UDP.
- For TCP, enter tcp/10041.
If you use TCP, then the ASA can determine the availability of the status of the syslog server. If the ASA cannot establish a connection to the syslog server to log activity, then by default, the ASA will not allow new connections for transit traffic. Use the following command to allow transit traffic, | Code Block |
|---|
| hostname(config)# logging permit-hostdown |
|
To ensure that the log messages use the IP address and not the object names, disable the output object name option: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| hostname(config)# no names
|
Exit the configuration: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| hostname(config)# exit |
Save the changes: | Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| hostname# write memory |
Review the logging configuration:
| Code Block |
|---|
| language | bash |
|---|
| theme | Midnight |
|---|
| hostname# show run all logging
logging enable
logging timestamp
logging hide username
logging buffer-size 4096
logging asdm-buffer-size 100
logging buffered warnings
logging trap warnings
logging asdm warnings
logging device-id hostname
logging host inside 100.64.0.10 17/5140
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024 |
| Note |
|---|
If present, logging standby enables logging on a standby unit with failover enabled. As a result, this option causes increases traffic on the syslog server. |
| Info |
|---|
TroubleshootingVerify that logs are formatted correctly, similar to the following example: | Code Block |
|---|
| language | text |
|---|
| theme | Midnight |
|---|
| May 22 2019 16:11:55 asav-984 : %ASA-4-411004: Interface Management0/0, changed state to administratively down |
|
Was this helpful?
|