{"type":"doc","content":[{"type":"paragraph"},{"type":"heading","attrs":{"level":4},"content":[{"text":"Topics Discussed","type":"text"}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"maxLevel":{"value":"3"},"minLevel":{"value":"3"}},"macroMetadata":{"macroId":{"value":"24cc2a57-9a9b-4b73-87ed-f716f7662a37"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"97e1948e-2b9d-4646-9f11-f84905161d3b"}},{"type":"paragraph"},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"excerpt-include","parameters":{"macroParams":{"":{"value":"Obtain Log Relay for Remote Log Collection"},"name":{"value":"Remote Log Collection Permissions"},"nopanel":{"value":"true"}},"macroMetadata":{"macroId":{"value":"ea9ddd88-b1ee-47f6-8148-1058659a8c72"},"schemaVersion":{"value":"1"},"title":"Insert excerpt"}},"localId":"0e023b74-6625-4f44-818c-ac56ea93efa2"}}]},{"type":"paragraph","content":[{"text":"You can use this document to send ","type":"text"},{"text":"Cisco Adaptive Secure Appliance (ASA) logs to Armor's Security Information & Event Management (SIEM).","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]}]},{"type":"paragraph","content":[{"text":"This document only applies to:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Cisco Adaptive Secure Appliance (ASA) 8.X","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Cisco Adaptive Secure Appliance (ASA) 9.X","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"hardBreak"},{"text":"Pre-Deployment Considerations","type":"text"}]},{"type":"rule"},{"type":"paragraph","content":[{"text":"To create a remote Log Relay, you must already have:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A Log Relay server on your account","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To learn how to add Log Relay to your account, see ","type":"text"},{"text":"Obtain Log Relay for Remote Log Collection","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/KB/pages/3519581253"}}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configured the system clock","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"type":"hardBreak"},{"text":"Update your Cisco ","type":"text"},{"text":"ASA ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]},{"text":"device","type":"text"}]},{"type":"rule"},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Log into your Cisco ASA device.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Access the privileged EXEC mode:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname> enable","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Access the global configuration mode:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname# configure terminal","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Enable logging:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname(config)# logging enable","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure the global logging settings:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname(config)# logging timestamp\nhostname(config)# logging trap warning\nhostname(config)# logging asdm warning\nhostname(config)# logging device-id hostname","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure logs to be sent to a designated Armor Log Relay device:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname(config)# logging host ","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"__confluenceADFMigrationUnsupportedContentInternalExtension__","text":"","parameters":{"cxhtml":"

In <interface>, enter the name of the Cisco Adaptive Security Appliance (ASA) interface.
In <ipaddress>, enter the IP address of the corresponding Armor Log Relay device.
- To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.
In <protocol/port>:
- For UDP, enter udp/10041.
  - Armor recommends that you use UDP.
- For TCP, enter tcp/10041.
  - If you use TCP, then the ASA can determine the availability of the status of the syslog server. If the ASA cannot establish a connection to the syslog server to log activity, then by default, the ASA will not allow new connections for transit traffic. Use the following command to allow transit traffic,
    Midnight

","block-inline":true,"nestedContent":{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"","type":"text","marks":[{"type":"strong"}]},{"text":", enter the name of the Cisco Adaptive Security Appliance (ASA) interface.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"","type":"text","marks":[{"type":"strong"}]},{"text":", enter the IP address of the corresponding ","type":"text"},{"text":"Armor Log Relay device","type":"text"},{"text":".","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To locate your IP address in AMP, in the left-side navigation, click ","type":"text"},{"text":"Infrastructure","type":"text","marks":[{"type":"strong"}]},{"text":", click ","type":"text"},{"text":"Virtual Machines","type":"text","marks":[{"type":"strong"}]},{"text":", and then review the","type":"text"},{"text":" Primary IP ","type":"text","marks":[{"type":"strong"}]},{"text":"column for the corresponding virtual machine.","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In ","type":"text"},{"text":"","type":"text","marks":[{"type":"strong"}]},{"text":":","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For UDP, enter ","type":"text"},{"text":"udp/10041","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Armor recommends that you use UDP.","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"For TCP, enter ","type":"text"},{"text":"tcp/10041","type":"text","marks":[{"type":"strong"}]},{"text":".","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If you use TCP, then the ASA can determine the availability of the status of the syslog server. If the ASA cannot establish a connection to the syslog server to log activity, then by default, the ASA will not allow new connections for transit traffic. Use the following command to allow transit traffic,","type":"text"}]},{"type":"codeBlock","content":[{"text":"hostname(config)# logging permit-hostdown","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}]}]}]}]}]}]}]}],"version":1},"reason":"A note macro in a list item can't be created or edited in the new editor."}}}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"To ensure that the log messages use the IP address and not the object names, disable the output object name option:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname(config)# no names\n","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Exit the configuration:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname(config)# exit","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Save the changes:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname# write memory","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Review the logging configuration:","type":"text"},{"type":"hardBreak"}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"hostname# show run all logging\nlogging enable\nlogging timestamp\nlogging hide username\nlogging buffer-size 4096\nlogging asdm-buffer-size 100\nlogging buffered warnings\nlogging trap warnings\nlogging asdm warnings\nlogging device-id hostname\nlogging host inside 100.64.0.10 17/5140\nlogging flash-minimum-free 3076\nlogging flash-maximum-allocation 1024","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"__confluenceADFMigrationUnsupportedContentInternalExtension__","text":"","parameters":{"cxhtml":"

If present, logging standby enables logging on a standby unit with failover enabled. As a result, this option causes increases traffic on the syslog server.

","block-inline":true,"nestedContent":{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"If present, ","type":"text"},{"text":"logging standby","type":"text","marks":[{"type":"strong"}]},{"text":" enables logging on a standby unit with failover enabled. As a result, this option causes increases traffic on the syslog server.","type":"text"}]}]}],"version":1},"reason":"A note macro in a list item can't be created or edited in the new editor."}}}]}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"heading","attrs":{"level":4},"content":[{"text":"Troubleshooting","type":"text"}]},{"type":"paragraph","content":[{"text":"Verify that logs are formatted correctly, similar to the following example:","type":"text"}]},{"type":"paragraph","content":[{"type":"inlineExtension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"__confluenceADFMigrationUnsupportedContentInternalExtension__","text":"","parameters":{"cxhtml":"textMidnight

","block-inline":true,"nestedContent":{"type":"doc","content":[{"type":"codeBlock","attrs":{"language":"plaintext"},"content":[{"text":"May 22 2019 16:11:55 asav-984 : %ASA-4-411004: Interface Management0/0, changed state to administratively down","type":"text"}]}],"version":1}}}}]},{"type":"paragraph","content":[{"type":"hardBreak"}]}]}],"version":1}

Browser not supported