Create a Remote Log Source - Cisco ASA
You can use this document to send Cisco Adaptive Secure Appliance (ASA) logs to Armor's Security Information & Event Management (SIEM).
This document only applies to:
Cisco Adaptive Secure Appliance (ASA) 8.X
Cisco Adaptive Secure Appliance (ASA) 9.X
Pre-Deployment Considerations
To create a remote Log Relay, you must already have:
A Log Relay server on your account
To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection
Configured the system clock
Update your Cisco ASA device
Log into your Cisco ASA device.
Access the privileged EXEC mode:
hostname> enable
Access the global configuration mode:
hostname# configure terminal
Enable logging:
hostname(config)# logging enable
Configure the global logging settings:
hostname(config)# logging timestamp
hostname(config)# logging trap warning
hostname(config)# logging asdm warning
hostname(config)# logging device-id hostname
Configure logs to be sent to a designated Armor Log Relay device:
hostname(config)# logging host <interface> <ipaddress> <protocol/port>
To ensure that the log messages use the IP address and not the object names, disable the output object name option:
hostname(config)# no names
Exit the configuration:
hostname(config)# exit
Save the changes:
hostname# write memory
Review the logging configuration:
hostname# show run all logging
logging enable
logging timestamp
logging hide username
logging buffer-size 4096
logging asdm-buffer-size 100
logging buffered warnings
logging trap warnings
logging asdm warnings
logging device-id hostname
logging host inside 100.64.0.10 17/5140
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
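The review step can be automated by checking saved "show run all logging" output against the settings this procedure configures. The following is an added example, not Armor or Cisco code: the function names are hypothetical, the sample is the output shown on this page, and it assumes the ASA prints the protocol as an IP protocol number (17 for UDP, 6 for TCP) and defaults to UDP port 514 when none is shown.

```python
import re

# Output of "show run all logging" as shown on this page.
SAMPLE = """\
logging enable
logging timestamp
logging hide username
logging buffer-size 4096
logging asdm-buffer-size 100
logging buffered warnings
logging trap warnings
logging asdm warnings
logging device-id hostname
logging host inside 100.64.0.10 17/5140
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
"""

REQUIRED = ("logging enable", "logging timestamp", "logging device-id hostname")
PROTOCOLS = {"17": "udp", "6": "tcp"}  # IP protocol numbers as the ASA prints them
HOST_RE = re.compile(r"^logging host (\S+) (\S+)(?: (\d+)/(\d+))?$")

def parse_hosts(lines):
    """Return (interface, ip, protocol, port) for each 'logging host' line."""
    hosts = []
    for line in lines:
        m = HOST_RE.match(line)
        if m:
            iface, ip, proto, port = m.groups()
            # Assumption: with no protocol/port shown, the ASA default is UDP 514.
            hosts.append((iface, ip, PROTOCOLS.get(proto or "17", proto),
                          int(port or 514)))
    return hosts

def audit_logging(show_output, relay_ip, relay_port):
    """Return a list of findings; an empty list means the settings match."""
    lines = [ln.strip() for ln in show_output.splitlines() if ln.strip()]
    findings = [f"missing: {req}" for req in REQUIRED if req not in lines]
    if not any(ln.startswith("logging trap warning") for ln in lines):
        findings.append("logging trap is not set to warnings")
    relay = [h for h in parse_hosts(lines) if h[1] == relay_ip]
    if not relay:
        findings.append(f"no logging host entry for {relay_ip}")
    elif all(h[3] != relay_port for h in relay):
        findings.append(f"{relay_ip} is not configured on port {relay_port}")
    return findings

if __name__ == "__main__":
    print(audit_logging(SAMPLE, "100.64.0.10", 5140) or "logging config OK")
```

Pass the Log Relay address and port assigned to your account in place of the sample values.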
Troubleshooting
Verify that logs are formatted correctly, similar to the following example: