Skip to main content
Skip table of contents

Create a Remote Log Source - Cisco ASA

Topics Discussed

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays

You can use this document to send Cisco Adaptive Secure Appliance (ASA) logs to Armor's Security Information & Event Management (SIEM).

This document only applies to:

  • Cisco Adaptive Secure Appliance (ASA) 8.X

  • Cisco Adaptive Secure Appliance (ASA) 9.X


Pre-Deployment Considerations

To create a remote Log Relay, you must already have:


Update your Cisco ASA device

  1. Log into your Cisco ASA device.

  2. Access the privileged EXEC mode:

    BASH 
    hostname> enable

  3. Access the global configuration mode:

    BASH 
    hostname# configure terminal

  4. Enable logging:

    BASH 
    hostname(config)# logging enable

  5. Configure the global logging settings:

    BASH 
    hostname(config)# logging timestamp
hostname(config)# logging trap warning
hostname(config)# logging asdm warning
hostname(config)# logging device-id hostname

  6. Configure logs to be sent to a designated Armor Log Relay device:

    BASH 
    hostname(config)# logging host <interface> <ipaddress> <protocol/port>
    • In <interface>, enter the name of the Cisco Adaptive Security Appliance (ASA) interface.
    • In <ipaddress>, enter the IP address of the corresponding Armor Log Relay device.
      • To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.
    • In <protocol/port>:
      • For UDP, enter udp/10041.
        • Armor recommends that you use UDP.
      • For TCP, enter tcp/10041.

        • If you use TCP, then the ASA can determine the availability of the status of the syslog server. If the ASA cannot establish a connection to the syslog server to log activity, then by default, the ASA will not allow new connections for transit traffic. Use the following command to allow transit traffic,

          CODE 
          hostname(config)# logging permit-hostdown

  7. To ensure that the log messages use the IP address and not the object names, disable the output object name option:

    BASH 
    hostname(config)# no names

  8. Exit the configuration:

    BASH 
    hostname(config)# exit

  9. Save the changes:

    BASH 
    hostname# write memory

  10. Review the logging configuration:

    BASH 
    hostname# show run all logging
logging enable
logging timestamp
logging hide username
logging buffer-size 4096
logging asdm-buffer-size 100
logging buffered warnings
logging trap warnings
logging asdm warnings
logging device-id hostname
logging host inside 100.64.0.10 17/5140
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024

    If present, logging standby enables logging on a standby unit with failover enabled. As a result, this option causes increases traffic on the syslog server.

Troubleshooting

Verify that logs are formatted correctly, similar to the following example:

TEXT 
May 22 2019 16:11:55 asav-984 : %ASA-4-411004: Interface Management0/0, changed state to administratively down


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close