Skip to main content
Skip table of contents

Create a Remote Log Source - Cisco ASA

Topics Discussed

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays

You can use this document to send Cisco Adaptive Secure Appliance (ASA) logs to Armor's Security Information & Event Management (SIEM).

This document only applies to:

  • Cisco Adaptive Secure Appliance (ASA) 8.X

  • Cisco Adaptive Secure Appliance (ASA) 9.X

Pre-Deployment Considerations

To create a remote Log Relay, you must already have:

Update your Cisco ASA device

  1. Log into your Cisco ASA device.

  2. Access the privileged EXEC mode:

    hostname> enable
  3. Access the global configuration mode:

    hostname# configure terminal
  4. Enable logging:

    hostname(config)# logging enable
  5. Configure the global logging settings:

    hostname(config)# logging timestamp
    hostname(config)# logging trap warning
    hostname(config)# logging asdm warning
    hostname(config)# logging device-id hostname
  6. Configure logs to be sent to a designated Armor Log Relay device:

    hostname(config)# logging host <interface> <ipaddress> <protocol/port>
    • In <interface>, enter the name of the Cisco Adaptive Security Appliance (ASA) interface.
    • In <ipaddress>, enter the IP address of the corresponding Armor Log Relay device.
      • To locate your IP address in AMP, in the left-side navigation, click Infrastructure, click Virtual Machines, and then review the Primary IP column for the corresponding virtual machine.
    • In <protocol/port>:
      • For UDP, enter udp/10041.
        • Armor recommends that you use UDP.
      • For TCP, enter tcp/10041.
        • If you use TCP, then the ASA can determine the availability of the status of the syslog server. If the ASA cannot establish a connection to the syslog server to log activity, then by default, the ASA will not allow new connections for transit traffic. Use the following command to allow transit traffic,

          hostname(config)# logging permit-hostdown
  7. To ensure that the log messages use the IP address and not the object names, disable the output object name option:

    hostname(config)# no names
  8. Exit the configuration:

    hostname(config)# exit
  9. Save the changes:

    hostname# write memory
  10. Review the logging configuration:

    hostname# show run all logging
    logging enable
    logging timestamp
    logging hide username
    logging buffer-size 4096
    logging asdm-buffer-size 100
    logging buffered warnings
    logging trap warnings
    logging asdm warnings
    logging device-id hostname
    logging host inside 17/5140
    logging flash-minimum-free 3076
    logging flash-maximum-allocation 1024

    If present, logging standby enables logging on a standby unit with failover enabled. As a result, this option causes increases traffic on the syslog server.


Verify that logs are formatted correctly, similar to the following example:

May 22 2019 16:11:55 asav-984 : %ASA-4-411004: Interface Management0/0, changed state to administratively down

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.