Chronicle supports ingesting Cisco ASA firewall traffic in order to visualize web traffic. Chronicle requires only a very simple syslog configuration along with a Chronicle Forwarder.
Chronicle Data Types
- Chronicle Forwarder
Syslog Logging Configuration
- Log into the Cisco ASA device.
Type the following command to access privileged EXEC mode:
Type the following command to access global configuration mode:
Configure the logging details:
logging trap informational
Type the following command to configure logging to the Chronicle Forwarder:
logging host <interface> <IP address> [tcp[/port]] | udp[/port]]
<interface>is the name of the ASA interface
<IP address>is the IP address of the Chronicle Forwarder
IMPORTANT NOTE: ASA sends syslog on UDP port 514 by default, but protocol and port can be chosen. If TCP is chosen as the logging protocol, this causes the ASA to send syslog messages via a TCP connection to the syslog server. If the server is inaccessible, or the TCP connection to the server cannot be established, the ASA will, by default, block ALL new connections. This behavior should be disabled by enabling the command