Cisco ASA

Chronicle supports ingesting Cisco ASA firewall traffic in order to visualize web traffic. Chronicle requires only a very simple syslog configuration along with a Chronicle Forwarder.

Chronicle Data Types

  • Firewall

Requirements

  • Chronicle Forwarder

Configuration

Reference: https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc6

Syslog Logging Configuration

  1. Log into the Cisco ASA device.
  2. Type the following command to access privileged EXEC mode:

    enable
    
  3. Type the following command to access global configuration mode:

    conf t
    
  4. Enable logging:

    logging enable
    
  5. Configure the logging details:

    logging trap informational
    
  6. Type the following command to configure logging to the Chronicle Forwarder:

    logging host <interface> <IP address> [tcp[/port] | udp[/port]]
    

Where:

  • <interface> is the name of the ASA interface
  • <IP address> is the IP address of the Chronicle Forwarder

IMPORTANT NOTE: ASA sends syslog to UDP port 514 by default, but the protocol and port can be chosen. If TCP is chosen as the logging protocol, the ASA sends syslog messages over a TCP connection to the syslog server. If the server is unreachable, or the TCP connection cannot be established, the ASA by default blocks ALL new connections. Disable this behavior with the logging permit-hostdown command.
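The following added example (not part of this page or of Chronicle's own tooling) models the effect of steps 4 to 6 above: it builds the ASA logging commands for a given interface, address and transport, appending logging permit-hostdown whenever TCP is selected, and it filters constructed ASA syslog lines the way "logging trap informational" does, forwarding only messages whose severity is 6 (informational) or more urgent. The %ASA-<severity>-<message id>: header format, the severity level names, and the default local4 (20) facility in the <PRI> prefix are standard ASA behavior; the sample lines, interface name, addresses and port are constructed.

```python
import ipaddress
import re
from typing import Optional

# Severity levels accepted by "logging trap <level>" on the ASA.
ASA_SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# ASA message header: %ASA-<severity>-<6-digit message id>: <text>
# When received over syslog the line usually carries a <PRI> prefix first.
_HEADER = re.compile(
    r"(?:<(?P<pri>\d{1,3})>)?.*?%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# Constructed sample lines (addresses from documentation ranges, not real traffic).
SAMPLE_LINES = [
    "<166>%ASA-6-302013: Built outbound TCP connection 1422 for outside:203.0.113.10/443 "
    "(203.0.113.10/443) to inside:192.0.2.20/51234 (192.0.2.20/51234)",
    "<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:192.0.2.20/22 "
    "by access-group \"outside_in\"",
    "<165>%ASA-5-111008: User 'admin' executed the 'logging host inside 192.0.2.50 tcp/1514' command.",
    "<167>%ASA-7-609001: Built local-host inside:192.0.2.20",
    "not an ASA line at all",
]


def parse_asa_line(line: str) -> Optional[dict]:
    """Extract severity, message id and text; add facility when a <PRI> prefix is present."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        rec["facility"] = pri // 8        # ASA default logging facility is 20 (local4)
        rec["pri_severity"] = pri % 8     # should agree with the %ASA-<severity> field
    return rec


def trap_level(name: str) -> int:
    """Map a 'logging trap' level name to its numeric severity."""
    try:
        return ASA_SEVERITIES[name.lower()]
    except KeyError:
        raise ValueError(f"unknown logging trap level: {name!r}") from None


def forwarded_messages(lines, level: str = "informational") -> list:
    """Keep the messages the ASA would send to the syslog host for 'logging trap <level>'."""
    threshold = trap_level(level)
    kept = []
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None:
            continue                      # not an ASA message; nothing to forward
        if rec["severity"] <= threshold:  # lower number = more urgent
            kept.append(rec)
    return kept


def logging_host_commands(interface: str, ip: str, proto: str = "udp",
                          port: Optional[int] = None) -> list:
    """Build the ASA commands for steps 4-6; TCP transport also gets 'logging permit-hostdown'."""
    ipaddress.ip_address(ip)              # raises ValueError on a malformed address
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("port out of range")
    target = proto if port is None else f"{proto}/{port}"
    cmds = ["logging enable", "logging trap informational",
            f"logging host {interface} {ip} {target}"]
    if proto == "tcp":
        # Without this, an unreachable TCP syslog host makes the ASA block new connections.
        cmds.append("logging permit-hostdown")
    return cmds


if __name__ == "__main__":
    for cmd in logging_host_commands("inside", "192.0.2.50", "tcp", 1514):
        print(cmd)
    for rec in forwarded_messages(SAMPLE_LINES):
        print(rec["severity"], rec["msgid"], rec["text"][:60])
```

Running the block prints the four commands for a TCP forwarder on port 1514 and then the three sample messages that survive the informational threshold; the severity 7 (debugging) line is dropped, as it would be on the ASA.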