Skip to content

Cisco ASA

Chronicle supports ingesting Cisco ASA firewall logs to Chronicle. This setup requires syslog configuration along with a Chronicle forwarder.

Chronicle Data Types

  • CISCO_ASA

Requirements

  • Chronicle Forwarder

Configuration

Reference: https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc6

TLS Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/general/asa-910-general-config/monitor-syslog.html

Syslog Logging Configuration

  1. Log into the Cisco ASA device

  2. Type the following command to access privileged EXEC mode:

    enable

  3. Type the following command to access global configuration mode:

    conf t

  4. Enable logging:

    logging enable

  5. Configure the logging details:

    logging trap informational

  6. Type the following command to configure logging to the Chronicle Forwarder:

    logging host <interface> <IP address> [tcp[/port]] | udp[/port]]

Where:

  • <interface> is the name of the ASA interface
  • <IP address> is the IP address of the Chronicle Forwarder

Syslog Logging Configuration over TLS

Enable secure logging by specifying the secure keyword in the logging host command. Also, optionally enter the reference-identity.

    logging host interface_name syslog_ip [tcp/port | udp/port] [format emblem] [secure [reference-identity reference_identity_name] ]

Where:

  • logging host interface_name syslog_ip specifies the interface on which the syslog server resides and the IP address of the syslog server.

  • [tcp/port | udp/port] specifies the port (TCP or UDP) that the syslog server listens to for syslog messages. The tcp keyword specifies that the ASA should use TCP to send syslog messages to the syslog server. The udp keyword specifies that the ASA should use UDP to send syslog messages to the syslog server.

  • format emblem keyword enables EMBLEM format logging for the syslog server.

  • secure keyword specifies that the connection to the remote logging host should use SSL/TLS for TCP only. Secure logging does not support UDP; an error occurs if you try to use this protocol.

  • [reference-identity reference_identity_name] enables RFC 6125 reference identity checks on the certificate based on the previously configured reference identity object.

Example: Type the following command to configure logging to the Chronicle Forwarder:

    logging <interface> <IP address> [tcp[/port]] | udp[/port] secure  reference-identity syslogServer]

You will also need to:

  • Specify DNS name for the SSL certificate
  • Import root certificate to properly validate the Let's Encrypt cert

IMPORTANT NOTE: ASA sends syslog on UDP port 514 by default but protocol and port can be chosen. If TCP is chosen as the logging protocol, this causes the ASA to send syslog messages via a TCP connection to the syslog server. If the server is inaccessible or the TCP connection to the server cannot be established, the ASA will, by default, block ALL new connections. This behavior should be disabled by enabling the command logging permit-hostdown.