This quick start guide will help Accenture Security customers configure Cisco® Adaptive Security Appliance (ASA) Firewalls to send logs to the Log Collection Platform (LCP).
The guide details the CLI and GUI configuration process. Please refer to the vendor document for more information on ASDM configuration.
This document includes the following topics:
A list of supported versions is available in the Accenture Security Supported Products List document (Accenture_MSS_Supported_Products_List.xlsx) which can be found at Accenture Portal - https://mss.accenture.com/PortalNextGen/Reports/Documents
Note: MSS does not support the Names feature or Cisco EMBLEM format logging. Both features must be disabled.
Log in to the Cisco ASDM-IDM Launcher console.
Go to Configuration > Device Management > Logging > Syslog Servers > Add. The Add Syslog Server window is displayed.
Set the Interface to Management.
In the IP address text box, enter the IP address of the LCP.
Select protocol as UDP.
Configure the Port number (default and recommended is 514 for UDP, 601 for TCP).
Clear the Log messages in Cisco EMBLEM format (UDP only) check box.
The Enable secure syslog using SSL/TLS check box is unavailable because TCP was not selected as the protocol.
In the Advanced Syslog Configuration window, select Enable syslog device ID.
Select Management from the Interface IP address drop-down list.
Click OK to save the settings.
Log in to the Cisco device command prompt and type the following command:
Enter your privileged command mode password.
At the new prompt, type the following command:
At the prompt, type the following configuration parameters:
logging host <Interface_Name> <IP_Address> UDP/514
Interface_Name - Cisco ASA or PIX network interface that is used to send syslog messages.
IP_Address - IP address of the LCP.
UDP - Protocol configured.
514 - Default port on which the LCP is configured to listen (preferred).
Note: To use TCP in step 2, replace "UDP" with "TCP" and "514" with "601", where 601 is the default TCP port. Refer to the note on the protocol description in Table 1-2.
Set the Cisco log severity level by entering the command:
logging trap informational
Add the device ID to the log header by entering one of the following commands:
logging device-id ipaddress <interface_name>
logging device-id hostname
logging device-id string <text>
Note: The ipaddress keyword uses the IP address of the specified ASA interface as the device ID.
Note: The string keyword uses the specified text string as the device ID.
Note: The hostname keyword uses the hostname of the ASA as the device ID.
Add the date and time in the log header by entering the command:
Enter the following command to display the running logging configuration.
Confirm that the following are enabled:
Trap logging set to Informational.
Logging to contains <LCP IP Address>.
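As an added collector-side check (not part of this guide), the following Python script parses received ASA syslog lines and reports any that lack the timestamp or device ID configured above, or that exceed the informational severity set by logging trap. The header layout it expects (PRI, timestamp, device ID, %ASA-severity-id tag) and the sample lines are assumptions constructed for the example.

```python
# Added example (not from the guide): collector-side check of the non-EMBLEM ASA header
# "<PRI>Mmm DD YYYY HH:MM:SS device-id : %ASA-sev-id: text" for the fields the guide requires.
import re
from typing import Dict, List, Optional

PRI_RE = re.compile(r"^<(\d{1,3})>")
TS_RE = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}")
TAG_RE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")
INFORMATIONAL = 6  # "logging trap informational" forwards severities 0..6 only

def parse_asa_syslog(line: str) -> Optional[dict]:
    """Split one ASA syslog line into header fields; None if it carries no %ASA tag."""
    rest, pri, ts = line.strip(), None, None
    if m := PRI_RE.match(rest):
        pri, rest = int(m.group(1)), rest[m.end():].lstrip()
    if m := TS_RE.match(rest):
        ts, rest = m.group(0), rest[m.end():]
    tag_at = rest.find("%ASA-")
    if tag_at < 0 or not (m := TAG_RE.match(rest[tag_at:])):
        return None
    # Whatever sits between the timestamp and the %ASA tag is the device ID, if one is configured.
    return {"pri": pri, "timestamp": ts, "device_id": rest[:tag_at].strip(" :") or None,
            "severity": int(m.group("sev")), "id": m.group("id"), "text": m.group("text")}

def check_message(msg: dict, expected_device_id: str) -> List[str]:
    """Return the guide's requirements this message violates (empty list means it conforms)."""
    findings = []
    if msg["timestamp"] is None:
        findings.append("no timestamp: 'logging timestamp' not configured")
    if msg["device_id"] is None:
        findings.append("no device ID: 'logging device-id' not configured")
    elif msg["device_id"] != expected_device_id:
        findings.append(f"device ID {msg['device_id']!r} differs from the PIQ value")
    if msg["severity"] > INFORMATIONAL:
        findings.append(f"severity {msg['severity']} exceeds 'logging trap informational'")
    return findings

def audit(lines: List[str], expected_device_id: str) -> Dict[str, List[str]]:
    """Map each parseable line's message ID to its findings; non-ASA lines are skipped."""
    return {m["id"]: check_message(m, expected_device_id)
            for m in map(parse_asa_syslog, lines) if m is not None}

# Constructed sample lines using RFC 5737 documentation addresses, not real collector output.
SAMPLE_LINES = [
    "<166>Mar 01 2020 12:00:00 ASA-FW : %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.10/4430 (198.51.100.10/4430) to inside:192.0.2.20/443 (203.0.113.5/443)",
    "<166>ASA-FW : %ASA-6-106100: access-list inside_in denied tcp inside/192.0.2.44(51000) -> outside/198.51.100.9(23) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "<167>Mar 01 2020 12:00:02 ASA-FW : %ASA-7-609001: Built local-host inside:192.0.2.20",
    "<166>Mar 01 2020 12:00:03 : %ASA-6-302014: Teardown TCP connection 1234 duration 0:00:03 bytes 512",
]
REPORT = audit(SAMPLE_LINES, "ASA-FW")  # one entry per message ID; an empty list means conforming
```

Run it against a capture taken at the LCP after the CLI steps; any non-empty finding points at the logging command that was not applied.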
Note: Both Accept and Deny logs play an important part in the analysis of traffic seen at the firewall. To receive the maximum benefit from a firewall logging to MSS, all rules that make up the installed firewall policy, including an Explicit Deny All (also known as Clean-Up) rule, should be configured to log.
Table 1-2: Syslog server parameters

Protocol: UDP
The default protocol for syslog. The collector can also accept logs in TCP.
Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To balance TCP for reliability over UDP for speed/simplicity, contact the Accenture Security MSS onboarding team.

IP Address: Firewall Interface IP address
Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).
Note: If the device sends logs using multiple interfaces, contact the Accenture Security MSS onboarding team.

Port: 514
The default port for UDP. For TCP, the default port is 601.
Note: The LCP can be configured to listen on a non-standard port; please advise the Accenture Security MSS onboarding team if this is a requirement.

MSS recommended signatures processed by the Cisco ASA event collector.
Refer to the vendor documentation for sample logging information. Reference link: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/about.html
Copyright © 2020 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction, release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.