Cisco ASA#
Integration Details |
|
Ingester |
|
Kit |
Cisco ASA Configuration#
Configure log forwarding as described in Cisco ASA documentation.
Example Cisco ASA config:
logging host interface_name simple_relay_ip udp/514 format emblem
logging trap severity_level
logging facility number
Warning
If using TCP for syslog, you probably want to set logging permit-hostdown. Otherwise, if the ASA is unable to connect to the Gravwell ingester, it will block all new connections.
Gravwell Configuration#
Gravwell Storage Well Configuration#
Setup the well configuration in your Gravwell indexers.
Sample well config:
Create or edit: /opt/gravwell/etc/gravwell.conf.d/cisco-asa-well.conf
[Storage-Well "ciscoasa"]
Location=/opt/gravwell/storage/cisco-asa
Tags=cisco-asa*
Gravwell Ingester Configuration: Simple Relay#
Sample Cisco ASA config:
Create or edit: /opt/gravwell/etc/simple_relay/cisco-asa.conf
[Listener "syslogtcp_cisco_asa"]
Bind-String="tcp://0.0.0.0:6801"
Reader-Type=rfc5424
Keep-Priority=true
Tag-Name=cisco-asa-events
Assume-Local-Timezone=true
Preprocessor="Cisco ASA Class Router"
# ASA: Route by 3-digit class prefix from the 6-digit message number
# Example: %ASA-6-302013: ... -> class=302
[preprocessor "Cisco ASA Class Router"]
Type=regexrouter
Drop-Misses=false
Regex=`%ASA-[0-7]-(?P<class>\d{3})\d{3}:`
Route-Extraction=class
# auth
Route=109:cisco-asa-auth
Route=113:cisco-asa-auth
# config
Route=111:cisco-asa-config
Route=112:cisco-asa-config
Route=208:cisco-asa-config
Route=308:cisco-asa-config
# vpn
Route=213:cisco-asa-vpn
Route=316:cisco-asa-vpn
Route=320:cisco-asa-vpn
Route=402:cisco-asa-vpn
Route=403:cisco-asa-vpn
Route=404:cisco-asa-vpn
Route=501:cisco-asa-vpn
Route=602:cisco-asa-vpn
Route=603:cisco-asa-vpn
Route=611:cisco-asa-vpn
Route=702:cisco-asa-vpn
Route=713:cisco-asa-vpn
Route=714:cisco-asa-vpn
Route=715:cisco-asa-vpn
Route=716:cisco-asa-vpn
Route=718:cisco-asa-vpn
Route=720:cisco-asa-vpn
Route=722:cisco-asa-vpn
# traffic
Route=106:cisco-asa-traffic
Route=108:cisco-asa-traffic
Route=201:cisco-asa-traffic
Route=202:cisco-asa-traffic
Route=204:cisco-asa-traffic
Route=302:cisco-asa-traffic
Route=303:cisco-asa-traffic
Route=304:cisco-asa-traffic
Route=305:cisco-asa-traffic
Route=314:cisco-asa-traffic
Route=405:cisco-asa-traffic
Route=406:cisco-asa-traffic
Route=407:cisco-asa-traffic
Route=500:cisco-asa-traffic
Route=502:cisco-asa-traffic
Route=607:cisco-asa-traffic
Route=608:cisco-asa-traffic
Route=609:cisco-asa-traffic
Route=616:cisco-asa-traffic
Route=620:cisco-asa-traffic
Route=703:cisco-asa-traffic
Route=710:cisco-asa-traffic
# threat
Route=400:cisco-asa-threat
Route=401:cisco-asa-threat
Route=420:cisco-asa-threat
Route=733:cisco-asa-threat
# system
Route=101:cisco-asa-system
Route=102:cisco-asa-system
Route=103:cisco-asa-system
Route=104:cisco-asa-system
Route=105:cisco-asa-system
Route=199:cisco-asa-system
Route=210:cisco-asa-system
Route=211:cisco-asa-system
Route=214:cisco-asa-system
Route=216:cisco-asa-system
Route=306:cisco-asa-system
Route=307:cisco-asa-system
Route=311:cisco-asa-system
Route=315:cisco-asa-system
Route=414:cisco-asa-system
Route=604:cisco-asa-system
Route=605:cisco-asa-system
Route=606:cisco-asa-system
Route=610:cisco-asa-system
Route=612:cisco-asa-system
Route=614:cisco-asa-system
Route=615:cisco-asa-system
Route=701:cisco-asa-system
Route=709:cisco-asa-system
Route=711:cisco-asa-system
Route=741:cisco-asa-system
Note
Remember to restart the service to apply the new config:
sudo systemctl restart gravwell_simple_relay.service