Cisco Adaptive Security Appliance (ASA)

Deployment Guide

Date Published: 12/17/2020


Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix.

The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix. However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright © 2020 Securonix. All rights reserved.

Contact Information

Securonix

5080 Spectrum Drive, Suite 950W

Addison, TX 75001

(855) 732-6649


Table of Contents

Introduction
  About Cisco ASA Next Generation Firewall
  Supported Collection Method
  Format
  Functionality
  Taxonomy
Cisco ASA Configuration
  Basics of Syslog
  Configure Syslog using ASDM 7.12
  Configure using the Terminal
  Configure the Syslog Connectors
Configuration in SNYPR
Verify the Job
Resources


Introduction

This Deployment Guide provides information to configure Cisco Adaptive Security Appliance (ASA) to send security logs to SNYPR and describes how Cisco ASA events are parsed, normalized, and categorized.

About Cisco ASA Next Generation Firewall

A Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. It provides proactive threat defense that stops attacks before they spread through the network.

Supported Collection Method

The collection method is syslog.

Format

The format is Regex.

Functionality

The functionality of Cisco ASA is Next-Generation Firewall. See Available Policies for a complete list of policies for this datasource.

Taxonomy

The Securonix Open Event Format (OEF) event standard/schema is used. It provides a set of standardized attributes (fields) for consistent representation of logging output from different security and non-security devices and applications. For additional information on the OEF, refer to the Data Dictionary section on the Securonix documentation portal: https://documentation.securonix.com.


Cisco ASA Configuration

This section describes how to configure the Cisco ASA to push syslog data to the Remote Ingester Node (RIN).

- Basics of Syslog
- Configure Syslog using ASDM 7.12
- Configure Syslog using the Terminal

Basics of Syslog

System log messages are generated by the Cisco ASA to notify the administrator of changes in the configuration, the network setup, or the performance of the device. By analyzing the system log messages, an administrator can troubleshoot an error by performing a root cause analysis.

Send Logging Information to a Syslog Server

Enter the following commands to send logging information to a syslog server:

ciscoasa> enable
ciscoasa# configure terminal
ciscoasa(config)# logging host interface_name ip_address [tcp[/port] | udp[/port]] [format emblem]
ciscoasa(config)# logging trap severity_level
ciscoasa(config)# logging facility number

Logging Trap Severity Levels

The standard syslog trap severity levels range from 0 to 7. Each number represents a severity, with lower numbers representing more severe or important events. The logging trap command sets the highest level that is sent to the syslog server: a message is forwarded when its level is numerically less than or equal to the configured level.


The following table defines the log levels by number and security keyword, and provides a description of each level:

Log Level | Security Keyword | Meaning
0 | Emergencies | System unusable messages.
1 | Alert | Take immediate action.
2 | Critical | Critical condition.
3 | Error | Error messages.
4 | Warning | Warning messages.
5 | Notification | Normal but significant condition.
6 | Informational | Information messages.
7 | Debugging | Debugging messages, log FTP commands, and WWW URLs.

Add Time Stamps to Syslog

Time stamps can be added to syslog messages to help align and order events, which is recommended when tracing issues by time. To enable time stamps, enter the logging timestamp command in configuration mode. The following are syslog examples with and without the time stamp:


- Logs with the time stamp:

  Example: Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside:44.44.4.4/500 to inside:44.44.2.2/500 duration 0:02:02 bytes 1416

  Example: Jul 03 2014 14:33:09: %ASA-6-302014: Teardown TCP connection 806405 for inside:10.0.0.100/50554 to identity:172.18.124.136/51358 duration 0:00:00 bytes 442 TCP Reset-I

- Logs without the time stamp: The first example below is a 338002 message, one of the two messages (338001 and 338002) that are generated when traffic to or from a blacklisted domain is detected:

  Example: %ASA-4-338002: Dynamic filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com

  Example: %ASA-6-302016: Teardown UDP connection 806353 for outside:172.18.123.243/24057 to identity:172.18.124.136/161 duration 0:02:01 bytes 313
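The message formats above, worked through in code. The following Python example is added here and is not part of the Securonix guide or of any Cisco tooling. It parses the %ASA-<level>-<message id>: header (accepting either of the two time stamp styles shown above and tolerating a missing leading %), maps the level to the severity keyword from the table, extracts the connection fields from the 302014/302016 teardown messages, and applies the same threshold rule as logging trap to decide which lines an ASA would actually forward. The four quoted messages are the sample input; the 710003 ACL-denial line and the sshd line are constructed for the example.

```python
import re
from typing import Optional

# Severity table from the guide (level -> keyword). 'logging trap' accepts
# the number or the keyword.
SEVERITY = {
    0: "emergencies", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}
LEVEL_BY_KEYWORD = {v: k for k, v in SEVERITY.items()}

# Header: optional ASA time stamp in either style shown in the guide
# ("Jul 03 2014 14:33:09:" or "Tue Aug 15 23:30:09"), then
# %ASA-<level>-<six-digit id>:. A missing leading '%' is tolerated because
# some relays strip it.
ASA_HEADER = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}"
    r"|[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})[: ]+)?"
    r"%?ASA-(?P<level>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)$"
)

# Body of connection teardown messages (302014 TCP, 302016 UDP).
TEARDOWN = re.compile(
    r"^Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+))?$"
)


def parse_asa(line: str) -> Optional[dict]:
    """Parse one ASA syslog line. Returns None if it is not an ASA message."""
    m = ASA_HEADER.match(line.strip())
    if not m:
        return None
    level = int(m.group("level"))
    event = {
        "timestamp": m.group("ts"),
        "level": level,
        "severity": SEVERITY[level],
        "msgid": m.group("msgid"),
        "body": m.group("body"),
    }
    t = TEARDOWN.match(event["body"])
    if t:
        fields = t.groupdict()
        h, mi, s = (int(x) for x in fields.pop("duration").split(":"))
        fields["duration_s"] = h * 3600 + mi * 60 + s
        for key in ("conn", "src_port", "dst_port", "bytes"):
            fields[key] = int(fields[key])
        event.update(fields)
    return event


def passes_trap(event: dict, trap_level) -> bool:
    """Mirror 'logging trap <level>': the ASA forwards a message only when its
    level is numerically <= the configured level (lower number = more severe)."""
    if isinstance(trap_level, str):
        trap_level = LEVEL_BY_KEYWORD[trap_level.lower()]
    return event["level"] <= trap_level


def forwarded(lines, trap_level=7):
    """Return (events the ASA would send, lines dropped or not ASA at all)."""
    sent, dropped = [], []
    for line in lines:
        event = parse_asa(line)
        if event is not None and passes_trap(event, trap_level):
            sent.append(event)
        else:
            dropped.append(line)
    return sent, dropped


# Sample input: the four messages quoted in the guide, plus two constructed
# lines (a level-3 ACL denial and a non-ASA sshd line) to exercise the filter.
SAMPLE_LINES = [
    "Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for "
    "outside:44.44.4.4/500 to inside:44.44.2.2/500 duration 0:02:02 bytes 1416",
    "Jul 03 2014 14:33:09: %ASA-6-302014: Teardown TCP connection 806405 for "
    "inside:10.0.0.100/50554 to identity:172.18.124.136/51358 duration 0:00:00 "
    "bytes 442 TCP Reset-I",
    "%ASA-4-338002: Dynamic filter permitted black listed TCP traffic from "
    "inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 "
    "(209.165.202.129/80), destination 209.165.202.129 resolved from dynamic "
    "list: bad.example.com",
    "%ASA-6-302016: Teardown UDP connection 806353 for "
    "outside:172.18.123.243/24057 to identity:172.18.124.136/161 duration "
    "0:02:01 bytes 313",
    # constructed ASA line, level 3
    "%ASA-3-710003: TCP access denied by ACL from 203.0.113.7/4444 to "
    "outside:198.51.100.2/22",
    # constructed non-ASA line
    "Jul 03 2014 14:33:09 sshd[4242]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    sent, dropped = forwarded(SAMPLE_LINES, "warning")
    for ev in sent:
        print(ev["severity"], ev["msgid"], ev.get("src_ip"), ev.get("reason"))
    print("dropped:", len(dropped))
```

With logging trap warning only the 338002 and 710003 lines survive; with logging trap debugging every ASA line is forwarded, which is the volume trade-off to keep in mind when choosing the trap level for the RIN.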

Logging Retrieval Methods

The following table shows the logging retrieval methods for Cisco devices, including the Cisco ASA:

Security Device | Logging Method | Protocol Details
Cisco IOS-based Router | syslog | UDP port 514
Cisco ASA 5500 Series | syslog | UDP port 514 or TCP port 1468
Cisco IPS 4200 Series | SDEE | HTTP or HTTPS
Cisco Security MARS | Raw message archive | SFTP or NFS
Cisco IronPort Email Security Appliance | Log file export | SCP or FTP
Cisco IronPort Web Security Appliance | Log file export | SCP or FTP

Configure Syslog using ASDM 7.12

This section provides information on how to configure syslog on the Cisco ASA by using the Adaptive Security Device Manager (ASDM) 7.12 user interface (UI).

Enable logging

To enable logging on Cisco ASA, complete the following steps:

1. Configure the logging parameters by navigating to Configuration > Device Management > Logging > Logging Setup.
2. Check the Enable logging box to enable syslogs.
3. Click Apply.

Logging to a Syslog Server

To configure an external server as the destination for syslog, complete the following steps:


1. Choose Syslog Servers in Logging.

2. Click Add to add a syslog server.

3. Enter the syslog server details in the Add Syslog Server box.

4. Click OK when you are done.

5. On the syslog server, add the following lines to the syslog-ng configuration (the syntax below is syslog-ng, normally /etc/syslog-ng/syslog-ng.conf, not a classic syslog.conf):

   source s_network {
       unix-stream("/dev/log" max-connections(100) so_keepalive(yes) log-fetch-limit(100) log-iw-size(10000));
       tcp(ip(0.0.0.0) port(514) max-connections(300) keep-alive(yes) log-fetch-limit(100) log-iw-size(30000));
       udp(ip(0.0.0.0) port(514));
   };

   filter f_ciscoasa { match("ASA") or match("asa"); };

   destination d_ciscoasa { file("/Securonix/Ingester/import/in/cisco/ciscoasa-$R_YEAR$R_MONTH$R_DAY$R_HOUR"); };

   log { source(s_network); filter(f_ciscoasa); destination(d_ciscoasa); flags(flow-control); };

   Note: match() without a value() option is a regular-expression search over the message header and text, so any line containing the substring ASA or asa, from any sender, is written to the Cisco ASA import file. If other hosts log to the same syslog-ng instance, narrow the filter, for example with host("<asa ip>") or match("%ASA-" value("MESSAGE")).
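Because match() with no value() option is a plain regular-expression search over the message header and text, the f_ciscoasa filter above is a substring test for ASA or asa. The following Python example is added here and is not part of the guide or of syslog-ng; it mimics that filter, a stricter alternative keyed on the %ASA- header, and the one-file-per-hour naming produced by the $R_YEAR$R_MONTH$R_DAY$R_HOUR macros (the R_ prefix is the time syslog-ng received the message). The sample lines, the hostnames in them, and the RIN path are constructed for illustration.

```python
import re
from datetime import datetime


def guide_filter(line: str) -> bool:
    """The guide's filter: match("ASA") or match("asa") with no value()
    searches the header and message, i.e. a case-sensitive substring test."""
    return re.search("ASA", line) is not None or re.search("asa", line) is not None


# Stricter alternative (suggested here, not from the guide): require the
# actual ASA message header %ASA-<level>-<six-digit id>:.
ASA_HEADER = re.compile(r"%ASA-[0-7]-\d{6}: ")


def strict_filter(line: str) -> bool:
    return ASA_HEADER.search(line) is not None


def destination_path(received_at: datetime,
                     base: str = "/Securonix/Ingester/import/in/cisco") -> str:
    """Expand ciscoasa-$R_YEAR$R_MONTH$R_DAY$R_HOUR for a message received at
    received_at: one file per hour of arrival, e.g. .../ciscoasa-2020121714."""
    return f"{base}/ciscoasa-{received_at:%Y%m%d%H}"


def route(lines, received_at: datetime, strict: bool = False) -> dict:
    """Apply the filter and destination the way the guide's log {} statement
    does. Returns {path: [lines written]}; lines failing the filter are dropped."""
    chooser = strict_filter if strict else guide_filter
    out = {}
    for line in lines:
        if chooser(line):
            out.setdefault(destination_path(received_at), []).append(line)
    return out


# Constructed sample traffic arriving at the RIN's syslog-ng from several hosts.
SAMPLE = [
    # a genuine ASA message
    "<166>Dec 17 2020 14:05:31 fw01 %ASA-6-302014: Teardown TCP connection 12 for "
    "inside:10.0.0.8/51000 to outside:198.51.100.9/443 duration 0:00:05 bytes 2310 TCP FINs",
    # a Linux host whose name contains "asa": caught by the guide's filter
    "<38>Dec 17 14:05:32 casa-db01 sshd[912]: Accepted publickey for svc_backup from 10.0.0.20",
    # an unrelated web log whose URL path contains "asa"
    "<13>Dec 17 14:05:33 web03 app[77]: GET /nasa-feed 200",
    # a Windows forwarder line with nothing ASA-like
    "<14>Dec 17 14:05:34 dc01 MSWinEventLog 1 Security 4624 An account was successfully logged on",
]

if __name__ == "__main__":
    now = datetime(2020, 12, 17, 14, 5, 31)
    for mode in (False, True):
        written = route(SAMPLE, now, strict=mode)
        for path, lines in written.items():
            print("strict" if mode else "guide ", path, len(lines), "lines")
```

With the guide's filter three of the four lines land in the Cisco ASA import file and two of them will fail the Cisco ASA parser in SNYPR; the strict filter keeps only the real ASA message.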

Configure using the Terminal

Complete the following steps to configure the Cisco ASA to send events using the terminal:

1. Open a terminal session to the ASA, preferably over SSH; Telnet transmits the login credentials in cleartext and should stay disabled on a production firewall.
2. Within the console, enter enable mode by entering one of the following:


   hostname> en
   or
   hostname> enable

3. Enter configuration mode by entering one of the following:

   hostname# configure terminal
   or
   hostname# conf t

4. Enter the following lines:

   hostname(config)# logging on
   hostname(config)# logging timestamp
   hostname(config)# no logging standby
   hostname(config)# no logging console
   hostname(config)# no logging monitor
   hostname(config)# no logging buffered debugging
   hostname(config)# logging trap debugging
   hostname(config)# no logging history
   hostname(config)# logging facility <facility number, 16 to 23>
   hostname(config)# logging queue 512
   hostname(config)# logging host inside <syslog server ip address>

   Note: logging trap debugging forwards every message up to level 7, including debug output. On a busy ASA, consider logging trap informational (level 6) to reduce the volume sent to the RIN.

The logging facility is a syslog facility number (not a directory) and can be one of the following:

- 16 local0
- 17 local1
- 18 local2
- 19 local3
- 20 local4
- 21 local5
- 22 local6
- 23 local7

For example, to log to syslog facility local6, enter logging facility 22 on the device.

Note: You can use multiple logging host commands to specify additional servers.

Configure the Syslog Connectors

The following syslog connectors are available:

- Syslog Pipe and File: When a syslog daemon is in place to receive syslog messages, add a line in the syslog configuration file (syslog.conf) to write the events to either a file or a system pipe.
- Syslog Daemon: The syslog daemon is a syslog-compatible daemon designed to work in operating systems (OS) that have no syslog daemon in their default configuration, such as Microsoft Windows. By default, the connector for syslog daemon implements a UDP receiver on port 514 (configurable). Use of the TCP protocol can be configured manually.

This section provides information on how to set up syslog to send events to the syslog pipe or file connector, and how to configure changes to send log files to Securonix.

Configuring the Syslog Pipe

1. Execute the following command as root to create a pipe:

   mkfifo /var/tmp/syspipe

2. Add one of the following lines to your syslog.conf file:


   *.debug /var/tmp/syspipe
   *.debug |/var/tmp/syspipe

   (Do not prefix the line with #: in syslog.conf a leading # marks a comment and the line would be ignored.)

3. Restart the syslog daemon by executing one of the following as root:

   /etc/init.d/syslogd stop
   /etc/init.d/syslogd start
   On Red Hat Linux, execute: service syslog restart
   On Solaris, execute: kill -HUP `cat /var/run/syslog.pid`

This forces the syslog daemon to reload its configuration and start writing to the pipe you previously created.

Configuring the Syslog File

1. Create a file or use the default file by editing the /etc/rsyslog.conf file.
2. Restart the syslog daemon as described in the Configuring the Syslog Pipe section.

Configuring Changes to Send Log Files to Securonix

1. In a /etc/rsyslog.d/*.conf file or the /etc/rsyslog.conf file, add the following line:

   *.* @private_ip_securonix:port_no

   This line sends all messages to the defined IP address at port port_no over UDP. Use @@ instead of @ to forward over TCP, which avoids the silent message loss that UDP forwarding suffers under load.

2. Restart the syslog daemon by executing one of the following:

   sudo service rsyslog restart
   or
   /etc/init.d/syslogd stop
   /etc/init.d/syslogd start

The configuration is complete. The log source is added to SNYPR as Cisco ASA syslog events are automatically discovered. Events that are forwarded to SNYPR by Cisco ASA are displayed on the Job Monitor tab of SNYPR.

Configuration in SNYPR

To configure Cisco ASA in SNYPR, complete the following steps:

1. Log in to SNYPR.

2. Navigate to Menu > Add Data > Activity.

3. Click + > Add Data for Existing Device Type.

4. Click the Vendor drop-down and select the following information:


- Vendor: Cisco Systems
- Functionality: Next Generation Firewall
- Device Type: Cisco ASA
- Collection Method: Regex [syslog]

5. Choose an ingester from the drop-down list.


6. Click + to add a filter.

7. Provide a name for the filter.


8. Add one of the following syslog filters in the Filter expression box:

- {host("10.0.0.1");};
- {match("%ASA");};

Note: The IP address in host() is the address of the ASA that sends the syslog messages (the syslog source host), not an address inside the traffic being logged.

9. Click Add.

10. Complete the following information in the Device Information section:

a. Datasource Name: Cisco ASA Next Generation Firewall

b. Specify timezone for activity logs: Click the drop-down and select a timezonefor the logs.

11. Click Get Preview on the top right of the screen to view the data.

12. Click Save & Next until you reach step 4: Identity Attribution.

13. Click + > Add New Correlation Rule.


14. Enter a descriptive name for the correlation rule.

15. Provide the following parameters to create a correlation rule:


- User Attribute
- Operation
- Parameter
- Condition
- Separator

Example: User Attribute: firstname | Operation: None | Condition: And | Separator: . (period) + User Attribute: lastname | Operation: None | Condition: And. This correlation rule correlates users to activity accounts with the format firstname.lastname.

16. Scroll to the bottom of the screen and click Save.

17. Click Save & Next.

18. Select Do you want to run job Once? in the Job Scheduling Information section.


19. Click Save & Run.

You will automatically be directed to the Job Monitor screen.

Verify the Job

Upon a successful import, the event data is available for searching in Spotter. To search events in Spotter, complete the following steps:

1. Navigate to Menu > Security Center > Spotter.
2. Verify that the datasource you ingested is listed under the Available Datasources section.


Resources

- Cisco Security Information Event Management Deployment Guide: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security-technology-partners/bn_cisco_siem.pdf
- ASA Syslog Configuration Example: https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html and https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/monitor_syslog.html
- Configure Basic Syslog with ASDM: https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc14