AlienVault® USM Appliance™

Cisco ASA

When you configure Cisco ASA to send log data to USM Appliance, you can use the Cisco ASA plugin to translate the raw log data into normalized events for analysis.

Device Details

Vendor: Cisco
Device Type: UTM
Connection Type: Syslog
Data Source Name: cisco-asa
Data Source ID: 1636

Integrating Cisco ASA

Before you configure the Cisco ASA integration, you must have the IP Address of the USM Appliance Sensor and the Cisco Adaptive Security Device Manager (ASDM).

To configure Cisco ASA to send log data to USM Appliance

  1. Connect to the ASA box, using ASDM.
  2. Go to Configuration > Device Management > Logging > Syslog Servers and click Add to add a syslog server.

    Note: Make sure you have connectivity between Cisco ASA and the USM Appliance Sensor.

  3. In the Add Syslog Server dialog, specify the following:

    1. Interface associated with the server
    2. USM Appliance Sensor IP address
    3. Protocol (TCP or UDP)
    4. Port number, 514 for either TCP or UDP.
    5. Click OK

    The new syslog server appears.

  4. In Queue Size, specify the number of messages allowed to be queued when the syslog server is busy. 0 means unlimited queue size.
  5. If the transport protocol between Cisco ASA and the syslog server is TCP, select Allow user traffic to pass when TCP Syslog server is down. Otherwise, Cisco ASA denies any new network access sessions.
  6. Click Apply.

To configure syslog on Cisco ASA

The header fields in the syslog messages sent by Cisco ASA include some important information needed by USM Appliance to parse the messages correctly.

To make sure that logging is enabled for USM Appliance, use the command:

ciscoasa(config)# logging enable

You also need to enable timestamp and hostname logging in the messages:

ciscoasa(config)# logging timestamp

ciscoasa(config)# logging device-id hostname

For further assistance with Cisco ASA logging, please consult the vendor documentation.
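
To confirm on the receiving side that the timestamp and hostname settings above took effect, the following added example (not part of the original page and not the USM Appliance plugin's own pattern) checks received lines for both header fields and names the command whose field is missing. The line layout, the hostname and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumed layout with both options on (constructed, not the plugin's own pattern):
#   <PRI>Mmm dd yyyy hh:mm:ss hostname : %ASA-sev-msgid: text
ASA_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}):? ?)?"
    r"(?:(?P<host>[\w.\-]+) ?: )?"
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

def missing_headers(line):
    """Return the ASA commands whose header field is absent; None if not an ASA line."""
    m = ASA_LINE.match(line.strip())
    if m is None:
        return None
    missing = []
    if m.group("ts") is None:
        missing.append("logging timestamp")
    if m.group("host") is None:
        missing.append("logging device-id hostname")
    return missing

def audit(lines):
    """Count, per command, how many ASA lines arrived without the field it adds."""
    counts = {"asa_lines": 0, "not_asa": 0,
              "logging timestamp": 0, "logging device-id hostname": 0}
    for line in lines:
        missing = missing_headers(line)
        if missing is None:
            counts["not_asa"] += 1
            continue
        counts["asa_lines"] += 1
        for command in missing:
            counts[command] += 1
    return counts

# Constructed sample lines (documentation address ranges, hypothetical hostname).
SAMPLE = [
    "<166>Jan 15 2024 10:12:04 asa-fw01 : %ASA-6-302013: Built outbound TCP connection 101 for outside:192.0.2.10/443",
    "<166>Jan 15 2024 10:12:05: %ASA-6-302014: Teardown TCP connection 101 for outside:192.0.2.10/443",
    "<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/51515 dst inside:192.0.2.20/22",
    "<38>Jan 15 10:12:06 sensor sshd[812]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(missing_headers(entry), "<-", entry[:60])
    print(audit(SAMPLE))
```
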

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113053-asa82-syslog-config-00.html#trshoo