Sheriff CSM™
Cisco ASA
When you configure Cisco ASA to send log data to Sheriff CSM, you can use the Cisco ASA plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:
Plugin Information
| Device | Details |
| --- | --- |
| Vendor | Cisco |
| Device Type | UTM |
| Connection Type | Syslog |
| Data Source Name | cisco-asa |
| Data Source ID | 1636 |
Integrating Cisco ASA
Before you configure the Cisco ASA integration, you must have the IP address of the Sheriff CSM Sensor (Deputy) and the Cisco Adaptive Security Device Manager (ASDM).
To configure Cisco ASA to send log data to Sheriff CSM
- Connect to the ASA box, using ASDM.
- Go to Configuration > Device Management > Logging > Syslog Servers and click Add to add a syslog server.
  Note: Make sure you have connectivity between Cisco ASA and the Sheriff CSM Sensor.
- In the Add Syslog Server dialog, specify the following:
  - Interface associated with the server
  - Sheriff CSM Sensor IP address
  - Protocol (TCP or UDP)
  - Port number, 514 for either TCP or UDP.
- Click OK.
  The new syslog server appears.
- In Queue Size, specify the number of messages allowed to be queued when the syslog server is busy. 0 means unlimited queue size.
- If the transport protocol between Cisco ASA and the syslog server is TCP, select Allow user traffic to pass when TCP Syslog server is down. Otherwise, Cisco ASA denies any new network access sessions.
- Click Apply.
To configure syslog on Cisco ASA
The header fields in the syslog messages sent by Cisco ASA include some important information needed by Sheriff CSM to parse the messages correctly.
To make sure that logging is enabled for Sheriff CSM, use the following command:
ciscoasa(config)# logging enable
You also need to enable timestamp and hostname logging in the messages:
ciscoasa(config)# logging timestamp
ciscoasa(config)# logging device-id hostname
For further assistance on Cisco ASA logging, please consult vendor documentation.
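To confirm on the receiving side that both header settings took effect, the following added example (not part of the Sheriff CSM plugin or the vendor documentation) checks received syslog lines for the timestamp and the hostname. The header layout encoded in the regular expression and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed header layout once "logging timestamp" and
# "logging device-id hostname" are active (an assumption, not plugin code):
#   <PRI>Mmm dd yyyy hh:mm:ss hostname : %ASA-sev-msgid: text
ASA_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}):? ?)?"
    r"(?:(?P<host>[\w.-]+) ?: ?)?"
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

def check_header(line):
    """Return the header problems found in one received syslog line."""
    m = ASA_LINE.match(line.strip())
    if m is None:
        return ["not an ASA message"]
    problems = []
    if m.group("ts") is None:
        problems.append("missing timestamp (logging timestamp)")
    if m.group("host") is None:
        problems.append("missing hostname (logging device-id hostname)")
    return problems

def audit(lines):
    """Count how many lines show each problem."""
    counts = {}
    for line in lines:
        for problem in check_header(line):
            counts[problem] = counts.get(problem, 0) + 1
    return counts

# Constructed sample lines, not captured from a real device.
SAMPLE = [
    "<166>Jan 05 2024 14:22:31 asa-fw01 : %ASA-6-302013: Built outbound TCP "
    "connection 101 for outside:192.0.2.10/443 to inside:10.0.0.5/51515",
    "<166>Jan 05 2024 14:22:32: %ASA-6-302014: Teardown TCP connection 101",
    "<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 "
    "dst inside:10.0.0.5/22",
    "<13>Jan  5 14:22:33 host sshd[1]: session opened",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(check_header(line) or "header ok", "<-", line[:60])
    print(audit(SAMPLE))
```
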
Plugin Enablement
For plugin enablement information, see Enable Plugins.
Troubleshooting
For troubleshooting, refer to the vendor documentation:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113053-asa82-syslog-config-00.html#trshoo