Cisco ASA
Cisco ASA is one of the few event sources that can handle multiple types of logs on a single port because it hosts Firewall and VPN logs.
For the InsightIDR parser to work, make sure that your Cisco ASA appliance has "logging timestamp" turned on and the "logging host" has been configured for the InsightIDR collector.
For the complete use of detection capabilities in InsightIDR, set the logging level on the device to Severity 6 (Informational Messages). Read the Cisco ASA Configuration Guide for more information: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html#wp1082848.
Learn how Cisco logging is configured: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/l2.html
To forward logs from Cisco's Adaptive Security Device Manager:
- In the ADSM, select Configuration.
- Select Device Management, and choose Logging from the dropdown menu.
- Select Syslog servers.
- Click Add and then in "Syslog Servers," enter the information for your InsightIDR collector.
- Ensure the Collector is reachable from Cisco ASA.
For more details instructions on syslog configuration, read this information: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113053-asa82-syslog-config-00.html
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for Cisco ASA Firewall VPN in the event sources search bar.
- In the Product Type filter, select Firewall.
- Select the Cisco ASA Firewall VPN event source tile.
- Choose your collector.
- In the Select Event Source Type field, choose the option that corresponds to your Cisco Security Solution as outlined in the following table:
Cisco Security Solution | InsightIDR Event Source Type |
---|---|
ASA | Cisco ASA event-source |
NGIPS | Cisco ASA event-source |
NGFW | Cisco ASA event-source |
Any other firepower service | Cisco ASA event-source |
Cisco ASA with FirePower services | Cisco ASA event-source |
Cisco FirePower Threat Defense (FTD) | Cisco FTD event-source |
Sourcefire 3D | Cisco FirePower (Sourcefire 3D) event-source |
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Select an attribution source.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method and specify a port and a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.
Verify the Configuration
To see Cisco ASA logs in InsightIDR: From the left menu, click Log Search to view your logs to ensure events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Cisco ASA” if you did not name the event source. Cisco ASA logs flow into these Log Sets:
- Unified Asset Authentication
- Ingress Authentication
- Firewall
- VPN Session
- Web Proxy
- Intrusion Detection System (IDS)
Logs take a minimum of 7 minutes to appear in Log Search
Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.
Example Input Logs
The following table contains the events from Cisco ASA that are parsed by InsightIDR. You may also select to send unfiltered logs to InsightIDR to collect and store additional events.
To learn about what these codes mean, see the Cisco documentation here: http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logsevp.html.
For additional examples of syslog, see this documentation: https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html.
Event ID | Description | Log Example |
---|---|---|
ASA-4-106023 | Deny firewall connection |
|
ASA-5-106100 | Allow Firewall connection |
|
ASA-6-113005 | VPN Authentication failed with bad password |
|
ASA-6-302013 | TCP connection created |
|
ASA-6-302014 | TCP connection completed |
|
ASA-6-302015 | UDP connection created |
|
ASA-6-302016 | UDP connection completed |
|
ASA-5-304001 | URL accessed |
|
ASA-5-304002 | URL access denied |
|
ASA-3-713167 | VPN Access denied |
|
ASA-6-713228 | VPN Assigned IP |
|
ASA-6-716039 | WebVPN Authentication failed |
|
ASA-7-722029 | VPN Session Termination |
|
ASA-4-722051 | VPN Assign IP |
|
ASA-7-751025 | Displays the assigned IP address information for the AnyConnect IKEv2 connection of the specified user |
|
Cisco ASA logs can also produce logs in the same format as some Sourcefire 3D log entries. These log entries do not contain the ASA Event ID. Here is an example of these logs:
<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine (11727814-7b90-11e2-b768-a8d573eb9cc3)][MHPSA] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: CatchAll-Scan_for_Malware, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Parked Domains, URL Reputation: Well known, URL: https://rapid7.com, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 4, Responder Packets: 4, Initiator Bytes: 608, Responder Bytes: 4368, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} 10.7.30.21:53431 -> 66.55.15.70:443
Troubleshooting
If you are experiencing issues with Cisco ASA, the problem may be with parsing or with Log Configuration.
Problems Parsing
Ensure timestamps are turned on, otherwise the Rapid7 parser will not work.
Problem with Log Configuration
Ensure the following:
- The 'logging timestamp' is turned on
- The 'logging host' has been configured for the InsightIDR collector.
Make sure to set the logging level on the device to Severity 6 (Informational Messages). Use this guide for instructions: https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_syslog.html#wp1082848.
Cisco devices running versions < 9.2.1 have a bug (CSCui82751) where ASA-6-113005 events are not logged with the source IP address, preventing them from being used for detection within InsightIDR.