Azure-Sentinel
Connector Cisco ASA/FTD via AMA does not work
Describe the bug
Connector Cisco ASA/FTD via AMA does not work. Also, the documentation seems to be incomplete. When sending mock Cisco ASA logs, the parsing and redirection to the CommonSecurityLog table is not done. Instead the logs are stored within the Syslog table.
To Reproduce
Steps to reproduce the behavior:
- Set up log forwarder VM and data collection rule for AMA as described in the official documentation.
- Run the following command in the log forwarder VM to send a mock Cisco ASA log to the Log Analytics workspace:
  echo -n "<164>%ASA-1-1234567: AAA user authentication Rejected : reason = AAA failure : server = 10.51.53.59 : user = : user IP = 149.18.29.21899999999" | nc -u -w0 localhost 514
- The new log entry will be stored in the Syslog table instead of the CommonSecurityLog table.
Expected behavior
The Cisco ASA logs ingested via AMA should be parsed and stored in the CommonSecurityLog table.
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @DonadoJuan, we are looking into this will update you shortly, thanks!
@v-vdixit any updates on this issue? We are working on a big MDR project which depends heavily on this connector.
Hi @DonadoJuan our team is analyzing this issue and we will need a little more time to resolve and update this, thanks!
Hi @DonadoJuan We have raised this issue with the data collection team, waiting to hear back from them, will provide you resolution shortly, thanks!
Just wanted to add a note that we're also seeing this issue with Cisco ASAs and performed a lot of troubleshooting with a client's rsyslog configuration before stumbling upon this open GitHub issue.
@DonadoJuan Could you please help us with the details of the DCR that you're using for this, thanks!
@v-vdixit sure thing!
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dataCollectionRules_ama_log_forwarder_test_dcr_name": {
      "defaultValue": "ama-log-forwarder-test-dcr",
      "type": "String"
    },
    "workspaces_babiana_log_analytics_externalid": {
      "defaultValue": "<SUBSCRIPTION>",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2022-06-01",
      "name": "[parameters('dataCollectionRules_ama_log_forwarder_test_dcr_name')]",
      "location": "eastus",
      "tags": {
        "createdBy": "Sentinel"
      },
      "kind": "Linux",
      "properties": {
        "dataSources": {
          "syslog": [
            {
              "streams": [
                "Microsoft-CommonSecurityLog"
              ],
              "facilityNames": [
                "local4"
              ],
              "logLevels": [
                "Debug",
                "Info",
                "Notice",
                "Warning",
                "Error",
                "Critical",
                "Alert",
                "Emergency"
              ],
              "name": "sysLogsDataSource-1688419672"
            }
          ]
        },
        "destinations": {
          "logAnalytics": [
            {
              "workspaceResourceId": "[parameters('workspaces_babiana_log_analytics_externalid')]",
              "name": "DataCollectionEvent"
            }
          ]
        },
        "dataFlows": [
          {
            "streams": [
              "Microsoft-CommonSecurityLog"
            ],
            "destinations": [
              "DataCollectionEvent"
            ]
          }
        ]
      }
    }
  ]
}
Hi @DonadoJuan to get the ASA messages into the CommonSecurityLog table, the DCR needs to be edited and indicate "Microsoft-CiscoAsa" as the stream, please check if this value is updated or not, thanks!
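The fix above comes down to one value in the DCR: the syslog data source and its data flow must name the Microsoft-CiscoAsa stream rather than the generic Microsoft-CommonSecurityLog (CEF) stream. The following Python script is an added example, not code from the thread or from the Azure-Sentinel repository. It parses the <PRI> of the mock message posted in the issue, checks that the DCR's facilityNames/logLevels filters would admit it (so the symptom is really the stream, not the filter), reports syslog data sources that still point at the CEF stream, and produces a corrected copy of the DCR. The DCR embedded below is a trimmed copy of the one posted in the thread with the ARM parameters replaced by literal placeholders; the handling of "*" in facilityNames/logLevels is an assumption.

```python
import copy
import json
import re

# Syslog facility codes and severity levels (RFC 5424 section 6.2.1), written
# as the names an AMA data collection rule uses in facilityNames / logLevels.
FACILITIES = {i: n for i, n in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"])}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Info", "Debug"]

CEF_STREAM = "Microsoft-CommonSecurityLog"   # generic CEF-over-syslog stream
ASA_STREAM = "Microsoft-CiscoAsa"            # stream named in the thread for ASA

# Constructed sample input: the mock message from the issue, and a trimmed copy
# of the DCR resource posted in the thread (ARM parameters replaced by literals).
SAMPLE_MESSAGE = ('<164>%ASA-1-1234567: AAA user authentication Rejected : '
                  'reason = AAA failure : server = 10.51.53.59 : user = : '
                  'user IP = 149.18.29.21899999999')

SAMPLE_DCR = json.loads("""
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "kind": "Linux",
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "streams": ["Microsoft-CommonSecurityLog"],
          "facilityNames": ["local4"],
          "logLevels": ["Debug", "Info", "Notice", "Warning",
                        "Error", "Critical", "Alert", "Emergency"],
          "name": "sysLogsDataSource-1688419672"
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {"workspaceResourceId": "<WORKSPACE_RESOURCE_ID>",
         "name": "DataCollectionEvent"}
      ]
    },
    "dataFlows": [
      {"streams": ["Microsoft-CommonSecurityLog"],
       "destinations": ["DataCollectionEvent"]}
    ]
  }
}
""")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(message):
    """Split a BSD-style syslog line into (facility name, severity name, body)."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity], m.group(2)


def dcr_admits(dcr, facility, severity):
    """True if some syslog data source in the DCR collects this facility/level.
    Treating "*" as a wildcard is an assumption about the DCR schema."""
    for src in dcr["properties"]["dataSources"].get("syslog", []):
        facilities = src.get("facilityNames", [])
        levels = src.get("logLevels", [])
        if ("*" in facilities or facility in facilities) and \
           ("*" in levels or severity in levels):
            return True
    return False


def asa_stream_issues(dcr):
    """Names of syslog data sources routed to the CEF stream and not the ASA
    stream; ASA messages are not CEF, so with this setup they land in Syslog."""
    return [src["name"]
            for src in dcr["properties"]["dataSources"].get("syslog", [])
            if CEF_STREAM in src.get("streams", [])
            and ASA_STREAM not in src.get("streams", [])]


def fix_asa_streams(dcr):
    """Return a copy of the DCR with the CEF stream swapped for the ASA stream
    in both the syslog data sources and the matching data flows."""
    fixed = copy.deepcopy(dcr)
    props = fixed["properties"]
    for src in props["dataSources"].get("syslog", []):
        src["streams"] = [ASA_STREAM if s == CEF_STREAM else s for s in src["streams"]]
    for flow in props.get("dataFlows", []):
        flow["streams"] = [ASA_STREAM if s == CEF_STREAM else s for s in flow["streams"]]
    return fixed


if __name__ == "__main__":
    facility, severity, body = parse_pri(SAMPLE_MESSAGE)
    print(f"message facility={facility} severity={severity} body={body[:32]}...")
    print("DCR filters admit it:", dcr_admits(SAMPLE_DCR, facility, severity))
    print("sources still on the CEF stream:", asa_stream_issues(SAMPLE_DCR))
    print("after fix:", asa_stream_issues(fix_asa_streams(SAMPLE_DCR)))
```

Run it against the exported DCR JSON of a forwarder to confirm that the facility filter matches what the ASA actually sends (the mock message uses PRI 164, i.e. local4 / Warning, which the posted DCR does admit) and that no syslog data source is still bound to the CEF stream; the script only changes the stream names and leaves destinations, filters and data source names untouched, so the fixed copy can be redeployed as-is.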
@v-vdixit Thank you! That solved the issue. Could we get the documentation updated with this information? I was not aware of the existence of the stream Microsoft-CiscoAsa.
Hi @DonadoJuan, we will work on updating the solution at the earliest, thanks for your confirmation on issue resolution, closing this issue.
Hi @v-vdixit, Sorry for bringing this topic up again, but thought since this is relevant I might as well ask here, hope that's OK. Been dealing with a similar issue only related to FTD events, e.g.: "%FTD-4-106023: Deny tcp src Outside:x.x.x.x/10350 dst Inside:y.y.y.y/23 by access-group "CSM_FW_ACL" [0x97aa021a, 0x0]_". Is Microsoft-CiscoAsa also good for stream in DCR, so these events land in the CommonSecurityLog table instead of Syslog?