Configure Cisco ASA to send logs to Arctic Wolf using ASDM

You can configure your Cisco Adaptive Security Appliance (ASA)® to send the necessary logs to Arctic Wolf® for security monitoring using the Adaptive Security Device Manager (ASDM).

Note: Changing the severity level of a log message after initial setup causes unexpected alerts. Contact your Concierge Security® Team (CST) before changing a severity level.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to the ASDM with administrator permissions

Configure log forwarding

  1. In ASDM, select Configuration.
  2. In the Device Management pane, click Logging > Logging Setup.
  3. In the Logging Setup section, select the Enable logging checkbox.
  4. If the firewall has a secondary failover device, select the Enable logging on the failover standby unit checkbox.
  5. In the navigation menu, in the Logging section, select Syslog Servers.
  6. Click Add.
  7. In the Add Syslog Server dialog, configure these settings:
    • Interface — Select the interface that can communicate with the Arctic Wolf Sensor.
      Tip: This interface is usually named Inside or similar.
    • IP Address — Enter the IP address of the Arctic Wolf Sensor management port.
    • Protocol — Select UDP.
    • Timestamp — Make sure this option is selected, and then select one of these formats:
      • Legacy — Matches your system time.
      • RFC5424 — Uses UTC time.
  8. Click OK.
  9. In the navigation menu, in the Logging section, select Logging Filters, and then complete these steps:
    Tip: The Logging section shows each possible logging destination and the current level of logs that are sent to those destinations.
    1. In the Logging Destinations section, click Syslog Servers.
    2. Click Edit.
    3. In the Filter on severity list, select Informational.
  10. Click OK.
  11. In the Syslog format section, select Enable timestamp on Syslog messages.
  12. In the Timestamp Format menu, select one of these formats:
    • Legacy — Matches your system time.
    • RFC5424 — Uses UTC time.
  13. In the Logging Filters section, click Apply.
  14. Click Save.

    Changes are applied after the device restarts.
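To confirm that forwarded messages carry the timestamp format and severity level selected in the steps above, you can inspect a few lines captured at the collector. This is an added example, not Arctic Wolf or Cisco code; the two wire formats described in the comments, the host name asa-fw, and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone
# Assumed wire formats for the two Timestamp options (not taken from this guide):
#   Legacy : <PRI>Mmm dd yyyy hh:mm:ss: %ASA-<sev>-<id>: text          (device-local time)
#   RFC5424: <PRI>yyyy-mm-ddThh:mm:ssZ <host> : %ASA-<sev>-<id>: text  (UTC)
PRI = re.compile(r"^<(\d{1,3})>")
LEGACY = re.compile(r"^<\d{1,3}>([A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
RFC5424 = re.compile(r"^<\d{1,3}>(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
ASA_TAG = re.compile(r"%ASA-([0-7])-(\d{6}):")

def check_message(raw):
    """Classify one received syslog line and list anything that looks misconfigured."""
    out = {"format": None, "timestamp": None, "severity": None, "message_id": None, "problems": []}
    if m := RFC5424.match(raw):
        out["format"] = "RFC5424"
        out["timestamp"] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    elif m := LEGACY.match(raw):
        out["format"] = "Legacy"  # no zone on the wire, so the value stays naive
        out["timestamp"] = datetime.strptime(" ".join(m.group(1).split()), "%b %d %Y %H:%M:%S")
    else:
        out["problems"].append("no timestamp: check the Timestamp setting on the syslog server entry")
    tag = ASA_TAG.search(raw)
    if not tag:
        out["problems"].append("no %ASA-<severity>-<id> tag found")
        return out
    out["severity"], out["message_id"] = int(tag.group(1)), tag.group(2)
    pri = PRI.match(raw)
    if pri and int(pri.group(1)) % 8 != out["severity"]:  # PRI = facility * 8 + severity
        out["problems"].append("PRI severity does not match the %ASA tag")
    return out

def audit(lines):
    """Summarise a capture: formats seen, most verbose severity seen, lines with problems."""
    results = [check_message(line) for line in lines]
    sevs = [r["severity"] for r in results if r["severity"] is not None]
    return {
        "formats": sorted({r["format"] for r in results if r["format"]}),
        "max_severity": max(sevs) if sevs else None,  # 6 = Informational reached the collector
        "bad_lines": [i for i, r in enumerate(results) if r["problems"]],
    }

# Constructed sample lines (documentation address ranges, hypothetical host name).
SAMPLE = [
    "<166>2024-03-01T14:05:09Z asa-fw : %ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 to inside:192.0.2.25/51544",
    '<164>Mar 01 2024 09:05:10: %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:192.0.2.25/22 by access-group "outside_in"',
    "<166>%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:192.0.2.25/51544 duration 0:00:30",
]
```

Calling `audit()` on a capture from one firewall should report a single format, a `max_severity` of 6 once informational events occur, and no bad lines.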

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.