Cisco ASA Logs

Updated Aug 31, 2023

Configure Cisco ASA to send logs to Arctic Wolf

You can configure syslog forwarding for Cisco Adaptive Security Appliance® (ASA) software using either ASDM or the CLI.

Note: After you configure these logs, changing the severity level of a log message may cause unexpected alerts. If you need to change a severity level, contact your Concierge Security® Team (CST) for assistance.

Requirements

Configure Cisco ASA firewall syslog forwarding using ASDM

  1. In ASDM, select Configuration.
  2. In the Device Management pane, select Logging > Logging Setup to configure basic logging parameters for the Cisco ASA firewall.
  3. In the Logging Setup section, ensure that Enable logging is selected.
  4. If the firewall has a secondary failover device, select Enable logging on the failover device.
  5. In the navigation pane, under Logging, select Syslog Servers.
  6. Click Add to add the sensor as the destination for syslog.
  7. In the Add Syslog Server dialog box, enter the syslog server details:
    • Interface — Select the interface that can communicate with the Arctic Wolf Sensor.

      Tip: This interface is usually named Inside or similar.

    • IP Address — Enter the IP address of the Arctic Wolf Sensor management port.
    • Protocol — Select UDP.
    • Timestamp — Ensure that it is selected and choose either the Legacy or RFC5424 format.

      Note: Legacy matches your system time, while RFC5424 uses UTC time.

  8. Click OK to close the Add Syslog Server dialog box.
  9. In the navigation pane, under Logging, select Logging Filters, and then enter these details:

    Tip: The Logging section shows each possible logging destination and the current level of logs that are sent to those destinations.

    1. In the Logging Destinations section, click Syslog Servers.
    2. Click Edit.
    3. Select Informational from the Filter on severity list.
  10. Click OK to close the Edit Logging Filters dialog box.
  11. Select Syslog Setup.
  12. In the Syslog format section, select Enable timestamp on Syslog messages.
  13. Click the Timestamp Format menu and select your timestamp format.

    Note: Legacy matches your system time, while RFC5424 uses UTC.

  14. In the Logging Filters section, click Apply.
  15. Click Save to save the configuration. Any changes are applied on the next device reboot.
  16. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding.

Configure Cisco ASA firewall syslog forwarding using the CLI

  1. Run the following commands to configure the syslog parameters, where <interface_name> is the interface name and <ip_address> is the Arctic Wolf Sensor IP address:
    logging enable
    logging timestamp
    logging trap informational
    logging host <interface_name> <ip_address> 17/514 timestamp legacy

    Tip: If you do not know your interface name, the following command may display the interface name in some instances: show route <ip_address>

    Note: timestamp legacy matches your system time, while timestamp rfc5424 uses UTC.

  2. Contact your Concierge Security® Team to inform them that you have configured syslog forwarding.
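
One way to confirm the result of either procedure, shown as an added example that is not Arctic Wolf or Cisco code: the script checks saved output of show running-config logging for the four settings from the CLI section. The function name, the sample outputs and the 203.0.113.10 sensor address are constructed for illustration, and the script assumes that a logging host entry with no protocol/port shown uses the ASA default of UDP/514.

```python
# Added example: audit saved `show running-config logging` output against this page's CLI settings.
UDP_NAMES = {"17", "udp"}  # the protocol may appear as a number (17 = UDP) or as a name

def audit_asa_logging(config_text, sensor_ip):
    """Return a list of findings; an empty list means the output matches the procedure."""
    lines = [" ".join(ln.split()) for ln in config_text.splitlines() if ln.strip()]
    findings = []

    if "logging enable" not in lines:
        findings.append("'logging enable' is missing")
    if not any(ln == "logging timestamp" or ln.startswith("logging timestamp ") for ln in lines):
        findings.append("'logging timestamp' is missing")

    trap = [ln.split()[2] for ln in lines if ln.startswith("logging trap ") and len(ln.split()) >= 3]
    if not trap:
        findings.append("'logging trap' is missing")
    elif trap[-1] not in ("informational", "6"):  # 6 is the numeric form of informational
        findings.append(f"trap severity is '{trap[-1]}', expected 'informational'")

    # Line shape from the page: logging host <interface_name> <ip_address> <protocol>/<port> ...
    hosts = [ln.split() for ln in lines if ln.startswith("logging host ")]
    sensor = [h for h in hosts if len(h) >= 4 and h[3] == sensor_ip]
    if not sensor:
        findings.append(f"no 'logging host' entry for {sensor_ip}")
    for h in sensor:
        transport = next((t for t in h[4:] if "/" in t), None)
        if transport is None:
            continue  # Assumption: no protocol/port shown means the default UDP/514 applies
        proto, _, port = transport.partition("/")
        if proto.lower() not in UDP_NAMES:
            findings.append(f"sensor entry uses protocol '{proto}', expected UDP (17)")
        if port != "514":
            findings.append(f"sensor entry uses port {port}, expected 514")
    return findings

# Constructed sample outputs (203.0.113.10 is a documentation address, not a real sensor).
GOOD = """\
logging enable
logging timestamp
logging trap informational
logging host inside 203.0.113.10 17/514 timestamp legacy
"""
BAD = """\
logging enable
logging trap warnings
logging host inside 203.0.113.10 6/1470
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_asa_logging(text, "203.0.113.10") or "matches the procedure")
```

An empty result only shows that the configuration lines are present; it does not prove that messages reach the sensor.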