Cisco ASA Logs

Updated Nov 10, 2023

Configure Cisco ASA to send logs to Arctic Wolf using ASDM

Note: After you configure these logs, changing the severity level of a log message can cause unexpected alerts. Contact your Concierge Security® Team (CST) if it is necessary to change a severity level.

You can configure Cisco ASA® to send the necessary logs to Arctic Wolf® for security monitoring.

Requirements

Steps

  1. Configure log forwarding.
  2. Provide your Cisco ASA information to Arctic Wolf.

Step 1: Configure log forwarding

  1. In ASDM, select Configuration.

  2. In the Device Management pane, click Logging > Logging Setup.

  3. In the Logging Setup section, select the Enable logging checkbox.

  4. If the firewall has a secondary failover device, select the Enable logging on the failover standby unit checkbox.

  5. In the navigation menu, in the Logging section, select Syslog Servers.

  6. Click Add.

  7. In the Add Syslog Server dialog, configure these settings:

    • Interface — Select the interface that can communicate with the Arctic Wolf Sensor.

      Tip: This interface is usually named Inside or similar.

    • IP Address — Enter the IP address of the Arctic Wolf Sensor management port.
    • Protocol — Select UDP.
    • Timestamp — Make sure this option is selected, and then select one of these formats:
      • Legacy — Matches your system time.
      • RFC5424 — Uses UTC time.
  8. Click OK.

  9. In the navigation menu, in the Logging section, select Logging Filters, and then complete these steps:

    Tip: The Logging section shows each possible logging destination and the current level of logs that are sent to those destinations.

    1. In the Logging Destinations section, click Syslog Servers.
    2. Click Edit.
    3. In the Filter on severity list, select Informational.
  10. Click OK.

  11. In the Syslog format section, select Enable timestamp on Syslog messages.

  12. In the Timestamp Format menu, select one of these formats:

    • Legacy — Matches your system time.
    • RFC5424 — Uses UTC time.
  13. In the Logging Filters section, click Apply.

  14. Click Save.

    Changes are applied after the device is restarted.
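One way to confirm the result of Step 1 from a capture of the forwarded messages, as an added example that is not part of the Arctic Wolf or Cisco documentation: the script checks each message for a timestamp in the Legacy or RFC5424 form and for a severity no more verbose than Informational (6). The sample messages are constructed, and `check_line` and `audit` are names chosen for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample messages, not captured from a real device.
SAMPLES = [
    "<166>Nov 10 2023 14:02:11: %ASA-6-302013: Built outbound TCP connection 101",
    "<166>2023-11-10T19:02:12Z: %ASA-6-302014: Teardown TCP connection 101",
    "<164>%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22",
    "<167>Nov 10 2023 14:02:13: %ASA-7-609001: Built local-host inside:10.0.0.5",
]

ASA_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                        # syslog PRI (facility * 8 + severity)
    r"(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d"      # Legacy timestamp
    r"|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)?"              # RFC5424 timestamp
    r"\s*(?P<dev>[^\s:%]+)?\s*:?\s*"                   # optional device ID, if one is configured
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d+): ?(?P<text>.*)$")

def check_line(line, max_severity=6):
    """Return (fields, problems) for one forwarded message; fields is None if unparsable."""
    m = ASA_RE.match(line.strip())
    if not m:
        return None, ["not an ASA syslog message"]
    ts, sev, problems = m["ts"], int(m["sev"]), []
    fmt, when = None, None
    if ts is None:
        problems.append("timestamp missing: enable timestamps on syslog messages")
    elif ts.endswith("Z"):   # RFC5424 option: UTC
        fmt = "rfc5424"
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    else:                    # Legacy option: device system time, no zone information
        fmt = "legacy"
        when = datetime.strptime(" ".join(ts.split()), "%b %d %Y %H:%M:%S")
    if sev > max_severity:
        problems.append(f"severity {sev} is more verbose than filter level {max_severity}")
    if m["pri"] and int(m["pri"]) % 8 != sev:
        problems.append("PRI severity does not match the %ASA severity")
    return {"format": fmt, "time": when, "severity": sev, "id": m["id"]}, problems

def audit(lines):
    """Return (timestamp formats seen, {line number: problems}) for a capture."""
    formats, findings = set(), {}
    for n, line in enumerate(lines, 1):
        fields, problems = check_line(line)
        if fields and fields["format"]:
            formats.add(fields["format"])
        if problems:
            findings[n] = problems
    return formats, findings
```

Calling `audit(SAMPLES)` flags the third message for its missing timestamp and the fourth for its debugging-level severity.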

Step 2: Provide your Cisco ASA information to Arctic Wolf

  1. Sign in to the Arctic Wolf® Unified Portal.

  2. Click Help > Open a New Ticket.

  3. On the Open a New Ticket page, configure these settings:

    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep blank.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname you used during the configuration.
      • Any questions or comments that you have.
  4. Click Send Message.

    Your CST will review the details, and then confirm that Arctic Wolf is successfully processing the logs.
