AlienVault Data Source Integration Procedure For: Cisco ASA

This document covers the end-to-end configuration to enable Cisco ASA as a data source for AlienVault OSSIM or USM. Data Sources provide log event data for investigation by security analysts and automatic correlation into security alerts.

Device Name: ASA Device Vendor: Cisco Device Type: UTM

Data Source Name: cisco-asa Connection Type: Syslog Data Source ID: 1636

Configuring Cisco ASA To Send Log Data to AlienVault
The Device to be connected as a data source must be configured to transmit log data to the AlienVault Sensor over the Syslog Protocol.

Connect to the ASA via SSH (or telnet, although SSH is preferred because the session carries the enable password) and enter enable mode to begin configuration:
    enable
Enter configuration mode:
    configure terminal
Type the following lines:
    no logging timestamp
    logging trap notification
    logging host inside <IP Address of AlienVault Sensor>
Press Ctrl+Z to exit configuration mode, then save the configuration changes:
    copy running-config startup-config

Notes on these settings: 'logging trap notification' forwards messages at severity 5 (notification) and the more severe, lower-numbered levels only; informational (6) and debugging (7) messages, such as connection build and teardown records, are not sent to the sensor. 'logging host' delivers to UDP port 514 unless a protocol and port are specified, which is the port the debugging section below captures. Syslog must also be globally enabled on the ASA ('logging enable'); if it is not already on, nothing is sent regardless of the trap level.

Configuring AlienVault to Receive Logs from Cisco ASA
Devices that send log data via Syslog require configuration of the Syslog service to process those incoming logs into a unique file destination.

Open the Console on the AlienVault Appliance, or log in over Secure Shell (SSH) as the 'root' user. Select and accept the 'Jailbreak This Appliance' option to gain command line access.
Create a new configuration file to save incoming ASA logs:
    nano -w /etc/rsyslog.d/cisco-asa.conf
Add the following line to the file, one for each Cisco ASA device you are sending logs from:
    if ($fromhost-ip == 'IP Address of ASA') then /var/log/cisco-asa.log
End the file with this line, which discards the matched messages so they are not written a second time to the default syslog destinations:
    & ~
Press Ctrl-O to write the file, then Ctrl-X to exit the editor.
Restart the Syslog Collector:
    /etc/init.d/rsyslog restart

Configuring Log File Expiration
Incoming logs will be processed by the Sensor and passed on to the SIEM Service. Keeping the raw log files on the sensor for more than a few days is unnecessary, and they should be purged to maintain adequate free filesystem capacity.

Create a new log rotation configuration file:
    nano -w /etc/logrotate.d/cisco-asa
Add the following content to the file:
    /var/log/cisco-asa.log {
        # keep 4 rotated files, i.e. 4 days of logs
        rotate 4
        # rotate files daily
        daily
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
            invoke-rc.d rsyslog reload > /dev/null
        endscript
    }

Configuring SIEM Log Processing
The final stage is to enable the Sensor Agent to process the incoming log files into normalized SIEM events. This is achieved by enabling a data source plugin on the sensor.

Re-enter the Console Configuration Client:
    alienvault-setup
Navigate to 'Configure Sensor' and then to 'Select Data Sources'.
Scroll down the list of data sources and press space to activate the 'cisco-asa' plugin.
Select 'OK' and back out to the top-level menu.
Select 'Apply Changes'. A summary of the changes to be made will be displayed, and the sensor reconfigured.
Log collection and processing is now configured and active. Log events should begin to appear in the Web UI under Analysis -> Security Events (SIEM). If they do not, follow the debugging steps in the next section.

Debugging Connection from Cisco ASA to AlienVault
If new logs are being generated by the source device yet are not appearing in the AlienVault SIEM Events UI (for example, the device is not listed as an available data source), the following steps will assist in isolating at which stage of processing the logs are reaching before failure.
First validate that you are receiving syslog packets from the source device:
    tcpdump -i eth0 -v -w /dev/null 'src <IP Address> and port 514'
With -w and -v together, tcpdump prints a running count of captured packets, which should increase as the ASA sends logs. Press Ctrl-C to exit this tool when finished. If no packets arrive, the fault is on the ASA or the network path, not on the sensor.
Next confirm that the rsyslog rule is writing the packets to the expected file (an empty or missing file means the $fromhost-ip address in /etc/rsyslog.d/cisco-asa.conf does not match the sender):
    tail -f /var/log/cisco-asa.log
Restart the Syslog Collector and the Sensor agent:
    /etc/init.d/rsyslog restart
    /etc/init.d/ossim-agent restart
Search for any errors regarding the plugin in the Agent Logs (the pattern must be single-quoted so the shell keeps the double quotes that appear in the log):
    grep 'plugin_id="1636"' /var/log/ossim/agent*
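As an added example, not part of the original procedure and not AlienVault's or Cisco's own tooling, the following POSIX shell helpers cover the three checkpoints of the procedure: generating the rsyslog drop-in for several ASA devices with a strict address check, confirming that the raw messages respect the 'logging trap notification' severity filter, and narrowing the agent-log grep to failures for plugin 1636. The sample ASA and agent log lines are constructed for illustration, and the agent-log layout used here is hypothetical; real agent output differs in format.

```shell
#!/bin/sh
# Added example (not AlienVault's or Cisco's code): checkpoint helpers for the
# Cisco ASA -> AlienVault syslog procedure. All sample log lines below are
# constructed; the agent-log layout is a hypothetical one.

# Strict dotted-quad check. The rsyslog rule compares $fromhost-ip literally,
# so a typo in the address silently sends every ASA line to the default
# syslog file instead of /var/log/cisco-asa.log.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    { exit 0 }'
}

# Print the body of /etc/rsyslog.d/cisco-asa.conf for one or more ASA devices:
# one match rule per device, terminated by "& ~" so matched messages are not
# written a second time to the default destinations.
asa_rsyslog_rules() {
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "asa_rsyslog_rules: bad address: $ip" >&2; return 1; }
    printf "if (\$fromhost-ip == '%s') then /var/log/cisco-asa.log\n" "$ip"
  done
  printf '& ~\n'
}

# Count raw ASA messages (%ASA-<severity>-<id>) whose severity number is above
# the trap level. With "logging trap notification" (level 5) this prints 0;
# anything else means the ASA is not running the configuration above.
asa_messages_above_level() {
  awk -v lvl="$2" '
    match($0, /%ASA-[0-7]-[0-9]+/) {
      sev = substr($0, RSTART + 5, 1)
      if (sev + 0 > lvl + 0) n++
    }
    END { print n + 0 }' "$1"
}

# Count agent-log lines that mention plugin 1636 together with an error:
# the grep from the debugging section, narrowed to failures.
asa_plugin_errors() {
  grep 'plugin_id="1636"' "$1" | grep -ci 'error' || true
}

# Constructed ASA syslog sample: three lines at or below level 5 and one
# informational (level 6) line that a correct trap level would suppress.
write_sample_asa_log() {
  cat > "$1" <<'EOF'
Jan 10 12:00:01 10.0.0.1 %ASA-5-111008: User 'enable_15' executed the 'logging host inside 10.0.0.5' command.
Jan 10 12:00:02 10.0.0.1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4455 dst inside:10.0.0.20/22 by access-group "outside_in"
Jan 10 12:00:03 10.0.0.1 %ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.8/4456 (203.0.113.8/4456) to inside:10.0.0.21/443 (10.0.0.21/443)
Jan 10 12:00:04 10.0.0.1 %ASA-3-710003: TCP access denied by ACL from 203.0.113.9/1234 to inside:10.0.0.1/22
EOF
}

# Constructed sample in a hypothetical agent-log layout: one success line and
# one error line for plugin 1636, plus a line for an unrelated plugin.
write_sample_agent_log() {
  cat > "$1" <<'EOF'
2014-01-10 12:00:10 Agent [INFO] plugin_id="1636" watching /var/log/cisco-asa.log
2014-01-10 12:00:11 Agent [ERROR] plugin_id="1636" location /var/log/cisco-asa.log does not exist
2014-01-10 12:00:12 Agent [INFO] plugin_id="1501" started
EOF
}

# Stand-alone demonstration on the constructed samples.
main() {
  asa_rsyslog_rules 10.0.0.1 10.0.0.2
  asa_log=$(mktemp); agent_log=$(mktemp)
  write_sample_asa_log "$asa_log"
  write_sample_agent_log "$agent_log"
  echo "messages above trap level 5: $(asa_messages_above_level "$asa_log" 5)"
  echo "cisco-asa plugin errors:     $(asa_plugin_errors "$agent_log")"
  rm -f "$asa_log" "$agent_log"
}
main
```

On a sensor, point asa_messages_above_level at /var/log/cisco-asa.log and asa_plugin_errors at /var/log/ossim/agent* instead of the constructed samples; the rsyslog rule generator's output can be redirected straight into /etc/rsyslog.d/cisco-asa.conf before the rsyslog restart.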

