
AlienVault Data Source Integration Procedure For: Cisco ASA

This document covers the end-to-end configuration to enable Cisco ASA as a data source for AlienVault OSSIM or USM. Data Sources provide log event data for investigation by security analysts and automatic correlation into security alerts.

Device Name: ASA
Device Vendor: Cisco
Device Type: UTM

Data Source Name: cisco-asa
Connection Type: Syslog
Data Source ID: 1636

Configuring Cisco ASA To Send Log Data to AlienVault


The Device to be connected as a data source must be configured to transmit log data to the AlienVault Sensor over the Syslog Protocol.

1. Connect to the ASA box via telnet or SSH, then enter enable mode to begin configuration:

   enable

2. Enter configure mode by typing the following command:

   config terminal

3. Type the following lines:

   no logging timestamp
   logging trap notification
   logging host inside <IP Address of AlienVault Sensor>

4. Press Ctrl + Z to exit config mode.

5. Save the configuration changes:

   copy running-config startup-config
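The line "logging trap notification" sets a severity threshold: the ASA forwards only messages whose severity number is at or below the named level (notifications = 5), so informational and debugging messages never reach the sensor. The following added example (not part of the original procedure, and not AlienVault or Cisco code) parses ASA syslog lines of the form "%ASA-<severity>-<message id>: text", cross-checks the severity against the syslog PRI header, and applies the trap-level filter. The sample log lines are constructed for the example; the message IDs are standard ASA IDs, while hosts, addresses and timestamps are invented.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cisco severity keywords accepted by "logging trap <level>".  A message is
# forwarded when its severity number is <= the configured level.
TRAP_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Syslog PRI = facility * 8 + severity; the ASA default facility is local4 (20).
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# ASA message body: %ASA-<severity>-<6-digit message id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Constructed sample lines (not real traffic): PRI 160 + severity, facility local4.
SAMPLE_LINES = [
    "<164>Jan 10 12:00:01 asa-fw %ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 "
    "dst inside:192.0.2.10/22 by access-group \"outside_in\"",
    "<166>Jan 10 12:00:02 asa-fw %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:198.51.100.5/443 (198.51.100.5/443) to inside:192.0.2.20/50123 (192.0.2.20/50123)",
    "<165>Jan 10 12:00:03 asa-fw %ASA-5-111008: User 'admin' executed the "
    "'logging host inside 192.0.2.50' command.",
    "<162>Jan 10 12:00:04 asa-fw %ASA-2-106001: Inbound TCP connection denied "
    "from 203.0.113.9/4444 to 192.0.2.10/3389 flags SYN on interface outside",
    "Jan 10 12:00:05 asa-fw not an ASA message at all",
]


@dataclass
class AsaEvent:
    facility: Optional[int]   # None when the line carries no <PRI> header
    severity: int
    msgid: str
    text: str


def parse_asa_syslog(line: str) -> Optional[AsaEvent]:
    """Parse one ASA syslog line; return None if it is not a well-formed ASA message."""
    m = ASA_RE.search(line)
    if not m:
        return None
    severity = int(m.group("sev"))
    facility = None
    p = PRI_RE.match(line)
    if p:
        pri = int(p.group("pri"))
        facility = pri // 8
        # The PRI severity and the %ASA-<sev> field must agree; a mismatch is
        # treated as malformed rather than trusting either side.
        if pri % 8 != severity:
            return None
    return AsaEvent(facility, severity, m.group("msgid"), m.group("text"))


def resolve_trap_level(level: str) -> int:
    """Map a level keyword, or an unambiguous abbreviation such as 'notification', to its number."""
    key = level.strip().lower()
    matches = [v for k, v in TRAP_LEVELS.items() if k.startswith(key)]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous trap level: {level!r}")
    return matches[0]


def forwarded_events(lines: Iterable[str], trap_level: str = "notification") -> List[AsaEvent]:
    """Return the events that 'logging trap <trap_level>' would send to the sensor."""
    threshold = resolve_trap_level(trap_level)
    parsed = (parse_asa_syslog(line) for line in lines)
    return [e for e in parsed if e is not None and e.severity <= threshold]


if __name__ == "__main__":
    for ev in forwarded_events(SAMPLE_LINES):
        print(f"sev={ev.severity} id={ev.msgid} {ev.text[:50]}")
```

Running the module shows that the ACL deny (severity 4), the executed-command audit message (5) and the connection-denied message (2) pass the notification threshold, while the severity 6 "Built connection" line is dropped; raising the level to informational would forward that line too, at a much higher event volume.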



Configuring AlienVault to Receive Logs from Cisco ASA
Devices that send log data via Syslog require configuration of the Syslog service to process those incoming logs into a unique file destination.

1. Open the Console on the AlienVault appliance, or log in over Secure Shell (SSH) as the root user.

2. Select and accept the Jailbreak This Appliance option to gain command line access.

3. Create a new configuration file to save incoming ASA logs:

   nano -w /etc/rsyslog.d/cisco-asa.conf

4. Add the following line to the file, one for each Cisco ASA device you are sending logs from:

   if ($fromhost-ip == 'IP Address of ASA') then /var/log/cisco-asa.log

5. End the file with this line:

   & ~

6. Press Ctrl-W to save the file, Ctrl-X to exit the editor.

7. Restart the Syslog Collector:

   /etc/init.d/rsyslog restart
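The rsyslog file above does two things: the "if ... then" line writes messages from the ASA's address into the dedicated file, and "& ~" discards them so they do not also fall through to the appliance's default log rules. The added example below (written for this page, not AlienVault's or rsyslog's own code) renders the file for a list of ASA addresses, validating each address, and then replays a few constructed messages through a small model of the legacy rsyslog semantics assumed here: rules run top to bottom, "&" reuses the filter of the line immediately before it, and "~" stops processing for a matched message. The default destination path /var/log/syslog is an assumption used only for the simulation.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

ASA_LOG = "/var/log/cisco-asa.log"     # destination named in the procedure
DEFAULT_LOG = "/var/log/syslog"        # assumed catch-all used by the default rules

# Matches the filter line used in the procedure: if ($fromhost-ip == 'x') then <file>
FILTER_RE = re.compile(
    r"^if\s*\(\s*\$fromhost-ip\s*==\s*'(?P<ip>[^']+)'\s*\)\s*then\s+(?P<action>\S+)$"
)


def render_rsyslog_conf(asa_ips: Iterable[str]) -> str:
    """Render /etc/rsyslog.d/cisco-asa.conf exactly as the procedure describes."""
    lines = []
    for ip in asa_ips:
        addr = ipaddress.ip_address(ip.strip())   # ValueError on a malformed address
        lines.append(f"if ($fromhost-ip == '{addr}') then {ASA_LOG}")
    if not lines:
        raise ValueError("at least one ASA address is required")
    lines.append("& ~")
    return "\n".join(lines) + "\n"


def simulate_routing(conf: str, messages: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (destination, source_ip, message) tuples for each message.

    Model of legacy rsyslog behaviour (assumption, simplified): rules are applied in
    order; a line starting with '&' applies to the filter of the preceding line;
    the action '~' discards the message; a message that is not discarded also
    reaches DEFAULT_LOG.
    """
    rules: List[Tuple[str, str]] = []
    last_ip = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("&"):
            if last_ip is None:
                raise ValueError("'&' with no preceding filter line")
            rules.append((last_ip, line[1:].strip()))
        else:
            m = FILTER_RE.match(line)
            if not m:
                raise ValueError(f"unsupported line in simulation: {line}")
            last_ip = m.group("ip")
            rules.append((last_ip, m.group("action")))

    routed: List[Tuple[str, str, str]] = []
    for src, msg in messages:
        for ip, action in rules:
            if src != ip:
                continue
            if action == "~":
                break                      # discarded: default rules never see it
            routed.append((action, src, msg))
        else:
            routed.append((DEFAULT_LOG, src, msg))   # fell through to default rules
    return routed


def destinations_for(conf: str, src_ip: str) -> List[str]:
    """List the files a message from src_ip would be written to under conf."""
    return [dest for dest, _, _ in simulate_routing(conf, [(src_ip, "probe")])]


if __name__ == "__main__":
    conf = render_rsyslog_conf(["192.0.2.1", "192.0.2.2"])   # constructed addresses
    print(conf)
    for ip in ("192.0.2.1", "192.0.2.2", "198.51.100.9"):
        print(ip, "->", destinations_for(conf, ip))
```

With a single ASA address the messages land only in /var/log/cisco-asa.log and traffic from other hosts is untouched. With two addresses the simulation shows the caveat worth checking on a real sensor: the trailing "& ~" binds only to the last filter line, so messages from the first ASA are written to the dedicated file and also continue to the default rules, which is visible as duplicate entries in the catch-all log.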



Configuring Log File Expiration
Incoming logs will be processed by the Sensor and passed on to the SIEM service. Keeping the raw log files on the sensor for more than a few days is unnecessary, and they should be purged to maintain adequate free filesystem capacity.

1. Create a new log rotation configuration file:

   nano -w /etc/logrotate.d/cisco-asa

2. Add the following content to the file (logrotate only recognises comments that start a line, so each comment sits on its own line):

   /var/log/cisco-asa.log {
       # save 4 days of logs
       rotate 4
       # rotate files daily
       daily
       missingok
       notifempty
       compress
       delaycompress
       sharedscripts
       postrotate
           invoke-rc.d rsyslog reload > /dev/null
       endscript
   }



Configuring SIEM Log Processing
The final stage is to enable the Sensor Agent to process the incoming log files into normalized SIEM events. This is achieved by enabling a data source plugin on the sensor.

1. Re-enter the Console Configuration Client:

   alienvault-setup

2. Navigate to Configure Sensor and then to Select Data Sources.

3. Scroll down the list of data sources and press space to activate the cisco-asa plugin.

4. Select OK, and back out to the top-level menu.

5. Select Apply Changes. A summary of the changes to be made will be displayed, and the sensor reconfigured.

Log Collection and processing is now configured and active.

Debugging Connection from Cisco ASA to AlienVault


If new logs are being generated by the source device, yet are not appearing in the AlienVault SIEM Events UI (for example, the device is not listed as an available data source), the following steps will help isolate at which stage of processing the logs are reaching before failure.

1. Log events should begin to appear in the Web UI under Analysis -> Security Events (SIEM).

2. If they do not, first validate that you are receiving syslog packets from the source device:

   tcpdump -i eth0 -v -w /dev/null src <IP Address> and port 514

   The count of captured packets should indicate logs being sent. Press Ctrl-C to exit this tool when finished.

3. Restart the Syslog Collector and the Sensor agent:

   /etc/init.d/rsyslog restart
   /etc/init.d/ossim-agent restart

4. Search for any errors regarding the plugin in the Agent Logs:

   cat /var/log/ossim/agent* | grep plugin_id=1636
