...
The tags beginning with vpn.cisco identify log events generated by the following Cisco technologies:
...
Cisco ASA
...
Cisco Firepower Threat Defense
...
Cisco Firepower Management Central
...
Cisco PIX
...
Cisco Firewall Services Module
.
Valid tags and data tables
The full tag must have two 4 levels. The first two are fixed asvpn.cisco. The third level identifies the product and the fourth is the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
|---|---|---|
Cisco ASA |
AnyConnect |
|
| ||
|
| |||
Cisco FTD AnyConnect |
|
|
For more information, read more about Devo tags.
Table structure
These are the fields displayed in these tables:
| Anchor | ||||||
|---|---|---|---|---|---|---|
|
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
|
| |
host |
| vhost | |
logType |
|
| |
Severity |
|
int
| |
EventID |
int
|
| ||
Group |
|
| |
User |
|
| |
srcIP |
ip
|
| ||
srcIPV6 |
|
| |
srcPort |
int
|
| |
dstIP |
ip
|
| |
dstPort |
int
|
| ||
interface |
|
| |
clientType |
|
| |
ipv4Address |
ip
|
| ||
ipv6Address |
|
| |
SessionType |
|
| |
Duration |
|
| |
BytesXmt |
int
|
| |
BytesRcv |
int
|
| ||
Reason |
|
| |
svcMessage |
|
| |
svcMessageCode |
|
| |
Type |
|
| |
error |
|
| |
message |
|
|
hostchain |
|
|
str✓ | |||
tag |
|
| ✓ |
rawMessage |
|
rawSource |
| Anchor |
|---|
...
|
...
|
...
|
Cisco Firewall Configuration
The Cisco firewall can be configured to report its logs to a remote syslog server, in this case, the Devo relay. To configure this using Cisco's Adaptive Security Device Manager (ASDM), follow the vendor instructions.
In order to get all your events in your Devo domain, you must add the hostname to your syslog events by executing the following command:
| Code Block |
|---|
ciscoasa(config)# logging device-id hostname |
Learn more about this process here.
Devo relay rules
You will need to define relay rules that can correctly identify the event type and apply the corresponding tag.
We'll use mostly type-2 relay rules that apply a fixed tag based upon specific data contained in the inbound event and all rules are defined on the same port. In this example, we're using port 13007, but you can use any free port on your relay. The last rule is a type-1 rule and applies the firewall.cisco.asa tag to any event that didn't match the previous rules.
These instructions cover all of the event types and the order is important. Even if you are only sending some of the Cisco firewall event types to Devo, be sure to follow the same order.
Rule 1: Cisco Firepower Threat Defense events
Source port → 13007
Source data → %FTD-
Target tag →
firewall.cisco.ftdSelect the Stop processing and Sent without syslog tag checkboxes
Rule 2: Cisco Firepower Management Central events
Source port → 13007
Source data → FMC
Target tag →
firewall.cisco.fmcSelect the Stop processing and Sent without syslog tag checkboxes
Rule 3: Cisco Firewall Services Module events
Source port → 13007
Source data → %FWSM-
Target tag →
firewall.cisco.fwsmSelect the Stop processing and Sent without syslog tag checkboxes
Rule 4: Cisco PIX events
Source port → 13007
Source data → %PIX-
Target tag →
firewall.cisco.pixSelect the Stop processing and Sent without syslog tag checkboxes
Rule 5: Cisco ASA VPN events
This rule must precede the Cisco ASA rule. The regex in the Source Data field identifies all event codes associated with the VPN.
Source port → 13007
Source data → ASA-[0-9]+-(?:722010|722036|113039|716059|722012|716058|716002|722033|722034|722037|722023|722028|722032|722051|722055|722022|722041)
Target tag →
vpn.cisco.asa.anyconnectSelect the Stop processing and Sent without syslog tag checkboxes
Rule 6: Cisco ASA events
All events received on this port that did not match any of the previous rules will be assigned the firewall.cisco.asa tag.
Source port → 13007
Target tag →
firewall.cisco.asaSelect the Stop processing and Sent without syslog tag checkboxes
Firepower through eStreamer eNcore CLI
Tag structure
This technology uses a single tag to support all the Firepower Management Center events. The tag is simply firewall.cisco.fmc_estreamer and the associated events are saved in Devo in a table of the same name.
For more information, read more about Devo tags.
eStreamer eNcore CLI Configuration
The eStreamer eNcore CLI can be configured to report its logs to a remote syslog server, in this case, the Devo relay. Note that you must select JSON as the output.
To configure it, follow the vendor instructions.
Devo relay rule
You will need to define a relay rule that can correctly identify these events and apply the corresponding tag.
We'll use a rule that applies a fixed tag based upon this data arriving at a defined port, in this case, 13011, but you can use any free port on your relay.
Source port → 13011
Target tag →
firewall.cisco.fmc_estreamerSelect the Stop processing checkbox
Related articles
...
...
...
|
Field | Type | Source field name | Extra fields |
|---|---|---|---|
eventdate |
|
| |
host |
| vhost | |
logType |
|
| |
Severity |
|
| |
EventID |
|
| |
Group |
|
| |
User |
|
| |
srcIP |
|
| |
srcIPV6 |
|
| |
srcPort |
|
| |
dstIP |
|
| |
dstPort |
|
| |
interface |
|
| |
clientType |
|
| |
ipv4Address |
|
| |
ipv6Address |
|
| |
SessionType |
|
| |
Duration |
|
| |
BytesXmt |
|
| |
BytesRcv |
|
| |
Reason |
|
| |
svcMessage |
|
| |
svcMessageCode |
|
| |
Type |
|
| |
error |
|
| |
message |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
| rawSource |