The tags beginning with vpn.cisco identify log events generated by the following Cisco technologies:
Cisco ASA
Cisco ASA VPN
Cisco Firepower Threat Defense
Cisco Firepower Management Center
Cisco PIX
Cisco Firewall Services Module
Valid tags and data tables
The first two levels of the tag are fixed as vpn.cisco. The levels that follow identify the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Cisco ASA VPN | vpn.cisco.asa.anyconnect | vpn.cisco.asa.anyconnect |
For more information, read more about Devo tags.
Table structure
Field | Type | Extra fields |
---|---|---|
eventdate | | |
host | | |
Severity | | |
EventID | | |
Group | | |
User | | |
srcIP | | |
srcPort | | |
dstIP | | |
dstPort | | |
interface | | |
clientType | | |
ipv4Address | | |
ipv6Address | | |
SessionType | | |
Duration | | |
BytesXmt | | |
BytesRcv | | |
Reason | | |
svcMessage | | |
svcMessageCode | | |
Type | | |
error | | |
message | | |
rawMessage | | |
hostchain | | |
tag | | ✓ |
raw | | ✓ |
rawSource | | ✓ |
Cisco Firewall Configuration
The Cisco firewall can be configured to report its logs to a remote syslog server, in this case, the Devo relay. To configure this using Cisco's Adaptive Security Device Manager (ASDM), follow the vendor instructions.
To make sure all your events reach your Devo domain, add the hostname to your syslog events by executing the following command:
ciscoasa(config)# logging device-id hostname
Learn more about this process here.
Devo relay rules
You will need to define relay rules that can correctly identify the event type and apply the corresponding tag.
We'll use mostly type-2 relay rules that apply a fixed tag based upon specific data contained in the inbound event and all rules are defined on the same port. In this example, we're using port 13007, but you can use any free port on your relay. The last rule is a type-1 rule and applies the firewall.cisco.asa tag to any event that didn't match the previous rules.
These instructions cover all of the event types and the order is important. Even if you are only sending some of the Cisco firewall event types to Devo, be sure to follow the same order.
Rule 1: Cisco Firepower Threat Defense events
Source port → 13007
Source data → %FTD-
Target tag → firewall.cisco.ftd
Select the Stop processing and Sent without syslog tag checkboxes
Rule 2: Cisco Firepower Management Center events
Source port → 13007
Source data → FMC
Target tag → firewall.cisco.fmc
Select the Stop processing and Sent without syslog tag checkboxes
Rule 3: Cisco Firewall Services Module events
Source port → 13007
Source data → %FWSM-
Target tag → firewall.cisco.fwsm
Select the Stop processing and Sent without syslog tag checkboxes
Rule 4: Cisco PIX events
Source port → 13007
Source data → %PIX-
Target tag → firewall.cisco.pix
Select the Stop processing and Sent without syslog tag checkboxes
Rule 5: Cisco ASA VPN events
This rule must precede the Cisco ASA rule, because the ASA rule is a catch-all that would otherwise claim these events. The regex in the Source Data field matches the ASA event IDs associated with the VPN.
Source port → 13007
Source data → ASA-[0-9]+-(?:722010|722036|113039|716059|722012|716058|716002|722033|722034|722037|722023|722028|722032|722051|722055|722022|722041)
Target tag → vpn.cisco.asa.anyconnect
Select the Stop processing and Sent without syslog tag checkboxes
Rule 6: Cisco ASA events
All events received on this port that did not match any of the previous rules will be assigned the firewall.cisco.asa tag.
Source port → 13007
Target tag → firewall.cisco.asa
Select the Stop processing and Sent without syslog tag checkboxes
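To make the ordering requirement concrete, here is an added example (not Devo relay code) that models the six rules above as an ordered list and tags constructed sample syslog lines with them. The rule names, the sample messages and the message IDs other than the VPN codes quoted in Rule 5 are assumptions for illustration.

```python
import re

# Ordered relay rules for port 13007, modelled on the six rules above. Each
# entry is (rule name, compiled pattern or None, target tag); None is the
# type-1 catch-all. Order matters: Rule 5's VPN regex must be tried before
# Rule 6, or AnyConnect events would be tagged firewall.cisco.asa.
VPN_CODES = ("722010|722036|113039|716059|722012|716058|716002|722033|722034|"
             "722037|722023|722028|722032|722051|722055|722022|722041")
RULES = [
    ("Rule 1 FTD", re.compile(r"%FTD-"), "firewall.cisco.ftd"),
    ("Rule 2 FMC", re.compile(r"FMC"), "firewall.cisco.fmc"),
    ("Rule 3 FWSM", re.compile(r"%FWSM-"), "firewall.cisco.fwsm"),
    ("Rule 4 PIX", re.compile(r"%PIX-"), "firewall.cisco.pix"),
    ("Rule 5 ASA VPN", re.compile(r"ASA-[0-9]+-(?:" + VPN_CODES + ")"),
     "vpn.cisco.asa.anyconnect"),
    ("Rule 6 ASA", None, "firewall.cisco.asa"),
]

def apply_relay_rules(event, rules=RULES):
    """Return (rule name, tag) of the first matching rule ('Stop processing')."""
    for name, pattern, tag in rules:
        if pattern is None or pattern.search(event):
            return name, tag
    raise ValueError("no rule matched; the type-1 catch-all should be last")

# Constructed sample syslog events (not real captures).
SAMPLE_EVENTS = [
    "%ASA-6-722051: Group <anyconnect> User <jdoe> IP <203.0.113.5> "
    "IPv4 Address <10.1.2.3> IPv6 address <::> assigned to session",
    "%ASA-6-302013: Built inbound TCP connection 123 for outside:"
    "203.0.113.5/443 (203.0.113.5/443) to inside:10.1.2.3/51000",
    "%FTD-6-430003: EventPriority: Low, DeviceUUID: example-uuid",
    "%FWSM-6-302013: Built inbound TCP connection 456",
    "%PIX-6-302013: Built inbound TCP connection 789",
    "FMC correlation event: policy violation reported by sensor sfr01",
]

def tag_samples(rules=RULES):
    """Map each sample event to the tag it receives under the given order."""
    return {e: apply_relay_rules(e, rules)[1] for e in SAMPLE_EVENTS}

if __name__ == "__main__":
    for event, tag in tag_samples().items():
        print(f"{tag:26s} <- {event[:55]}")
    # Moving the catch-all to the front shows why Rule 5 must precede Rule 6.
    misordered = [RULES[-1]] + RULES[:-1]
    print("misordered:", apply_relay_rules(SAMPLE_EVENTS[0], misordered)[1])
```

Running it shows the AnyConnect event landing in vpn.cisco.asa.anyconnect under the documented order and in firewall.cisco.asa when the catch-all is evaluated first.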
Firepower through eStreamer eNcore CLI
Tag structure
This technology uses a single tag to support all the Firepower Management Center events. The tag is simply firewall.cisco.fmc_estreamer, and the associated events are saved in Devo in a table of the same name.
For more information, read more about Devo tags.
eStreamer eNcore CLI Configuration
The eStreamer eNcore CLI can be configured to report its logs to a remote syslog server, in this case, the Devo relay. Note that you must select JSON as the output.
To configure it, follow the vendor instructions.
Devo relay rule
You will need to define a relay rule that can correctly identify these events and apply the corresponding tag.
We'll use a rule that applies a fixed tag based upon this data arriving at a defined port, in this case, 13011, but you can use any free port on your relay.
Source port → 13011
Target tag → firewall.cisco.fmc_estreamer
Select the Stop processing checkbox