Cisco Syslog Configuration

Modified on Mon, 12 Aug at 8:17 AM

The ARIA™ Cybersecurity Solutions Advanced Detection and Remediation (ADR) platform integrates with Cisco® products that provide syslog entries. When configured, syslog records from the Cisco Adaptive Security Appliance (ASA) or the Private Internet eXchange (PIX) products are sent to the Control and Collections Engine (CCE). You can then configure the CCE to generate alerts when suspected activity occurs. This document provides the steps required to configure the Cisco appliances to send syslog records.


Two methods are available: through the user interface, or through the command-line interface.


1. User Interface

To configure ASA or PIX with the user interface:

  1. Log into the Cisco appliance.
  2. Select Configure > Settings > Logging > Logging Setup.
  3. Select the Enable logging setup and Enable logging failover check boxes.
  4. Click Apply.
    Changes are applied to the assigned firewall configuration files when they are generated. The configuration files are then downloaded to firewalls at deployment.
  5. Select Configure > Settings > Logging > Syslog.
  6. Check Include Timestamp.
  7. Click Add to add a new row. The Add Syslog Server page opens.
  8. Complete the following fields:
    • Interface Name: Enter the firewall interface through which Firewall Analyzer can be reached. The interface can be either inside or outside.
    • IP Address: Enter the IP address of the syslog server (CCE VM IP Address) to which logs should be sent.
    • Protocol: Select UDP.
    • Port: Enter the port the syslog server uses for listening. By default, this is 514.
  9. Click Apply.
  10. Select Configure > Settings > Logging > Other.
  11. Under Console Level List, select Informational to ensure all report data is available.
  12. Click Apply.

2. Command-Line Interface

To configure ASA or PIX using the command-line interface:

  1. Telnet to the firewall and enter Enable mode.
  2. Enter the following commands, pressing [ENTER] after each command.
    configure terminal
    logging on
    logging timestamp
    logging trap informational
  3. Specify the device ID of the firewall using the logging device-id <id> command, where <id> is one of the following:
    • <context_name> is the name of the firewall context that will appear in the logs sent from the firewall.
    • <host_name> is the firewall host name (defined with the hostname configuration command). In this case, the host name appears in the logs sent from the firewall.
    • <ipaddress interface_name> is the IP address of a specific firewall interface named interface_name (e.g., “inside” or “outside”). In this case, the IP address of that interface appears in the logs sent from the firewall.
    • <string_text> is an arbitrary text string of up to 16 characters. In this case, that string appears in the logs sent from the firewall.

      logging device-id {<context_name> | <host_name> | <ipaddress interface_name> | <string_text>}
  4. Identify the syslog server that will receive the messages using the logging host command, where:
    • <interface_name> is the interface on the firewall whose logs need to be analyzed (e.g., “inside” or “outside”).
    • <syslog_ip> is the IP address of the syslog server (CCE VM IP address) to which the ASA firewall should send the syslogs.
    • 17/<syslog_port> indicates that logs will be sent using the UDP protocol (IP protocol number 17) to the configured syslog port on the syslog server. If left blank, the syslogs are sent through the default syslog port (UDP port 514). To use any other port, add 17/<syslog_port> (e.g., 17/1514).

      logging host <interface_name> <syslog_ip> [17/<syslog_port>]


For example, the following analyzes logs received on the inside interface of the firewall and sends them to a syslog server with IP address 11.23.4.56 on UDP port 514. The device ID (firewall context) is DMZ.

    configure terminal
    logging on
    logging timestamp
    logging trap informational
    logging device-id DMZ
    logging host inside 11.23.4.56 17/514
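As an added check, not part of this article or the ARIA product, the following Python script audits a saved ASA running configuration against the logging settings above and reports anything that would keep syslog records from reaching the CCE. The configuration fragment is constructed for the example, using the article's sample address and port.

```python
import re

# ASA syslog severity names and their numeric levels.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Constructed running-config fragment (not captured from a real device), written
# with the commands the article lists; host and port are the article's example values.
SAMPLE_CONFIG = """\
logging on
logging timestamp
logging trap informational
logging device-id DMZ
logging host inside 11.23.4.56 17/514
"""

def parse_logging(config):
    """Pull the logging settings the article requires out of a running config."""
    found = {"enabled": False, "timestamp": False, "trap": None, "device_id": None, "hosts": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("logging on", "logging enable"):   # ASA stores 'logging on' as 'logging enable'
            found["enabled"] = True
        elif line == "logging timestamp":
            found["timestamp"] = True
        elif m := re.fullmatch(r"logging trap (\S+)", line):
            lvl = m.group(1).lower()                    # name ("informational") or number ("6")
            found["trap"] = SEVERITY.get(lvl, int(lvl) if lvl.isdigit() else None)
        elif m := re.fullmatch(r"logging device-id (.+)", line):
            found["device_id"] = m.group(1)
        elif m := re.fullmatch(r"logging host (\S+) (\S+)(?: (\w+)/(\d+))?", line):
            iface, ip, proto, port = m.groups()         # proto may be 17/udp or 6/tcp
            found["hosts"].append({"interface": iface, "ip": ip, "port": int(port) if port else 514,
                                   "protocol": 17 if proto in (None, "17", "udp") else 6})
    return found

def audit_logging(config, cce_ip, cce_port=514):
    """Return a list of findings; an empty list means the config matches the article."""
    f = parse_logging(config)
    udp_ok = any(h["ip"] == cce_ip and h["port"] == cce_port and h["protocol"] == 17
                 for h in f["hosts"])
    checks = [
        (f["enabled"], "logging is not enabled ('logging on' missing)"),
        (f["timestamp"], "'logging timestamp' missing; events reach the CCE without device time"),
        (f["trap"] is not None and f["trap"] >= SEVERITY["informational"],
         "'logging trap' is below informational; report data will be incomplete"),
        (bool(f["device_id"]), "'logging device-id' missing; events cannot be attributed to this firewall"),
        (udp_ok, f"no 'logging host' entry sends UDP syslog to {cce_ip}:{cce_port}"),
    ]
    return [msg for ok, msg in checks if not ok]
```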
