Cisco ASA Router configuration

Enable your Cisco ASA router to send logs to a remote server over TCP. As this isn't enabled by default you will need to enable it, you can follow the instructions here to do so.

Cisco Logs Instructions

To get started first follow the steps below:

• Install
• Root access
• Verify the required port is open

Older versions can be found here 7, 6, 5

deb/rpm /etc/filebeat/filebeat.yml
mac/win <EXTRACTED_ARCHIVE>/filebeat.yml

Now in the filebeat.inputs section of the config file. You need to enabe tcp input.

The host is the Filebeat server itself and the port is what you have chosen as the tcp port.

You can then apply additional configuration settings to add an extra field type to all logs that come through this input. This will help us indentify them easily in Elasticsearch/Kibana.

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: tcp
  host: "0.0.0.0:xxxx"
  fields: 
    type: cisco-asa

fields_under_root: true
encoding: utf-8
ignore_older: 3h

We need to ensure that any inputs we are using are enabled

filebeat.inputs:

- type: log
  enabled: false

Enable the filebeat input, so it should look like the following

filebeat.inputs:

- type: log
  enabled: true

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

No input available! Your stack is missing the required input for this data source Talk to support to add the input

If you have issues starting in the next step, you can use these commands below to troubleshoot.

Let's check the configuration file is syntactically correct by running directly inside the terminal. If the file is invalid, will print an error loading config file error message with details on how to correct the problem.

deb/rpm

sudo  -e -c /etc//.yml

macOS

cd <EXTRACTED_ARCHIVE>
sudo ./ -e -c .yml

Windows

cd <EXTRACTED_ARCHIVE>
.\.exe -e -c .yml

Start or restart to apply the configuration changes.

Now you should view your data:

Launch Dashboard

If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.

Cisco ASA (Adaptive Security Appliance) is a network security device that provides firewall, VPN, and other security services for enterprise networks. ASA devices are typically deployed at the edge of the network to protect it from external threats and to control access to internal resources.

ASA devices generate a variety of logs that record various events and activities on the network. These logs are used to monitor network security, troubleshoot issues, and identify security threats.

Here are some common types of logs generated by ASA devices:

System Logs: These logs record system-level events such as device startup, shutdown, and configuration changes.

Connection Logs: These logs record details about network connections such as source and destination IP addresses, protocols, and ports.

Access Logs: These logs record information about access attempts to the network, including login attempts and access requests.

Threat Logs: These logs record security-related events such as intrusion attempts, malware detections, and security policy violations.

VPN Logs: These logs record details about VPN connections such as user authentication, encryption, and tunneling.

ASA devices provide real-time visibility into network activity through the ASA dashboard, which can be used to search and filter logs based on various criteria such as time range, device, event type, and severity. The logs can also be exported for further analysis or integration with third-party tools. ASA devices can also be integrated with Cisco Security Manager (CSM) to provide centralized management and reporting for multiple ASA devices.