The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
The Cisco ASA (Adaptive Security Appliance) is a multipurpose firewall appliance from Cisco. It is most often used for packet filtering, but it also supports many additional features, such as stateful filtering, application inspection, NAT, DHCP, routing and VPN. This technology pack processes Cisco ASA logs, providing normalization and enrichment of common events of interest. The content pack only supports the standard syslog message format; custom logging templates may not be supported.
Supported Version(s)
- Up to version 9.x
Stream Configuration
This technology pack includes one stream:
- “Illuminate:Cisco Device Messages”
Requirements
- Configure the Cisco ASA device(s) to send syslog to your Graylog server's syslog input (see the official Cisco "Configure Adaptive Security Appliance (ASA) Syslog" documentation).
- A Graylog raw or syslog input. The ASA's default syslog format is not RFC compliant and may be rejected by a Graylog syslog input. Either configure the ASA to emit RFC 5424 formatted messages so that a Graylog syslog input can be used, or send the logs to a raw Graylog input instead.
- A Graylog server with a valid enterprise license, running Graylog version 5.0.3 or later.
Index Set Configuration
This technology pack includes one index set definition:
- “Cisco Devices Event Log Messages”
If this index set already exists, nothing is changed. If it does not exist, it is created with a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.
Log Format Example
`%ASA-6-305011: Built dynamic TCP translation from DL_172_16:192.168.10.10/1234 to L3_Internet:10.10.10.10/1234`

`Jul 13 2021 14:13:19: %ASA-6-302014: Teardown TCP connection 8065 for inside:10.10.0.100/50511 to identity:172.10.124.136/51311 duration 0:00:00 bytes 422 TCP Reset-I`
Note
- The ASA's IP-to-hostname feature is not fully supported.
- Graylog Illuminate does not support network interface names with spaces.
What is Provided
- Parsing rules to extract Cisco ASA logs into Graylog schema compatible fields.
- Two dashboards:
  - One overview dashboard with 4 tabs: ASA Overview, Network, Device Authentication and High Priority Messages.
  - One dashboard for IDS/IPS messages. Receiving these messages from the ASA may require a specific Cisco license.
ASA Message Processing
The Illuminate processing of ASA Firewall log messages provides the following:
- Field extraction, normalization and message enrichment for Cisco ASA log messages.
- GIM categorization of the following messages (a row given as a range covers every event code in that range):

| Cisco Event Code | GIM Event Type Code | GIM Event Type |
| --- | --- | --- |
| 106001 | 120000 | Network Connection |
| 106002 | 129999 | Network Message |
| 106006 | 120000 | Network Connection |
| 106007 | 120000 | Network Connection |
| 106015 | 120000 | Network Connection |
| 106016 | 300001 | Network Detection |
| 106017 | 300001 | Network Detection |
| 106018 | 129999 | Network Message |
| 106100 | 120000 | Network Connection |
| 106102 | 120000 | Network Connection |
| 106103 | 120000 | Network Connection |
| 110002 | 120000 | Network Connection |
| 110003 | 120100 | Network Routing |
| 113006 | 100000 | Logon |
| 113007 | 100000 | Logon |
| 113008 | 109999 | Authentication Message |
| 113012 | 109999 | Authentication Message |
| 113021 | 100000 | Logon |
| 302013 | 120200 | Network Connection Initiated |
| 302014 | 120300 | Network Connection Terminated |
| 302015 | 120200 | Network Connection Initiated |
| 302016 | 120300 | Network Connection Terminated |
| 302018 | 120300 | Network Connection Terminated |
| 302022 | 120200 | Network Connection Initiated |
| 302023 | 120300 | Network Connection Terminated |
| 302024 | 120200 | Network Connection Initiated |
| 302025 | 120300 | Network Connection Terminated |
| 302026 | 120200 | Network Connection Initiated |
| 302027 | 120300 | Network Connection Terminated |
| 302036 | 120300 | Network Connection Terminated |
| 302303 | 120200 | Network Connection Initiated |
| 302304 | 120300 | Network Connection Terminated |
| 302306 | 120300 | Network Connection Terminated |
| 313004 | 129999 | Network Message |
| 338001 through 338008 | 309999 | Detection Message |
| 338201 through 338204 | 309999 | Detection Message |
| 400000 through 400050 | 300001 | Detection Message |
| 410002 | 120000 | Network Connection |
| 421001 | 120000 | Network Connection |
| 500005 | 120000 | Network Connection |
| 502101 | 110000 | Account Created |
| 502102 | 110500 | Account Locked |
| 507003 | 120000 | Network Connection |
| 604103 | 299999 | DHCP Default Event |
| 605004 | 100000 | Logon |
| 605005 | 100000 | Logon |
| 606001 | 100000 | Logon |
| 606002 | 100000 | Logon |
| 606003 | 100000 | Logon |
| 606004 | 100000 | Logon |
| 611101 | 100500 | Credential Validation |
| 611102 | 100500 | Credential Validation |
| 611103 | 102500 | Logoff |
| 710002 | 120000 | Network Connection |
| 710003 | 120000 | Network Connection |
| 710005 | 120000 | Network Connection |
| 710006 | 129999 | Network Message |
| 772003 | 100000 | Logon |
| 772004 | 100000 | Logon |
| 772005 | 100000 | Logon |
| 772006 | 100000 | Logon |
| 815002 | 120000 | Network Connection |
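To make the field extraction and GIM categorization described above concrete, the following Python is an added example (it is not code from this content pack or from Graylog) that parses the two messages from the Log Format Example section, split into one message per line, plus a constructed third line in the shape the ASA sends by default to a syslog input (RFC 3164 PRI, device timestamp and a `logging device-id` hostname). The GIM codes for 302013 and 302014 come from the table above; the sample lines, the header layouts handled and the output field names are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample input (not captured from a real device): the two messages
# from the Log Format Example on this page, one per line, plus a third line in
# the shape the ASA sends by default to a syslog input (RFC 3164 PRI, device
# timestamp and a `logging device-id` hostname). The third line is assumed.
SAMPLE_LINES = [
    "%ASA-6-305011: Built dynamic TCP translation from DL_172_16:192.168.10.10/1234 "
    "to L3_Internet:10.10.10.10/1234",
    "Jul 13 2021 14:13:19: %ASA-6-302014: Teardown TCP connection 8065 for "
    "inside:10.10.0.100/50511 to identity:172.10.124.136/51311 duration 0:00:00 "
    "bytes 422 TCP Reset-I",
    "<166>Jul 13 2021 14:13:18 fw01 : %ASA-6-302013: Built inbound TCP connection 8065 "
    "for inside:10.10.0.100/50511 (10.10.0.100/50511) to identity:172.10.124.136/51311 "
    "(172.10.124.136/51311)",
]

# Header: optional <PRI>, optional "Mon DD YYYY HH:MM:SS[ hostname] : ", then the
# %ASA-<severity>-<message id>: prefix that every ASA syslog message carries.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2})"
    r"(?: (?P<host>[^\s%:]+))? ?: )?"
    r"%ASA-(?P<sev>[0-7])-(?P<code>\d{6}): (?P<body>.*)$"
)


def _endpoint(prefix: str) -> str:
    """interface:ip/port pattern. Interface names with spaces do not match, which
    mirrors the note above that such names are unsupported."""
    return (rf"(?P<{prefix}_interface>[^\s:]+):"
            rf"(?P<{prefix}_ip>[\d.]+)/(?P<{prefix}_port>\d+)")


# Body patterns for the three message IDs in the sample (assumed from the
# message text shown above; 302013 is the Built counterpart of 302014).
BODY_RES = {
    "302013": re.compile(
        r"^Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
        + _endpoint("source") + r" \([\d.]+/\d+\) to "
        + _endpoint("destination") + r" \([\d.]+/\d+\)"
    ),
    "302014": re.compile(
        r"^Teardown TCP connection (?P<conn_id>\d+) for "
        + _endpoint("source") + r" to " + _endpoint("destination")
        + r" duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
        r"(?: (?P<reason>.+))?$"
    ),
    "305011": re.compile(
        r"^Built (?P<xlate_type>dynamic|static) (?P<protocol>TCP|UDP|ICMP) translation from "
        + _endpoint("source") + r" to " + _endpoint("destination") + r"$"
    ),
}

# GIM event type codes from the categorization table on this page for the IDs
# parsed here. 305011 is a supported event ID but has no GIM row in the table,
# so it is deliberately absent and stays uncategorized.
GIM_EVENT_TYPES = {
    "302013": (120200, "Network Connection Initiated"),
    "302014": (120300, "Network Connection Terminated"),
}

# Cisco syslog severity levels.
SEVERITY_NAMES = {0: "emergencies", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}


def parse_asa(line: str) -> Optional[dict]:
    """Normalize one ASA syslog line; return None if it is not an ASA message."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    sev = int(m["sev"])
    code = m["code"]
    # Field names are this example's own choice, not the content pack's schema.
    event = {
        "vendor_event_code": code,
        "vendor_event_severity": sev,
        "vendor_event_severity_name": SEVERITY_NAMES[sev],
        "event_source": m["host"],
        "device_timestamp": m["ts"],
        "syslog_facility": int(m["pri"]) >> 3 if m["pri"] else None,
        "message": m["body"],
    }
    body_re = BODY_RES.get(code)
    if body_re and (bm := body_re.match(m["body"])):
        event.update({k: v for k, v in bm.groupdict().items() if v is not None})
        for k in ("source_port", "destination_port", "conn_id", "bytes"):
            if k in event:
                event[k] = int(event[k])
    gim = GIM_EVENT_TYPES.get(code)
    if gim:
        event["gim_event_type_code"], event["gim_event_type"] = gim
    return event


def parse_lines(lines):
    """Parse many lines, dropping anything that is not an ASA message."""
    return [e for e in (parse_asa(l) for l in lines) if e is not None]


if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        print(ev)
```

The header pattern is what matters for the input choice discussed under Requirements: the default ASA layout (PRI, then a device timestamp with a trailing colon) is accepted here, but a strict syslog parser may not accept it, which is why the pack recommends an RFC 5424 output or a raw input.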
Supported Event IDs
106001 | 106002 | 106006 | 106007 | 106010 | 106012 | 106013 | 106014 | 106016 | 106017 | 106018 | 106021 | 106023 | 106100 | 106101 | 106102 | 106103 | 109005 | 109006 | 109007 | 109008 | 109024 | 109025 | 110002 | 110003 | 111007 | 111008 | 111009 | 111010 | 113003 | 113004 | 113005 | 113006 | 113007 | 113008 | 113009 | 113011 | 113012 | 113019 | 113021 | 113022 | 113023 | 113029 | 113030 | 113031 | 113032 | 113033 | 113034 | 113035 | 113036 | 113038 | 113039 | 199020 | 199021
201002 | 201003 | 201004 | 201005 | 201006 | 201009 | 201010 | 201011 | 201012 | 201013 | 202010 | 209003 | 209004 | 209005 | 216001
302010 | 302013 | 302014 | 302015 | 302016 | 302018 | 302020 | 302021 | 302022 | 302023 | 302024 | 302025 | 302026 | 302027 | 302036 | 302304 | 302305 | 302306 | 303002 | 304001 | 304002 | 304003 | 304004 | 304005 | 304006 | 304007 | 305005 | 305006 | 305011 | 305012 | 305019 | 305020 | 308001 | 313001 | 313004 | 313005 | 313008 | 313009 | 316001 | 318001 | 318101 | 321005 | 321006 | 322002 | 322003 | 325001 | 325002 | 326013 | 331001 | 331002
400010 | 400011 | 400014 | 401002 | 401003 | 401004 | 401005 | 405001 | 405002 | 407001 | 407002 | 410001 | 410002 | 414001 | 415007 | 415008 | 415009 | 415010 | 415011 | 415012 | 415013 | 415014 | 418001 | 419002 | 419005 | 419006 | 420002 | 420003 | 421001 | 421002 | 421007 | 429002 | 429003 | 434002 | 434003
500001 | 500002 | 500004 | 500005 | 502101 | 502102 | 502103 | 502111 | 502112 | 507003
602101 | 602303 | 602304 | 602305 | 604101 | 604102 | 604103 | 604104 | 604105 | 604201 | 604202 | 604203 | 604204 | 604205 | 604206 | 604207 | 604208 | 605005 | 606001 | 606002 | 606003 | 606004 | 607001 | 608001 | 608002 | 608003 | 608004 | 608005 | 609001 | 609002 | 611101 | 611102 | 611103 | 611301 | 611303 | 613004 | 620001
710002 | 710003 | 710005 | 710006 | 713041 | 713042 | 713049 | 713050 | 713120 | 713172 | 713201 | 713230 | 713231 | 713257 | 713903 | 713904 | 713905 | 716001 | 716002 | 716055 | 716056 | 716057 | 716058 | 716059 | 716060 | 716500 | 716501 | 716502 | 716503 | 716504 | 716505 | 716506 | 716508 | 716509 | 716510 | 716512 | 716513 | 716515 | 716516 | 716517 | 716518 | 716519 | 716520 | 716521 | 716522
721001 | 721002 | 721003 | 721004 | 721005 | 721006 | 721007 | 721008 | 721009 | 721010 | 721011 | 721012 | 721013 | 721014 | 721015 | 721016 | 721017 | 721018 | 721019 | 722004 | 722005 | 722006 | 722007 | 722008 | 722009 | 722010 | 722011 | 722012 | 722013 | 722014 | 722021 | 722022 | 722023 | 722026 | 722027 | 722028 | 722032 | 722033 | 722034 | 722037 | 722038 | 722042 | 722043 | 722044 | 722046 | 722047 | 722048 | 722049 | 722050 | 722051 | 725001 | 725002 | 725003 | 725007 | 725016
733100 | 737001 | 737002 | 737003 | 737004 | 737005 | 737006 | 737007 | 737008 | 737009 | 737010 | 737011 | 737012 | 737013 | 737014 | 737015 | 737016 | 737017 | 737018 | 737019 | 737023 | 737024 | 737025 | 737027 | 737028 | 737029 | 737030 | 737031 | 737032 | 737033 | 737034 | 737035 | 737036 | 737038 | 746014 | 746015 | 746016
750001 | 750002 | 750003 | 750004 | 750005 | 750006 | 750007 | 750008 | 750009 | 750010 | 750014 | 750015 | 750016 | 751001 | 751002 | 751003 | 751004 | 751005 | 751006 | 751007 | 751008 | 751009 | 751010 | 751011 | 751012 | 751013 | 751014 | 751015 | 751016 | 751017 | 751019 | 751020 | 751021 | 751022 | 751023 | 751024 | 751025 | 751026 | 751027 | 751028 | 752002 | 752003 | 752004 | 752005 | 752006 | 752007 | 752010 | 752012 | 752013 | 752014 | 752015 | 752016
768001 | 768002 | 768003 | 768004 | 769001 | 769002 | 769003 | 769004 | 769005 | 769006 | 769007 | 769008 | 769009 | 772002 | 772003 | 772004 | 772005 | 772006 | 775001 | 775003 | 775004 | 775005 | 779003 | 779004 | 779005 | 779006 | 779007
805001 | 805002 | 805003 | 812002
Basic Support for CTS SXP Event IDs (application_name and vendor_event_description only)
338001 | 338002 | 338003 | 338004 | 338005 | 338006 | 338007 | 338008 | 338101 | 338102 | 338103 | 338104 | 338201 | 338202 | 338203 | 338204
776001 | 776002 | 776003 | 776004 | 776005 | 776006 | 776007 | 776008 | 776009 | 776010 | 776011 | 776012 | 776013 | 776014 | 776015 | 776016 | 776017 | 776018 | 776019 | 776020