Graylog Illuminate is available for use with Graylog Operations and Graylog Security. Contact sales to learn more about obtaining Graylog Illuminate.

The Cisco ASA (Adaptive Security Appliance) is a multipurpose firewall appliance from Cisco. It is usually deployed for packet filtering, but it supports many additional features such as stateful filtering, application inspection, NAT, DHCP, routing and VPN. This technology pack processes Cisco ASA logs, providing normalization and enrichment of common events of interest.

Supported Version(s)

  • Up to version 9.x

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Cisco Device Messages”

Requirements

  • Configure the Cisco ASA device(s) to transmit syslog to the syslog input on your Graylog server (see the official Configure Adaptive Security Appliance (ASA) Syslog documentation).

  • A Graylog raw or syslog input. The ASA's default syslog format is not RFC compliant and may be rejected by a Graylog syslog input; either configure the ASA to emit RFC 5424 output and use a Graylog syslog input, or send the logs to a Graylog raw input instead.

  • Graylog Server with a valid enterprise license, running Graylog version 5.0.3 or later.

Index Set Configuration

This technology pack includes one index set definition:

  • “Cisco Devices Event Log Messages”

If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

`%ASA-6-305011: Built dynamic TCP translation from DL_172_16:192.168.10.10/1234 to L3_Internet:10.10.10.10/1234`

`Jul 13 2021 14:13:19: %ASA-6-302014: Teardown TCP connection 8065 for inside:10.10.0.100/50511 to identity:172.10.124.136/51311 duration 0:00:00 bytes 422 TCP Reset-I`

Note

  • The ASA's IP-to-hostname feature is not fully supported.

  • Graylog Illuminate does not support network interface names with spaces.

What is Provided

  • Parsing rules to extract Cisco ASA logs into Graylog schema compatible fields.

  • Two dashboards:

    • One overview dashboard with four tabs: ASA Overview, Network, Device Authentication, and High Priority Messages.

    • One dashboard for IDS/IPS messages. Cisco ASA may require a specific license to generate these messages.

ASA Message Processing

The Illuminate processing of ASA firewall log messages provides the following:

  • Field extraction, normalization and message enrichment for ASA log messages.

  • GIM categorization of the following messages:

| Cisco Event Code | GIM Event Type Code | GIM Event Type |
| --- | --- | --- |
| 106002 | 129999 | Network Message |
| 106100 | 120000 | Network Connection |
| 106102 | 120000 | Network Connection |
| 106103 | 120000 | Network Connection |
| 106001 | 120000 | Network Connection |
| 106006 | 120000 | Network Connection |
| 106007 | 120000 | Network Connection |
| 106015 | 120000 | Network Connection |
| 106016 | 170001 | Network Alert |
| 106017 | 170001 | Network Alert |
| 106018 | 129999 | Network Message |
| 110002 | 120000 | Network Connection |
| 110003 | 120100 | Network Routing |
| 113008 | 109999 | Authentication Message |
| 113012 | 109999 | Authentication Message |
| 113021 | 100000 | Logon |
| 113006 | 100000 | Logon |
| 113007 | 100000 | Logon |
| 302013 | 120200 | Network Connection Initiated |
| 302014 | 120300 | Network Connection Initiated |
| 302015 | 120200 | Network Connection Initiated |
| 302016 | 120300 | Network Connection Initiated |
| 302018 | 120300 | Network Connection Initiated |
| 302022 | 120200 | Network Connection Initiated |
| 302023 | 120300 | Network Connection Initiated |
| 302024 | 120200 | Network Connection Initiated |
| 302025 | 120300 | Network Connection Initiated |
| 302026 | 120200 | Network Connection Initiated |
| 302027 | 120300 | Network Connection Initiated |
| 302036 | 120300 | Network Connection Initiated |
| 302303 | 120200 | Network Connection Initiated |
| 302304 | 120300 | Network Connection Initiated |
| 302306 | 120300 | Network Connection Initiated |
| 313004 | 129999 | Network Message |
| 338001 | 179999 | Alert Message |
| 338002 | 179999 | Alert Message |
| 338003 | 179999 | Alert Message |
| 338004 | 179999 | Alert Message |
| 338005 | 179999 | Alert Message |
| 338006 | 179999 | Alert Message |
| 338007 | 179999 | Alert Message |
| 338008 | 179999 | Alert Message |
| 338201 | 179999 | Alert Message |
| 338202 | 179999 | Alert Message |
| 338203 | 179999 | Alert Message |
| 338204 | 179999 | Alert Message |
| 400000 | 170001 | Alert Message |
| 400001 | 170001 | Alert Message |
| 400002 | 170001 | Alert Message |
| 400003 | 170001 | Alert Message |
| 400004 | 170001 | Alert Message |
| 400005 | 170001 | Alert Message |
| 400006 | 170001 | Alert Message |
| 400010 | 170001 | Alert Message |
| 400011 | 170001 | Alert Message |
| 400012 | 170001 | Alert Message |
| 400013 | 170001 | Alert Message |
| 400014 | 170001 | Alert Message |
| 400015 | 170001 | Alert Message |
| 400016 | 170001 | Alert Message |
| 400017 | 170001 | Alert Message |
| 400018 | 170001 | Alert Message |
| 400019 | 170001 | Alert Message |
| 400020 | 170001 | Alert Message |
| 400021 | 170001 | Alert Message |
| 400022 | 170001 | Alert Message |
| 400034 | 170001 | Alert Message |
| 400035 | 170001 | Alert Message |
| 400036 | 170001 | Alert Message |
| 400037 | 170001 | Alert Message |
| 400038 | 170001 | Alert Message |
| 400039 | 170001 | Alert Message |
| 400040 | 170001 | Alert Message |
| 400042 | 170001 | Alert Message |
| 400043 | 170001 | Alert Message |
| 400044 | 170001 | Alert Message |
| 400045 | 170001 | Alert Message |
| 400046 | 170001 | Alert Message |
| 400047 | 170001 | Alert Message |
| 400048 | 170001 | Alert Message |
| 400049 | 170001 | Alert Message |
| 400007 | 170001 | Alert Message |
| 400008 | 170001 | Alert Message |
| 400009 | 170001 | Alert Message |
| 400023 | 170001 | Alert Message |
| 400024 | 170001 | Alert Message |
| 400025 | 170001 | Alert Message |
| 400026 | 170001 | Alert Message |
| 400027 | 170001 | Alert Message |
| 400028 | 170001 | Alert Message |
| 400029 | 170001 | Alert Message |
| 400030 | 170001 | Alert Message |
| 400031 | 170001 | Alert Message |
| 400032 | 170001 | Alert Message |
| 400033 | 170001 | Alert Message |
| 400041 | 170001 | Alert Message |
| 400050 | 170001 | Alert Message |
| 410002 | 120000 | Network Connection |
| 421001 | 120000 | Network Connection |
| 500005 | 120000 | Network Connection |
| 502101 | 110000 | Account Created |
| 502102 | 110500 | Account Locked |
| 507003 | 120000 | Network Connection |
| 604103 | 299999 | DHCP Default Event |
| 605004 | 100000 | Logon |
| 605005 | 100000 | Logon |
| 606001 | 100000 | Logon |
| 606002 | 100000 | Logon |
| 606003 | 100000 | Logon |
| 606004 | 100000 | Logon |
| 611101 | 100500 | Credential Validation |
| 611102 | 100500 | Credential Validation |
| 611103 | 102500 | Logoff |
| 710002 | 120000 | Network Connection |
| 710003 | 120000 | Network Connection |
| 710005 | 120000 | Network Connection |
| 710006 | 129999 | Network Connection |
| 772003 | 100000 | Logon |
| 772004 | 100000 | Logon |
| 772005 | 100000 | Logon |
| 772006 | 100000 | Logon |
| 815002 | 120000 | Network Connection |
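
The following is an added example, not code from the Illuminate pack or Graylog's own pipeline rules: a small Python parser that takes ASA syslog lines in the format shown in the Log Format Example, extracts the `%ASA-<severity>-<event code>` header and the connection fields of 302013/302014 messages, and looks up a hand-picked subset of the GIM categorization table above. The output field names (`event_code`, `src_if`, `gim_event_type_code` and so on) are assumptions for illustration, not the pack's actual schema, and the interface regex deliberately reproduces the limitation that interface names containing spaces are not supported.

```python
import re

# Subset of the GIM categorization table above; codes not in it get no GIM category.
GIM_MAP = {
    "106016": (170001, "Network Alert"),
    "302013": (120200, "Network Connection Initiated"),
    "302014": (120300, "Network Connection Initiated"),
    "611103": (102500, "Logoff"),
}

# Optional ASA timestamp, then the "%ASA-<severity>-<event code>: " header.
HEADER_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%ASA-(?P<sev>[0-7])-(?P<code>\d{6}): (?P<text>.*)$")

# Connection build/teardown body (302013/302014). Interfaces match \S+, so an
# interface name containing spaces does not parse, the limitation noted above.
CONN_RE = re.compile(
    r"^(?P<action>Built|Teardown) (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<src_if>\S+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?: \([^)]*\))? to "
    r"(?P<dst_if>\S+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    r"(?: duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+))?")

def parse_asa(line):
    """Normalize one ASA syslog line into flat fields; None if it is not an ASA message."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {"vendor_event_severity": int(m["sev"]), "event_code": m["code"],
             "event_text": m["text"]}
    if m["ts"]:
        event["device_timestamp"] = m["ts"]
    if m["code"] in GIM_MAP:
        event["gim_event_type_code"], event["gim_event_type"] = GIM_MAP[m["code"]]
    c = CONN_RE.match(m["text"])
    if c:
        event.update({k: v for k, v in c.groupdict().items() if v is not None})
        for k in ("conn", "src_port", "dst_port", "bytes"):
            if k in event:
                event[k] = int(event[k])
    return event

# Constructed sample lines modelled on the Log Format Example above.
SAMPLE = [
    "Jul 13 2021 14:13:19: %ASA-6-302014: Teardown TCP connection 8065 for "
    "inside:10.10.0.100/50511 to identity:172.10.124.136/51311 duration 0:00:00 bytes 422 TCP Reset-I",
    "%ASA-6-305011: Built dynamic TCP translation from DL_172_16:192.168.10.10/1234 "
    "to L3_Internet:10.10.10.10/1234",
]
```

Running `parse_asa` over `SAMPLE` shows the 302014 teardown fully normalized with its GIM code 120300, while 305011 is parsed to its header fields only because it has no entry in the GIM table.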

Supported Event IDs

106001 | 106002 | 106006 | 106007 | 106010 | 106012 | 106013 | 106014 | 106016 | 106017 | 106018 | 106021 | 106023 | 106100 | 106101 | 106102 | 106103 | 109005 | 109006 | 109007 | 109008 | 109024 | 109025 | 110002 | 110003 | 111007 | 111008 | 111009 | 111010 | 113003 | 113004 | 113005 | 113006 | 113007 | 113008 | 113009 | 113011 | 113012 | 113019 | 113021 | 113022 | 113023 | 113029 | 113030 | 113031 | 113032 | 113033 | 113034 | 113035 | 113036 | 113038 | 113039 | 199020 | 199021

201002 | 201003 | 201004 | 201005 | 201006 | 201009 | 201010 | 201011 | 201012 | 201013 | 202010 | 209003 | 209004 | 209005 | 216001

302010 | 302013 | 302014 | 302015 | 302016 | 302018 | 302020 | 302021 | 302022 | 302023 | 302024 | 302025 | 302026 | 302027 | 302036 | 302304 | 302305 | 302306 | 303002 | 304001 | 304002 | 304003 | 304004 | 304005 | 304006 | 304007 | 305005 | 305006 | 305011 | 305012 | 305019 | 305020 | 308001 | 313001 | 313004 | 313005 | 313008 | 313009 | 316001 | 318001 | 318101 | 321005 | 321006 | 322002 | 322003 | 325001 | 325002 | 326013 | 331001 | 331002

400010 | 400014 | 400011 | 400014 | 405001 | 410001 | 401002 | 401003 | 401004 | 401005 | 405002 | 407001 | 407002 | 410002 | 414001 | 415007 | 415008 | 415009 | 415010 | 415011 | 415012 | 415013 | 415014 | 418001 | 419002 | 419005 | 419006 | 420002 | 420003 | 421001 | 421002 | 421007 | 429002 | 429003 | 434002 | 434003

500001 | 500002 | 500004 | 500005 | 502101 | 502102 | 502103 | 502111 | 502112 | 507003

602303 | 602304 | 602305 | 604101 | 604102 | 604103 | 604104 | 604105 | 604201 | 604202 | 604203 | 604204 | 604205 | 604206 | 604207 | 604208 | 605005 | 606001 | 606002 | 606003 | 606004 | 607001 | 608001 | 608002 | 608003 | 608004 | 608005 | 609001 | 609002 | 602101 | 611101 | 611102 | 611103 | 611301 | 611303 | 613004 | 620001

710002 | 710005 | 710003 | 710006 | 713041 | 713042 | 713049 | 713050 | 713120 | 713172 | 713201 | 713230 | 713231 | 713257 | 713903 | 713904 | 713905 | 716001 | 716002 | 716055 | 716056 | 716057 | 716058 | 716059 | 716060 | 716500 | 716501 | 716502 | 716503 | 716504 | 716505 | 716506 | 716508 | 716509 | 716510 | 716512 | 716513 | 716515 | 716516 | 716517 | 716518 | 716519 | 716520 | 716521 | 716522 | 721001 | 721002 | 721003 | 721004 | 721005 | 721006 | 721007 | 721008 | 721009 | 721010 | 721011 | 721012 | 721013 | 721014 | 721015 | 721016 | 721017 | 721018 | 721019 | 722004 | 722005 | 722006 | 722007 | 722008 | 722009 | 722010 | 722011 | 722012 | 722013 | 722014 | 722021 | 722022 | 722023 | 722026 | 722027 | 722028 | 722032 | 722033 | 722034 | 722037 | 722038 | 722042 | 722043 | 722044 | 722046 | 722047 | 722048 | 722049 | 722050 | 722051 | 725002 | 725001 | 725003 | 725007 | 725016 | 733100 | 737001 | 737002 | 737003 | 737004 | 737005 | 737006 | 737007 | 737008 | 737009 | 737010 | 737011 | 737012 | 737013 | 737014 | 737015 | 737016 | 737017 | 737018 | 737019 | 737023 | 737024 | 737025 | 737027 | 737028 | 737029 | 737030 | 737031 | 737032 | 737033 | 737034 | 737035 | 737036 | 737038 | 746014 | 746015 | 746016 | 750001 | 750002 | 750003 | 750004 | 750005 | 750006 | 750007 | 750008 | 750009 | 750010 | 750014 | 750015 | 750016 | 751001 | 751002 | 751003 | 751004 | 751005 | 751006 | 751007 | 751008 | 751009 | 751010 | 751011 | 751012 | 751013 | 751014 | 751015 | 751016 | 751017 | 751019 | 751020 | 751021 | 751022 | 751023 | 751024 | 751025 | 751026 | 751027 | 751028 | 752002 | 752003 | 752004 | 752005 | 752006 | 752007 | 752010 | 752012 | 752013 | 752014 | 752015 | 752016 | 768001 | 768002 | 768003 | 768004 | 769001 | 769002 | 769003 | 769004 | 769005 | 769006 | 769007 | 769008 | 769009 | 772002 | 772003 | 772004 | 772005 | 772006 | 775001 | 775003 | 775004 | 775005 | 779003 | 779004 | 779005 | 779006 | 779007

805001 | 805002 | 805003 | 812002

Basic Support for CTS SXP Event IDs (application_name and vendor_event_description)

338001 | 338002 | 338003 | 338004 | 338005 | 338006 | 338007 | 338008 | 338101 | 338102 | 338103 | 338104 | 338201 | 338202 | 338203 | 338204

776001 | 776002 | 776003 | 776004 | 776005 | 776006 | 776007 | 776008 | 776009 | 776010 | 776011 | 776012 | 776013 | 776014 | 776015 | 776016 | 776017 | 776018 | 776019 | 776020