- The Cisco firewall can be configured to send its logs to a remote syslog server.
- Among the configurable parameters you can specify the destination port and the transport protocol (TCP or UDP).
- Since the firewall cannot tag the logs at the source, you must send them to an In-house Relay, which tags them as firewall.cisco.fwtype and forwards them to Devo.
- Besides syslog, these devices can usually also export statistics about the traffic they handle through the NetFlow protocol.
- The element fwtype is fixed and identifies the type and format of the event. It can only take the values asa and pix, so the full tag is firewall.cisco.asa or firewall.cisco.pix.
For more information on how tags work, check the Introduction to tags article.
Configuration from the administrative console:
Conf CISCO PIX/ASA
logging enable
no logging timestamp
logging trap 6
logging host IFACE_NAME DEVO-RELAY TCP/PORT
logging permit-hostdown
- Replace IFACE_NAME with the name of the interface to be used by the firewall to connect with the In-house Relay.
- Replace DEVO-RELAY and PORT with the server and port of your Devo In-house Relay.
- To include the firewall's hostname in the machine field of the events, execute:
logging device-id hostname
To configure syslog forwarding through the graphical management interface (ASDM), follow the instructions from CISCO ASA Configure Syslog using ASDM.
- Go to Configuration → Device Management → Logging → Logging Setup and check the Enable logging option.
- Go to Configuration → Device Management → Logging → Syslog Setup and uncheck Include timestamps in syslogs.
- Go to Configuration → Device Management → Logging → Syslog Servers and click Add.
- In the Add Syslog Server window, enter the relay data (IFACE_NAME, DEVO-RELAY, TCP, PORT) as in the CLI configuration.
- Once the syslog server is configured, check the Allow user traffic to pass when TCP syslog server is down box (the ASDM equivalent of logging permit-hostdown). Without it, the firewall stops passing new user traffic whenever the TCP connection to the relay is down.
- Go to Configuration → Device Management → Logging → Logging Filters, select the Syslog Servers destination and click Edit.
- Set Filter on severity to Informational (level 6, the same level as logging trap 6 in the CLI) and click OK.
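The following is an added example, not part of this page or of the Devo relay software. It shows what the configuration above produces on the relay side: the Devo tag is derived from the %ASA-/%PIX- header (fwtype is asa or pix), and each received line is checked against the three settings the procedure asks for (no logging timestamp, logging device-id hostname, logging trap 6). The message layout assumed by the regular expression (optional syslog PRI, optional device-id prefix, then the Cisco header) and the sample lines are constructed for this example; the relay's real tag rule is normally configured per listening port rather than by inspecting the message.

```python
"""Relay-side sanity check for Cisco PIX/ASA syslog sent to an In-house Relay.

Derives the Devo tag firewall.cisco.<fwtype> from the %ASA-/%PIX- header and
flags lines that do not look the way the page's configuration produces them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "logging trap 6" forwards severities 0 (emergencies) through 6 (informational).
TRAP_LEVEL = 6

# Assumed message shape (an assumption of this example): optional syslog PRI,
# optional device-id prefix from "logging device-id hostname", then the Cisco
# "%ASA-<severity>-<message id>:" or "%PIX-<severity>-<message id>:" header.
_CISCO_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<prefix>[^%]*)"
    r"%(?P<fw>ASA|PIX)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*"
    r"(?P<text>.*)$"
)

# A leading "Mon DD YYYY HH:MM:SS" means "logging timestamp" is still enabled.
_TIMESTAMP_RE = re.compile(r"\b[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}\b")


@dataclass
class CiscoEvent:
    tag: str                 # e.g. "firewall.cisco.asa"
    hostname: Optional[str]  # None when "logging device-id hostname" is not set
    severity: int            # 0..7, taken from the Cisco header
    msgid: str
    text: str
    warnings: List[str]      # deviations from the expected firewall configuration


def parse_cisco_syslog(line: str) -> Optional[CiscoEvent]:
    """Parse one received line; returns None for lines that are not PIX/ASA events."""
    m = _CISCO_RE.match(line)
    if not m:
        return None
    fwtype = m.group("fw").lower()  # "asa" or "pix" -> the fwtype element of the tag
    severity = int(m.group("sev"))
    warnings: List[str] = []

    prefix = m.group("prefix")
    if _TIMESTAMP_RE.search(prefix):
        warnings.append("timestamp present: run 'no logging timestamp'")
        prefix = _TIMESTAMP_RE.sub("", prefix)
    # Whatever is left before the header is the device-id (e.g. "fw01 : ").
    hostname = prefix.strip().rstrip(":").strip() or None
    if hostname is None:
        warnings.append("no device-id: run 'logging device-id hostname'")

    if severity > TRAP_LEVEL:
        warnings.append(f"severity {severity} above trap level {TRAP_LEVEL}")

    pri = m.group("pri")
    if pri is not None and int(pri) % 8 != severity:
        # PRI = facility * 8 + severity, so it must agree with the header severity.
        warnings.append(f"PRI severity {int(pri) % 8} != header severity {severity}")

    return CiscoEvent(
        tag=f"firewall.cisco.{fwtype}",
        hostname=hostname,
        severity=severity,
        msgid=m.group("msgid"),
        text=m.group("text"),
        warnings=warnings,
    )


def route_by_tag(lines: List[str]) -> Dict[str, List[CiscoEvent]]:
    """Group parsed events by Devo tag; non-firewall lines are ignored."""
    routed: Dict[str, List[CiscoEvent]] = {}
    for line in lines:
        ev = parse_cisco_syslog(line)
        if ev is not None:
            routed.setdefault(ev.tag, []).append(ev)
    return routed


# Constructed sample lines for this example (not captured from a real device).
SAMPLE_LINES = [
    "<166>fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.10/443 (198.51.100.10/443) to inside:10.0.0.5/51234 (203.0.113.2/51234)",
    "<164>fw01 : %ASA-4-106023: Deny tcp src outside:198.51.100.20/4444 dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "<167>%PIX-7-710005: UDP request discarded from 10.0.0.9/137 to inside:10.0.0.255/137",
    "<166>Jan 01 2020 00:00:00 fw02 : %ASA-6-302014: Teardown TCP connection 12345",
    "<13>fw01 sshd[1]: not a firewall event",
]

if __name__ == "__main__":
    for tag, events in route_by_tag(SAMPLE_LINES).items():
        for ev in events:
            print(tag, ev.hostname, ev.severity, ev.msgid, ev.warnings)
```

Run it against lines captured on the relay's listening port (for example with tcpdump or by tailing the relay's raw input) to confirm that every line carries a hostname, no timestamp, and a severity of 6 or lower before the tag rule is enabled.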