Cisco ASA (syslog)

Configure Cisco ASA for syslog forwarding to Radiant Security.

Summary

Cisco ASA is an enterprise-class firewall that controls connections into and out of the network using access control lists (ACLs). Cisco ASA also offers additional security features such as IPS and VPN, which generate useful alerts and events that can enrich detections and analysis.

In this guide, you’ll complete the following steps:

Prerequisites

The ASDM and CLI user should have Admin privileges (privilege 15).

Add the data connector in Radiant Security

  1. Log in to Radiant Security.
  2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.
  3. Search for and select the Cisco ASA option and then click Data Feeds.
  4. Select the Cisco ASA data feed and then click Credentials.
  5. Under Credential Name, give the credential an identifiable name (e.g. Cisco ASA - Token). If you already have a credential in place, select it from the drop-down menu. Click Add Connector.
  6. In the Connector tag field, enter a random value. This value will act as the salt to randomize the Token you'll download in the next step.
  7. Click Add Connector.
  8. Copy and save the Token value using the clipboard option or by downloading the Token file. Download the SSL certificate, as you will need it when configuring the syslog source (Cisco ASA) in the next section.
  9. Click Done to save your changes.

Licenses

No additional license is required to forward syslog events, but an additional license is required to activate the IPS module.

Import a digital certificate via Cisco ASDM

In this step, you will upload the Radiant Security certificate via Cisco Adaptive Security Device Manager (ASDM).

  1. Log into the Cisco ASDM.
  2. Navigate to Configuration > Device Management > Certificate Management > CA Certificates.
  3. Click Add.
  4. On the Install Certificate pane, fill in the following details:
    1. Trustpoint Name: Radiant-Security-Syslog
    2. Select either Install from a file to import the .PEM file, or select Paste certificate in PEM format to paste the encoded certificate into the text box.
  5. Click Install Certificate.
  6. Click OK.

Import a digital certificate via CLI

Optionally, you can choose to import the Radiant Security certificate via CLI on the Cisco ASA.

  1. Log into the Cisco ASA CLI.
  2. Enter enable to access privileged mode.
  3. Enter conf t to access the configuration mode.
  4. Create a new Trustpoint by entering: crypto ca trustpoint radiant-security-syslog
  5. Enter exit to exit the Trustpoint configuration.
  6. Copy the base64 encoded certificate provided by Radiant Security.
  7. Import the CA Certificate by entering: crypto ca authenticate radiant-security-syslog
  8. Paste the encoded digital certificate into the terminal.
  9. On the last line of the certificate's text, hit Enter to skip a line and then type quit.
  10. Enter yes to accept the certificate.
  11. Enter exit to exit the configuration mode.
  12. Enter write mem to save the configuration.

Forward syslog events

Before you begin, it's important to have security features enabled and properly configured to generate detections and block malicious behavior on the network. Here's a list of the security features and how to check their status:

  1. Log into the Cisco ASA device CLI.
  2. Enter enable to access privileged mode.
  3. Enter conf t to access the configuration mode.
  4. Enter logging enable to enable logging.
  5. Enable the timestamp field by entering: logging timestamp rfc5424
  6. Set the firewall to include the Token provided by Radiant during the connector setup (replace <TOKEN> with the token generated for you at connector creation): logging device-id string <TOKEN>
  7. Enable the username field by entering: no logging hide username
  8. Allow the firewall to keep permitting new connections if the TCP syslog server is unreachable: logging permit-hostdown
  9. Set the firewall to use IP addresses instead of object names with: no names
  10. Set the logging level to informational: logging trap informational
  11. Set up syslog forwarding by entering the following command: logging host {external_interface} primary.syslog.radiantsecurity.ai TCP/6514 secure
  12. Enter exit to leave the configuration mode.
  13. Enter write mem to save the configuration and write it to memory.
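After completing both the trustpoint import and the forwarding steps above, it is worth verifying the result from the running configuration rather than trusting that every command took effect. The following script is an added example (it is not Radiant Security's or Cisco's code) that audits the text of show running-config against the settings this guide requires: the trustpoint, every logging line, the device-id token, and a secure TCP/6514 destination, while flagging any leftover plaintext syslog destination that would carry the token unencrypted. Both sample configurations are constructed for the example, the token value is a placeholder, and the interface name, trustpoint name and collector hostname are the ones used in this guide.

```python
"""Audit a Cisco ASA running-config for the syslog-forwarding settings in this guide.

Added example, not Radiant Security's or Cisco's code. The sample configs are
constructed, and the token value is a placeholder.
"""
import re

# Exact lines the guide has you enter, as they appear in `show running-config`.
REQUIRED_LINES = (
    "logging enable",
    "logging timestamp rfc5424",
    "no logging hide username",
    "logging permit-hostdown",
    "logging trap informational",
)

# `logging host <interface> <server> TCP/6514 secure`; older ASA releases render
# the protocol as its number, so `6/6514` is accepted as well.
HOST_RE = re.compile(r"logging host (\S+) (\S+) (?:tcp|TCP|6)/6514 secure")
DEVICE_ID_RE = re.compile(r"logging device-id string (\S+)")


def config_lines(text):
    """Strip blank lines and '!' separators; ASA config is one command per line."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def audit_asa_logging(config_text, trustpoint="radiant-security-syslog",
                      server="primary.syslog.radiantsecurity.ai"):
    """Return a list of findings; an empty list means the config matches the guide."""
    lines = config_lines(config_text)
    present = set(lines)
    findings = []

    for req in REQUIRED_LINES:
        if req not in present:
            findings.append(f"missing: {req}")

    # A bare `names` line is what the running-config shows when object-name
    # substitution is on; the guide wants it off (`no names`).
    if "names" in present:
        findings.append("object names enabled: expected 'no names'")

    if not any(DEVICE_ID_RE.fullmatch(ln) for ln in lines):
        findings.append("missing: logging device-id string <TOKEN>")

    # Without the CA trustpoint the TLS handshake to the collector cannot be validated.
    if f"crypto ca trustpoint {trustpoint}" not in present:
        findings.append(f"missing: crypto ca trustpoint {trustpoint}")

    secure_hosts = [m for ln in lines if (m := HOST_RE.fullmatch(ln))]
    if not any(m.group(2) == server for m in secure_hosts):
        findings.append(f"missing: logging host <interface> {server} TCP/6514 secure")

    # Any remaining UDP or non-secure TCP destination would receive the same
    # messages, token included, without encryption.
    for ln in lines:
        if ln.startswith("logging host ") and not HOST_RE.fullmatch(ln):
            findings.append(f"insecure syslog destination: {ln}")

    return findings


# Constructed sample: what the running-config holds after following the guide.
COMPLIANT_CONFIG = """\
!
no names
crypto ca trustpoint radiant-security-syslog
 enrollment terminal
!
logging enable
logging timestamp rfc5424
logging device-id string REPLACE-WITH-YOUR-TOKEN
no logging hide username
logging permit-hostdown
logging trap informational
logging host outside primary.syslog.radiantsecurity.ai TCP/6514 secure
!
"""

# Constructed sample: a pre-existing setup that still ships plaintext UDP syslog.
LEGACY_CONFIG = """\
names
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.5
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("legacy", LEGACY_CONFIG)):
        print(name, "->", audit_asa_logging(cfg) or "OK")
```

Paste the output of show running-config into a file and feed it to audit_asa_logging; the compliant sample produces no findings, while the legacy sample reports the missing lines, the enabled object names, the absent trustpoint and token, and the plaintext destination on the inside interface.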

Last updated: 2024-08-23