Cisco ASA (syslog)
Configure Cisco ASA for syslog forwarding to Radiant Security.
In this guide, you'll configure Cisco ASA to send alerts and events to Radiant Security. Cisco ASA is an enterprise-grade firewall that uses access control lists (ACLs) to manage network traffic and includes features like IPS and VPN, which generate valuable security data for detection and analysis.
Prerequisites
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors and click + Add Connector.
Search for and select the Cisco ASA option and then click Data Feeds.
Under Select your data feeds, select Cisco ASA and click Credentials.
Under Credential Name, give the credential an identifiable name (e.g. Cisco ASA - Token). If you already have a credential in place, select it from the drop-down menu. Click Add Connector.
In the Connector tag field, enter a random value. This value will act as the salt to randomize the Token you'll download in the next step.
Click Add Connector.
Copy and save the Token value using the clipboard option or by downloading the Token file. Download the SSL certificate, as you will need it when configuring the syslog source (Cisco ASA) in the next section.
Click Done to save your changes.
Licenses
No additional license is required to forward syslog events, but an additional license is required to activate the IPS module.


Import a digital certificate via Cisco ASDM
In this step, you will upload the Radiant Security certificate via Cisco Adaptive Security Device Manager (ASDM).
Log in to Cisco ASDM.
Navigate to Configuration > Device Management > Certificate Management > CA Certificates.
Click Add.
On the Install Certificate pane, fill in the following details:
Trustpoint Name: Radiant-Security-Syslog
Select either Install from a file to import the .PEM file, or select Paste certificate in PEM format to paste the encoded certificate into the text box.
Click Install Certificate.
Click OK.

Import a digital certificate via CLI
Optionally, you can choose to import the Radiant Security certificate via CLI on the Cisco ASA.
Log in to the Cisco ASA CLI.
Enter enable to access privileged mode.
Enter conf t to access the configuration mode.
Create a new Trustpoint by entering:
crypto ca trustpoint radiant-security-syslog
Enter exit to exit the Trustpoint configuration.
Copy the base64 encoded certificate provided by Radiant Security.
Import the CA Certificate by entering:
crypto ca authenticate radiant-security-syslog
Paste the encoded digital certificate into the terminal.
On the last line of the certificate's text, press Enter to skip a line and then type quit.
Enter yes to accept the certificate.
Enter exit to exit the configuration mode.
Enter write mem to save the configuration.
Forward syslog events
Before you begin, it's important to have security features enabled and properly configured to generate detections and block malicious behavior on the network. Here's a list of the security features and how to check their status:
Threat Detection
Log in to the Cisco ASA device CLI.
Enter enable to access privileged mode.
Enter conf t to access the configuration mode.
Enter logging enable to enable logging.
Enable the timestamp field by entering:
logging timestamp rfc5424
Set up the firewall to include the Token provided by Radiant during the connector setup (replace <TOKEN> with the token generated for you at connector creation):
logging device-id string <TOKEN>
Enable the username field by entering:
no logging hide username
Allow the device to keep accepting new connections if the syslog connection is down:
logging permit-hostdown
Set the firewall to use IP addresses instead of object names with:
no names
Set the logging level to informational:
logging trap informational
Set up syslog forwarding by entering the following command:
logging host {external_interface} cluster.syslog.radiantsecurity.ai TCP/6514 secure
Enter exit to exit the configuration mode.
Enter write mem to save the configuration and write it to memory.
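To confirm that the logging steps above are all present, the following added example (not part of the Radiant Security or Cisco documentation) checks configuration text for each logging command from this guide and flags any logging host line that is not TCP/6514 with the secure keyword. It assumes the configuration has been saved as text; the interface name outside and the token value are constructed, and no names is not checked.

```python
import re

# Logging commands from the steps above, matched one per configuration line.
REQUIRED = {
    "logging enable": r"logging enable",
    "logging timestamp rfc5424": r"logging timestamp rfc5424",
    "logging device-id string <TOKEN>": r"logging device-id string \S+",
    "no logging hide username": r"no logging hide username",
    "logging permit-hostdown": r"logging permit-hostdown",
    "logging trap informational": r"logging trap informational",
}
# logging host <interface> <destination> [<protocol>/<port>] [secure]
HOST = re.compile(r"logging host (\S+) (\S+)(?: (\w+)/(\d+))?( secure)?", re.I)

def audit_logging(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [" ".join(l.split()) for l in config_text.splitlines() if l.strip()]
    findings = [f"missing: {name}" for name, pat in REQUIRED.items()
                if not any(re.fullmatch(pat, l, re.I) for l in lines)]
    if any(l.lower() == "logging device-id string <token>" for l in lines):
        findings.append("device-id still holds the <TOKEN> placeholder")
    hosts = [m for m in (HOST.fullmatch(l) for l in lines) if m]
    if not hosts:
        findings.append("missing: logging host ... TCP/6514 secure")
    for _iface, dest, proto, port, secure in (m.groups() for m in hosts):
        # Assumption: a saved config may show TCP as protocol number 6.
        if (proto or "").lower() not in ("tcp", "6") or port != "6514":
            findings.append(f"{dest}: expected TCP/6514, found {proto}/{port}")
        if not secure:
            # Without TLS the device-id token travels in clear text.
            findings.append(f"{dest}: 'secure' keyword is absent")
    return findings

# Constructed sample input (not taken from a real device).
GOOD = """\
logging enable
logging timestamp rfc5424
logging device-id string EXAMPLE-TOKEN-0000
no logging hide username
logging permit-hostdown
logging trap informational
logging host outside cluster.syslog.radiantsecurity.ai TCP/6514 secure
"""
# The same text with two of the steps dropped.
BAD = GOOD.replace("logging permit-hostdown\n", "").replace(" secure", "")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_logging(text) or "all checks passed")
```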