Cisco ASA Configuration Guide

This guide helps device administrators configure their Cisco ASA firewalls to forward logs to the SIEM Collector. This is a push-based log collection method.

To configure Cisco ASA to forward syslog events:

Steps:

  1. Log in to the Cisco ASA device.
    Type the following command to access privileged EXEC mode:
    enable
  2. Type the following command to access global configuration mode: 
    conf t
  3. Enable logging: 
    logging enable
  4. Configure the logging details:
    logging console warning
    logging trap warning
    logging asdm warning
  5. Type the following command to configure logging to IBM® QRadar®:
    logging host <interface> <IP address>
    Where:
    <interface> is the name of the Cisco Adaptive Security Appliance interface.
    <IP address> is the IP address of QRadar.
  6. Disable the output object name option:
    no names

    This ensures that the logs use IP addresses and not the object names.

  7. Include the hostname in the syslog header:
    logging device-id hostname
  8. Enable timestamp logging:
    logging timestamp rfc5424
  9. Exit the configuration:
    exit
  10. Save the changes:
    write mem
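
To confirm that a saved configuration contains the logging commands from the steps above, the following Python check can be run over the configuration text. It is an added example, not part of the original guide or of any Cisco or IBM tooling; the function name audit_logging and both sample configurations are constructed for illustration, and it assumes the text lists the commands as they are typed in this guide.

```python
import ipaddress
import re

# Commands from the steps above; anchored so "no logging enable" is not a match.
REQUIRED = {
    "logging enable": r"^logging enable$",
    "logging trap": r"^logging trap \S+$",
    "no names": r"^no names$",
    "logging device-id hostname": r"^logging device-id hostname$",
    "logging timestamp rfc5424": r"^logging timestamp rfc5424$",
}
HOST_RE = re.compile(r"^logging host (\S+) (\S+)")


def audit_logging(config_text):
    """Return (missing, collectors); assumes commands appear as typed in the guide."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    missing = [name for name, pat in REQUIRED.items()
               if not any(re.match(pat, ln) for ln in lines)]
    collectors = []
    for m in filter(None, map(HOST_RE.match, lines)):
        try:
            collectors.append((m.group(1), str(ipaddress.ip_address(m.group(2)))))
        except ValueError:
            pass  # not a literal IP address, so not counted as a collector
    if not collectors:
        missing.append("logging host <interface> <IP address>")
    return missing, collectors


# Constructed sample configurations (not taken from a real device).
GOOD = """\
no names
logging enable
logging timestamp rfc5424
logging console warning
logging trap warning
logging asdm warning
logging device-id hostname
logging host inside 192.0.2.10
"""
BAD = """\
names
no logging enable
logging trap warning
logging host inside siem-collector
"""
if __name__ == "__main__":
    print(audit_logging(GOOD), audit_logging(BAD), sep="\n")
```

An empty first element means every command from the guide was found; the second element lists each (interface, IP address) pair the device forwards to.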