Connector Cisco ASA/FTD via AMA does not work #7681
Comments
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @DonadoJuan, we are looking into this and will update you shortly, thanks!
@v-vdixit any updates on this issue? We are working on a big MDR project which depends heavily on this connector.
Hi @DonadoJuan, our team is analyzing this issue and we will need a little more time to resolve and update this, thanks!
Hi @DonadoJuan, we have raised this issue with the data collection team and are waiting to hear back from them; will provide you a resolution shortly, thanks!
Just wanted to add a note that we're also seeing this issue with Cisco ASAs and performed a lot of troubleshooting with a client's rsyslog configuration before stumbling upon this open GitHub issue.
@DonadoJuan Could you please help us with the details of the DCR that you're using for this, thanks!
@v-vdixit sure thing!
Hi @DonadoJuan, to get the ASA messages into the CommonSecurityLog table, the DCR needs to be edited to indicate "Microsoft-CiscoAsa" as the stream. Please check whether this value is updated or not, thanks!
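An added example, not code from this thread or from the Azure Sentinel repo: a Python check that flags a DCR whose syslog data source or data flow does not declare the "Microsoft-CiscoAsa" stream the maintainer names above, and a helper that rewrites it. The DCR JSON shape (properties.dataSources.syslog[].streams and properties.dataFlows[].streams) is assumed from the Azure Monitor DCR resource schema; the sample DCR, its names and the workspace resource id are constructed placeholders.

```python
import json

# Stream name the connector requires, as stated in the maintainer's comment.
CISCO_ASA_STREAM = "Microsoft-CiscoAsa"

# Constructed sample DCR (properties shape assumed from the Azure Monitor DCR
# resource schema). It reproduces the issue: syslog data source and data flow
# use the generic Microsoft-Syslog stream, so events land in the Syslog table.
BROKEN_DCR = json.loads("""{
  "properties": {
    "dataSources": {"syslog": [{"name": "asa-udp", "streams": ["Microsoft-Syslog"],
                                "facilityNames": ["local4"], "logLevels": ["*"]}]},
    "destinations": {"logAnalytics": [{"name": "la-dest",
      "workspaceResourceId": "/subscriptions/<placeholder>/.../workspaces/<placeholder>"}]},
    "dataFlows": [{"streams": ["Microsoft-Syslog"], "destinations": ["la-dest"]}]
  }
}""")

def check_dcr_streams(dcr: dict, required: str = CISCO_ASA_STREAM) -> list:
    """Return one finding per syslog data source or data flow that does not
    declare `required`; an empty list means the DCR routes to that stream.
    Accepts either the full resource (with "properties") or the flattened form."""
    props = dcr.get("properties", dcr)
    findings = []
    for src in props.get("dataSources", {}).get("syslog", []):
        if required not in src.get("streams", []):
            findings.append(f"dataSources.syslog[{src.get('name')}]: {src.get('streams')}")
    for i, flow in enumerate(props.get("dataFlows", [])):
        if required not in flow.get("streams", []):
            findings.append(f"dataFlows[{i}]: {flow.get('streams')}")
    return findings

def fix_dcr_streams(dcr: dict, required: str = CISCO_ASA_STREAM) -> dict:
    """Return a deep copy with every syslog data source and data flow pointed at
    `required` (the corrected setting). Destinations are left untouched."""
    fixed = json.loads(json.dumps(dcr))
    props = fixed.get("properties", fixed)
    for src in props.get("dataSources", {}).get("syslog", []):
        src["streams"] = [required]
    for flow in props.get("dataFlows", []):
        flow["streams"] = [required]
    return fixed

if __name__ == "__main__":
    for finding in check_dcr_streams(BROKEN_DCR):
        print("finding:", finding)
    print("after fix:", check_dcr_streams(fix_dcr_streams(BROKEN_DCR)))
```

To run it against a live rule, feed it the JSON returned by the Azure CLI or REST API for the DCR instead of BROKEN_DCR.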
@v-vdixit Thank you! That solved the issue. Could we get the documentation updated with this information? I was not aware of the existence of stream.
Hi @DonadoJuan, we will work on updating the solution at the earliest. Thanks for your confirmation on the issue resolution; closing this issue.
Hi @v-vdixit,
Describe the bug
Connector Cisco ASA/FTD via AMA does not work. Also, the documentation seems to be incomplete. When sending mock Cisco ASA logs, the parsing and redirection to the CommonSecurityLog table is not done. Instead the logs are stored within the Syslog table.

To Reproduce
Steps to reproduce the behavior:
1. Set up the log forwarder VM and data collection rule for AMA as described in the official documentation.
2. Run the following command in the log forwarder VM to send a mock Cisco ASA log to the Log Analytics workspace:
echo -n "<164>%ASA-1-1234567: AAA user authentication Rejected : reason = AAA failure : server = 10.51.53.59 : user = : user IP = 149.18.29.21899999999" | nc -u -w0 localhost 514
3. Syslog table instead of CommonSecurityLog table.

Expected behavior
The Cisco ASA logs ingested via AMA should be parsed and stored in the CommonSecurityLog table.