- Install and configure the OMS Agent for Linux as described here:
- Configure Syslog forwarding of Cisco ASA events to the OMS Linux agent machine.
- Place the following configuration files on the OMS Agent machine:
  - security_events.conf
    Fluentd configuration file to enable collection and parsing of Cisco events.
    Path on Agent machine: /etc/opt/microsoft/omsagent/conf/omsagent.d/security_events.conf
  - filter_syslog_security.rb, security_lib.rb
    Fluentd filter plugin that parses the Cisco events.
    Path on Agent machine: /opt/microsoft/omsagent/plugin/
- Configure Cisco ASA event forwarding to the OMS Agent.
  Below is an example configuration for forwarding all events from the local4 facility. You can modify the configuration to fit your local settings.
  - If the agent machine has an rsyslog daemon: in directory /etc/rsyslog.d/, create a new file cisco-config-omsagent.conf with the following content:

        #OMS_facility = local4
        local4.debug @127.0.0.1:25225

  - If the agent machine has a syslog-ng daemon: in directory /etc/syslog-ng/, create a new file cisco-config-omsagent.conf with the following content:

        #OMS_facility = local4
        filter f_local4_oms { facility(local4); };
        destination cisco_oms { tcp("127.0.0.1" port(25225)); };
        log { source(src); filter(f_local4_oms); destination(cisco_oms); };
- Restart the syslog daemon:
  sudo service rsyslog restart
  or /etc/init.d/syslog-ng restart
- Restart the OMS agent:
  sudo service omsagent restart
  or systemctl restart omsagent
- Confirm that there are no errors in the OMS Agent log:
  tail /var/opt/microsoft/omsagent/log/omsagent.log
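As an added example (not part of this page and not tooling shipped with the OMS agent), the following POSIX shell script renders the two drop-ins from the forwarding step above for a given facility and port, checks that a drop-in's #OMS_facility header names the same facility that its forwarding rule actually selects, and counts error lines in the agent log from the last step. The function names are the example's own, and it assumes that omsagent.log marks failures with a bracketed [error] tag in the Fluentd style; the check_live_setup function uses the real paths from the procedure and is meant to be run on the agent machine.

```shell
#!/bin/sh
# Added example, not part of the page or the OMS agent: render and sanity-check the
# Cisco ASA forwarding drop-ins and look for errors in the agent log.
# Assumption: omsagent.log marks failures with a bracketed "[error]" tag (Fluentd style).

# Render the rsyslog drop-in for a facility and the agent's listening port.
render_rsyslog_conf() {
    facility=$1; port=$2
    printf '#OMS_facility = %s\n' "$facility"
    printf '%s.debug @127.0.0.1:%s\n' "$facility" "$port"
}

# Render the syslog-ng equivalent of the same forwarding rule.
render_syslog_ng_conf() {
    facility=$1; port=$2
    printf '#OMS_facility = %s\n' "$facility"
    printf 'filter f_%s_oms { facility(%s); };\n' "$facility" "$facility"
    printf 'destination cisco_oms { tcp("127.0.0.1" port(%s)); };\n' "$port"
    printf 'log { source(src); filter(f_%s_oms); destination(cisco_oms); };\n' "$facility"
}

# Return 0 when the #OMS_facility header names the same facility that the
# forwarding rule selects (rsyslog "<fac>.<level> @..." or syslog-ng "facility(<fac>)").
# A drop-in whose header says one facility while its rule forwards another is a
# misconfiguration worth flagging before the daemons are restarted.
conf_facility_consistent() {
    conf=$1
    header=$(sed -n 's/^#OMS_facility *= *\([a-z0-9]*\).*/\1/p' "$conf" | head -n 1)
    [ -n "$header" ] || return 1
    grep -Eq "^$header\.[a-z]+[[:space:]]+@|facility\($header\)" "$conf"
}

# Print the number of [error] lines in an agent log (0 when the file is clean).
agent_log_error_count() {
    grep -ci '\[error\]' "$1" || true
}

# Run on the agent machine against the real paths named in the procedure.
check_live_setup() {
    rc=0
    for conf in /etc/rsyslog.d/cisco-config-omsagent.conf /etc/syslog-ng/cisco-config-omsagent.conf; do
        [ -f "$conf" ] || continue
        if conf_facility_consistent "$conf"; then
            echo "ok: $conf forwards the facility named in its #OMS_facility header"
        else
            echo "FAIL: $conf header and forwarding rule disagree"; rc=1
        fi
    done
    log=/var/opt/microsoft/omsagent/log/omsagent.log
    if [ -r "$log" ]; then
        n=$(agent_log_error_count "$log")
        if [ "$n" -eq 0 ]; then
            echo "ok: no [error] lines in $log"
        else
            echo "FAIL: $n [error] lines in $log"; rc=1
        fi
    else
        echo "FAIL: $log not readable"; rc=1
    fi
    return $rc
}
```

Source the file and call check_live_setup after the restart steps; a non-zero return means either a drop-in whose header and rule disagree or an agent log that still contains [error] lines, which is exactly what the tail command in the last step is meant to catch by eye.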