Skip to main content

Cisco: Adaptive Security Appliance

  • Updated

Cisco Adaptive Security Appliance (ASA) logs combine firewall, antivirus, intrusion prevention, and virtual private network (VPN) data. They provide information about proactive threat defense efforts that stop attacks before they spread through networks, both large and small. Cisco ASA software also integrates with other critical security technologies to deliver comprehensive solutions that meet continuously evolving security needs. This includes multi-site and multi-node clustering, high availability, context awareness, dynamic routing and site-to-site VPN, and unified communications.

Data visibility 

Cisco ASA provides data for the following devices and solutions: firewall, antivirus, antispam, intrusion detection, intrusion prevention, VPN devices, SSL devices, and content inspection. 

Data application

When your Splunk deployment is ingesting Cisco ASA logs, you can use the data to achieve the following objectives:

Configuration

The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Cisco ASA resources.

Data ingestion

If your deployment is not already ingesting Cisco ASA data, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.

The recommended index is netfw

The source types are cisco:asa, cisco:fwsm, and cisco:pix

The supported input types are var/log/rsyslog/cisco/asa/*.log.

In addition, you will need the Splunk Add-on for Cisco ASA. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Cisco ASA, and configure Splunk. 

Sizing estimate

The volume depends on the size of your ASA device. It can be +/- 10MB/day for a branch office to north of 50 GB/day for a main datacenter cluster. The following estimates are predicated on logging configuration of "level 6 (informational)."

  • Edge firewall: Negligible
  • Zone-based firewall: 230 bytes per event
  • VPN Services: 10 kb per session, plus firewall activity
  • Operational: Variable, but typically < 200 MB per day, per Cisco ASA

Using only Cisco's built-in tools, the show ip inspect statistics command will tell you how many connections there have been since last reset. So, one way of estimating event volume is to check that number at the same time on subsequent days and then calculate the number of connections you typically see per day. When multiplied by the general 230 byte number, you will get a reasonable expectation for data size.

Validation

After the daemon is restarted and traffic is sent to rsyslog, you should see this directory created: /var/logs/rsyslog/cisco/asa/

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.