Cisco Adaptive Security Appliance (ASA) logs combine firewall, antivirus, intrusion prevention, and virtual private network (VPN) data. They provide information about proactive threat defense efforts that stop attacks before they spread through networks, both large and small. Cisco ASA software also integrates with other critical security technologies to deliver comprehensive solutions that meet continuously evolving security needs. This includes multi-site and multi-node clustering, high availability, context awareness, dynamic routing and site-to-site VPN, and unified communications.
Cisco ASA provides data for the following devices and solutions: firewall, antivirus, antispam, intrusion detection, intrusion prevention, VPN devices, SSL devices, and content inspection.
When your Splunk deployment is ingesting Cisco ASA logs, you can use the data to achieve the following objectives:
- Detecting the use of randomization in cyberattacks
- Monitoring for signs of Windows privilege escalation attacks
- Recognizing improper use of system administration tools
- Investigating a ransomware attack
- Reconstructing a website defacement
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Cisco ASA resources.
If your deployment is not already ingesting Cisco ASA data, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.
The recommended index is netfw.
The source types are cisco:asa, cisco:fwsm, and cisco:pix.
The supported input types are var/log/rsyslog/cisco/asa/*.log.
In addition, you will need the Splunk Add-on for Cisco ASA, which is available for download along with its documentation. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Cisco ASA, and configure Splunk.
The volume depends on the size of your ASA device. It can range from roughly 10 MB/day for a branch office to more than 50 GB/day for a main datacenter cluster. The following estimates are predicated on a logging configuration of "level 6 (informational)."
- Edge firewall: Negligible
- Zone-based firewall: 230 bytes per event
- VPN Services: 10 kb per session, plus firewall activity
- Operational: Variable, but typically < 200 MB per day, per Cisco ASA
Using only Cisco's built-in tools, the show ip inspect statistics command will tell you how many connections there have been since the last reset. So, one way of estimating event volume is to check that number at the same time on subsequent days and then calculate the number of connections you typically see per day. Multiplying that daily connection count by the general figure of 230 bytes per event gives a reasonable expectation for data size.
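The estimate described above, as an added example that is not part of the original page: this Python sketch takes counter readings noted by hand on successive days, skips any interval in which the counter was reset, normalizes uneven intervals to 24 hours, and applies the 230 byte figure. The readings and all function names are constructed for illustration.

```python
from datetime import datetime

BYTES_PER_EVENT = 230  # zone-based firewall figure from the page (level 6 logging)

# Constructed sample readings: (time the command was run, connection counter shown).
# The counter drops on 03-07 because the statistics were reset in between.
READINGS = [
    ("2024-03-04 09:00", 1_250_000),
    ("2024-03-05 09:00", 2_130_000),
    ("2024-03-06 09:00", 3_020_000),
    ("2024-03-07 09:00", 410_000),
    ("2024-03-08 21:00", 1_760_000),  # taken 36 h after the previous reading
]


def daily_connection_rates(readings):
    """Return connections per 24 h for each pair of consecutive readings.

    Intervals where the counter went down are skipped: the counter only covers
    connections since the last reset, so that delta says nothing about traffic.
    """
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), count) for ts, count in readings
    )
    rates = []
    for (t0, c0), (t1, c1) in zip(parsed, parsed[1:]):
        hours = (t1 - t0).total_seconds() / 3600
        if c1 < c0 or hours <= 0:
            continue  # reset between readings, or duplicate timestamp
        rates.append((c1 - c0) * 24 / hours)  # normalize to a 24 h day
    return rates


def estimate_daily_bytes(readings, bytes_per_event=BYTES_PER_EVENT):
    """Average and peak daily volume in bytes: connections per day x bytes per event."""
    rates = daily_connection_rates(readings)
    if not rates:
        raise ValueError("need at least two readings with no reset between them")
    return {
        "avg_bytes": round(sum(rates) / len(rates) * bytes_per_event),
        "peak_bytes": round(max(rates) * bytes_per_event),
        "intervals_used": len(rates),
    }


if __name__ == "__main__":
    print(estimate_daily_bytes(READINGS))
```

Sizing against the peak rather than the average leaves headroom for the busiest day observed.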
After the daemon is restarted and traffic is sent to rsyslog, you should see this directory created: /var/logs/rsyslog/cisco/asa/