Cisco ASA logs incorrectly ingested for Sentinel

Category: azure security center

Question

TimFoo on Tue, 26 May 2020 14:09:34


Experiencing an issue where approx. half of the messages from an ASA are not parsed correctly.

Approx 50% appear as Syslog, and the rest as the expected CommonSecurityLog.

I can see no difference in the messages, but the processing appears to go in bundles of several thousand.


Replies

SaurabhSharma-MSFT on Tue, 26 May 2020 20:32:07


Can you please help by providing an example of which syslogs are not being converted to CommonSecurityLog. Also, can you please follow How to validate connectivity to check the connectivity to Azure Sentinel.

TimFoo on Wed, 27 May 2020 08:35:22


In the syslog message field we see things such as the below on messages that have not been parsed, just standard messages.

Teardown TCP connection 1133716050 for SW-OUTSIDE261:10.25.53.123/54909 to Provisioning-Network:172.27.30.178/5201 duration 0:00:15 bytes 534 Failover primary closed

or

Built inbound TCP connection 1702096599 for VRF803:172.16.100.10/58608 (172.16.100.10/58608) to Management_Network:172.27.33.214/443 (172.27.33.214/443)

or

Built inbound ICMP connection for faddr 10.255.126.175/1 gaddr 172.31.30.10/0 laddr 172.31.30.10/0 (<Unknown>) type 8 code 0

In the last minute we received this number of messages from the POC device in question:

CommonSecurityLog    18,640

Syslog  31,060

It definitely appears odd, as it appears to process thousands in a row correctly, then thousands in a row incorrectly.

I'm not seeing any obvious limitations on the log forwarder.

SaurabhSharma-MSFT on Tue, 02 Jun 2020 18:17:07


TimFoo - Thanks for sharing. I will check internally with the product team and update you with my findings over here.

SaurabhSharma-MSFT on Wed, 03 Jun 2020 15:05:24


Hi,

Can you please check if you have connected both CEF and Syslog; that is why you are getting the data in both tables. If yes, please disconnect Syslog using the portal. This should resolve the duplication in the tables.

Regarding the missing messages - can you please provide us a sample message that you do not see in the workspace and one that you do.

If you are not able to share it here, please send an email to azcommunity[at]microsoft[dot]com with this MSDN thread URL and we will look into the same.

Thanks
Saurabh
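An added KQL check (not from the thread or from Microsoft) to confirm the double-connector situation described in the answer above: it counts, per host and over the last hour, ASA rows that landed in CommonSecurityLog against ASA rows that landed in Syslog. It assumes ASA CEF rows carry DeviceVendor "Cisco" / DeviceProduct "ASA" and that raw ASA syslog rows carry the "%ASA-" tag in ProcessName or SyslogMessage; adjust those filters to what your workspace actually shows.

```kusto
// Constructed check, not part of the original thread.
// A host with rows in BOTH tables is being fed by both the CEF and the
// Syslog connector; after disconnecting Syslog, SyslogRows should drop to 0.
let window = 1h;
let cef = CommonSecurityLog
    | where TimeGenerated > ago(window)
    // assumption: how ASA CEF events are labelled in this workspace
    | where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
    | summarize CefRows = count() by Computer;
let raw = Syslog
    | where TimeGenerated > ago(window)
    // assumption: raw ASA lines keep the %ASA-<sev>-<id> tag somewhere
    | where ProcessName startswith "%ASA-" or SyslogMessage has "%ASA-"
    | summarize SyslogRows = count() by Computer;
cef
| join kind=fullouter raw on Computer
| extend Computer = coalesce(Computer, Computer1)
| project Computer,
          CefRows = coalesce(CefRows, 0),
          SyslogRows = coalesce(SyslogRows, 0)
| extend DoubleIngested = CefRows > 0 and SyslogRows > 0
| order by SyslogRows desc
```

Run it before and after disconnecting the Syslog connector; the split in the thread (18,640 versus 31,060 per minute) would show up here as one host with DoubleIngested == true.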


TimFoo on Thu, 04 Jun 2020 09:30:21


Ah ha, that seems to have done the trick...

Thank you

Tim

SaurabhSharma-MSFT on Thu, 04 Jun 2020 16:58:41


Awesome. Great to hear that you are unblocked.