To configure Cisco ASA to forward syslog events, some manual
configuration is required.
Procedure
- Log in to the Cisco ASA device.
- Type the following command to access privileged EXEC mode:
- Type the following command to access global configuration
mode:
- Enable logging:
- Configure the logging details:
logging console warning
logging trap warning
logging asdm warning
Note: The Cisco ASA device can also be configured with logging trap informational to send additional events. However, this may increase the event rate (Events Per Second) of your device.
- Type the following command to configure logging to IBM
QRadar:
logging host <interface> <IP address>
Where:
- <interface> is the name of the Cisco Adaptive
Security Appliance interface.
- <IP address> is the IP address of QRadar.
Note: The show interfaces command displays all available interfaces for your Cisco device.
- Disable the output object name option:
no names
Disable the output object name option to ensure that the logs use IP addresses and not the object names.
- Exit the configuration:
- Save the changes:
Results
The configuration is complete. The log source is added to QRadar as Cisco ASA syslog events are automatically discovered. Events that are forwarded to QRadar by Cisco ASA are displayed on the Log Activity tab of QRadar.
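A check you can run against the saved ASA configuration text to confirm that the settings from this procedure are in place (an added example, not part of the original document). The interface name inside, the address 192.0.2.10 and both sample configurations are constructed; logging enable is the standard ASA command for the enable-logging step, whose command this page does not show.

```python
import re

# Syslog severity keywords accepted by the ASA CLI, with numeric levels.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6,
            "debugging": 7}

# Constructed sample: the commands from the procedure as they were entered.
GOOD = """\
logging enable
logging console warning
logging trap warning
logging asdm warning
logging host inside 192.0.2.10
no names
"""
# Constructed sample with three deviations from the procedure.
BAD = """\
logging enable
logging trap errors
logging host inside 192.0.2.99
names
"""

def severity_level(word):
    """Resolve a keyword, an abbreviation such as 'warning', or a digit."""
    if word.isdigit():
        return int(word) if int(word) <= 7 else None
    hits = [n for name, n in SEVERITY.items() if name.startswith(word.lower())]
    return hits[0] if len(hits) == 1 else None

def audit_asa_logging(config_text, qradar_ip):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    if "logging enable" not in lines:
        findings.append("logging is not enabled")
    trap = [m.group(1) for ln in lines
            if (m := re.fullmatch(r"logging\s+trap\s+(\S+)", ln))]
    level = severity_level(trap[-1]) if trap else None
    if level is None:
        findings.append("no valid 'logging trap' severity")
    elif level < SEVERITY["warnings"]:
        findings.append("trap severity is below the warning level used here")
    hosts = [ln.split() for ln in lines if ln.startswith("logging host ")]
    if not any(len(h) >= 4 and h[3] == qradar_ip for h in hosts):
        findings.append(f"no 'logging host' entry for {qradar_ip}")
    if "names" in lines or "no names" not in lines:
        findings.append("'no names' is not set; logs may carry object names")
    return findings
```
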