Configuring syslog forwarding

To configure Cisco ASA to forward syslog events to IBM QRadar, you must enable logging and add QRadar as a syslog host from the device command line; QRadar then discovers the log source automatically.

Procedure

  1. Log in to the Cisco ASA device.
  2. Type the following command to access privileged EXEC mode:

    enable

  3. Type the following command to access global configuration mode:

    conf t

  4. Enable logging:

    logging enable

  5. Configure the logging details:

    logging console warning

    logging trap warning

    logging asdm warning

    Note: logging trap warning forwards only messages of severity 0 (emergencies) through 4 (warnings). You can instead configure logging trap informational to also forward severity 5 and 6 messages, which include connection build and teardown events (for example, message IDs 302013 and 302014) and administrative logins. This gives QRadar far more visibility into traffic, but it can greatly increase the event rate (events per second) that the device sends and that your QRadar license must accommodate.
  6. Type the following command to configure logging to IBM QRadar:

    logging host <interface> <IP address>

    Where:
    • <interface> is the name (nameif) of the Cisco Adaptive Security Appliance interface through which QRadar is reachable.
    • <IP address> is the IP address of the QRadar Event Collector or Console that receives the events.
    Note: Use the command show nameif to display the configured interface names for your Cisco device. By default, logging host sends syslog over UDP port 514, which is unauthenticated and unencrypted, so place the QRadar collector on a management network where possible. If you select TCP instead (for example, logging host <interface> <IP address> tcp/514), be aware that the ASA stops permitting new connections while a TCP syslog server is unreachable unless logging permit-hostdown is also configured.
  7. Disable the output object name option:

    no names

    When names is enabled, the ASA substitutes configured object names for IP addresses in show output and in syslog messages, and QRadar cannot parse those names as source or destination addresses. Disabling the option ensures that forwarded events carry IP addresses.

  8. Exit the configuration:

    exit

  9. Save the changes:

    write mem
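To see what the trap level chosen in step 5 and the no names setting in step 7 change in practice, the following Python script applies the same severity filter that the ASA applies to a set of sample syslog lines and flags endpoints where an object name appears instead of an IP address. This is an example added to this topic, not Cisco or IBM code. The message IDs and formats are real ASA ones; the addresses, connection IDs and the object name webserver are constructed for the example.

```python
"""Preview what the ASA forwards to QRadar at a given 'logging trap' level.

Example added to this topic; not Cisco ASA or IBM QRadar product code.
The lines in SAMPLE are constructed for illustration (RFC 5737 addresses,
invented connection IDs and the made-up object name 'webserver'); only the
%ASA-<severity>-<message id> prefix and the message formats follow real ASA syntax.
"""
import ipaddress
import re

# Cisco ASA severity levels. 'logging trap <level>' forwards every message
# whose severity is numerically less than or equal to the configured level.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Every ASA syslog message starts with %ASA-<severity>-<six-digit id>:
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")

# <interface>:<host>/<port> endpoints as printed in connection and deny messages.
ENDPOINT_RE = re.compile(r"\b[A-Za-z0-9_-]+:([^/\s()]+)/\w+")

# Constructed sample of one minute of ASA output; not captured from a real device.
SAMPLE = [
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51002 "
    "(203.0.113.5/51002) to inside:192.0.2.10/443 (192.0.2.10/443)",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51002 "
    "to inside:192.0.2.10/443 duration 0:00:02 bytes 5120 TCP FINs",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.0.2.10/22 "
    "by access-group \"OUTSIDE_IN\"",
    "%ASA-5-111008: User 'admin' executed the 'no names' command.",
    "%ASA-6-605005: Login permitted from 192.0.2.50/52000 to inside:192.0.2.1/ssh "
    "for user \"admin\"",
    # Emitted while 'names' is still enabled: the object name replaces the address.
    "%ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.5/51003 "
    "(203.0.113.5/51003) to inside:webserver/443 (webserver/443)",
]


def parse(line):
    """Split an ASA syslog line into severity, message ID and text; None if not ASA."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "id": m.group("id"), "text": m.group("text")}


def forwarded(lines, trap_level):
    """Message IDs the ASA would send to its logging host at 'logging trap <trap_level>'."""
    limit = SEVERITY[trap_level]
    return [msg["id"] for msg in map(parse, lines) if msg and msg["severity"] <= limit]


def unresolved_names(lines):
    """Endpoint hosts that are not IP literals, i.e. object names leaking into
    syslog because 'names' is still enabled. QRadar expects addresses here."""
    found = []
    for line in lines:
        for host in ENDPOINT_RE.findall(line):
            try:
                ipaddress.ip_address(host)
            except ValueError:
                found.append(host)
    return found


if __name__ == "__main__":
    for level in ("warnings", "informational"):
        ids = forwarded(SAMPLE, level)
        print(f"logging trap {level}: {len(ids)} of {len(SAMPLE)} messages forwarded -> {ids}")
    print("object names instead of addresses:", unresolved_names(SAMPLE))
```

Running the script shows that at logging trap warning only the 106023 deny reaches QRadar, while the connection build/teardown and login events require logging trap informational, and that the last line would arrive with the name webserver where QRadar expects a destination IP, which is exactly what no names prevents.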

Results

The configuration is complete. QRadar automatically discovers the Cisco ASA log source when it receives the first syslog events from the device. Events that Cisco ASA forwards to QRadar are displayed on the Log Activity tab of QRadar.