Cisco ASA Router
Configure Filebeat to ship Cisco logs to Logstash and Elasticsearch
Configure Filebeat to ship Cisco logs to Logstash and Elasticsearch.
Install Integration
Configure Cisco Router
Enable your Cisco ASA router to send logs to a remote server over TCP. As this isn't enabled by default you will need to enable it, you can follow the instructions here to do so.
Cisco Logs Instructions (opens in a new tab)
Install Filebeat
To get started you will need to install filebeat. To do this you have two main options:
- Choose the filebeat (opens in a new tab) ZIP file (Windows ZIP x86_64) or
- Choose the Microsoft Software Installer MSI (opens in a new tab) file (Windows MSI x86_64 (beta))
To successfully install filebeat and set up the required Windows service you will need to have administrator access.
If you have chosen to download the zip file:
- Extract the contents of the zip file into C:\Program Files.
- Rename the extracted folder to filebeat
- Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
- From the PowerShell prompt, run the following commands to install filebeat as a Windows service:
cd 'C:\Program Files\filebeat'.\install-service-filebeat.ps1If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1For more information about Powershell execution policies see here (opens in a new tab).
If you have chosen to download the filebeat.msi file:
- double-click on it and the relevant files will be downloaded.
At the end of the installation process you'll be given the option to open the folder where filebeat has been installed.
- Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
- From the PowerShell prompt, change directory to the location where filebeat was installed and run the following command to install filebeat as a Windows service:
.\install-service-filebeat.ps1If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1For more information about Powershell execution policies see here (opens in a new tab).
Update your configuration file
The configuration file below is pre-configured to send data to your Logit.io Stack via Logstash.
Note: Please make sure the 'paths' field in the Filebeat inputs section and the 'hosts' field in the Logstash outputs section are correctly populated.
If you are logged into your Logit.io account the 'hosts' field should have been pre-populated with the correct values.
The 'paths' field will need to be set to the location of the logs you want to send to your Stack e.g. - /Windows/DtcInstall.log is a log file called DtcInstall.log located in C:/Windows.
Copy the configuration file below (making the above changes as necessary) and overwrite the contents of filebeat.yml (this file can be found in the location where you installed Filebeat in the previous step. If it is missing create a new file with that name and populate it with the configuration details below).
###################### Logit.io Filebeat Configuration ########################
# ============================== Filebeat inputs ==============================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: tcp
enabled: true
host: "0.0.0.0:xxxx"
fields:
type: cisco-asa
fields_under_root: true
encoding: utf-8
ignore_older: 3h
# ============================== Filebeat modules ==============================
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
#reload.period: 10s
# ================================== Outputs ===================================
# ------------------------------ Logstash Output -------------------------------
output.logstash:
hosts: ["@logstash.host:@logstash.sslPort"]
loadbalance: true
ssl.enabled: true
# ================================= Processors =================================
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~Validate configuration
cd <EXTRACTED_ARCHIVE>
.\@beatname.exe -e -c @beatname.ymlIf the yml file is invalid, will print an error loading config file error message with
details on how to correct the problem. If you have issues starting see "How To Diagnose
No Data In Stack" below to troubleshoot.
Start filebeat
To start Filebeat, run in Powershell:
Start-Service filebeatCheck Logit.io for your logs
Data should now have been sent to your Stack.
View My DataIf you don't see take a look at How to diagnose no data in Stack below for how to diagnose common issues.
How to diagnose no data in Stack
If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.
Cisco Meraki Logging Overview
Cisco ASA (Adaptive Security Appliance) is a network security device that provides firewall, VPN, and other security services for enterprise networks. ASA devices are typically deployed at the edge of the network to protect it from external threats and to control access to internal resources.
ASA devices generate a variety of logs that record various events and activities on the network. These logs are used to monitor network security, troubleshoot issues, and identify security threats.
Here are some common types of logs generated by ASA devices:
System Logs: These logs record system-level events such as device startup, shutdown, and configuration changes.
Connection Logs: These logs record details about network connections such as source and destination IP addresses, protocols, and ports.
Access Logs: These logs record information about access attempts to the network, including login attempts and access requests.
Threat Logs: These logs record security-related events such as intrusion attempts, malware detections, and security policy violations.
VPN Logs: These logs record details about VPN connections such as user authentication, encryption, and tunneling.
ASA devices provide real-time visibility into network activity through the ASA dashboard, which can be used to search and filter logs based on various criteria such as time range, device, event type, and severity. The logs can also be exported for further analysis or integration with third-party tools. ASA devices can also be integrated with Cisco Security Manager (CSM) to provide centralized management and reporting for multiple ASA devices.