Cisco ASA logs incorrectly ingested for Sentinel

  • Question

  • Experiencing an issue where approx. half of the messages from an ASA are not parsed correctly.

    Approx. 50% appear as Syslog, and the rest in the expected CommonSecurityLog.

    I can see no difference in the messages, but the processing appears to go in bundles of several thousand.


    Tuesday, May 26, 2020 2:09 PM

Answers

  • Hi,

    Can you please check whether you have connected both CEF and Syslog? That is why you are getting the data in both tables. If yes, please disconnect Syslog using the portal. This should resolve the duplication in the tables.

    Regarding the missing messages, can you please provide us with a sample message that you do not see in the workspace and one that you do?

    If you are not able to share it here, please send an email to azcommunity[at]microsoft[dot]com with this MSDN thread url and we will look into the same.

    Thanks
    Saurabh


    • Marked as answer by TimFoo Thursday, June 4, 2020 9:30 AM
    Wednesday, June 3, 2020 3:05 PM
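
    A way to confirm the situation described in this answer (the same ASA events landing in both tables, in alternating bundles) before and after disconnecting the Syslog connector. This is an added KQL example for the Log Analytics query editor, not a query from the thread or from the Sentinel connector. It assumes the Log Analytics agent host that receives the ASA syslog shows up in the Computer column as "asa-forwarder"; replace that with your own forwarder name. The Syslog-side filter uses the message texts quoted later in this thread.

```kusto
// Added example, not part of the thread: count ASA connection events per table per
// minute to confirm they land in both CommonSecurityLog and Syslog, and to see whether
// they arrive in bundles rather than as a steady mix.
// Assumption: "asa-forwarder" is the Computer name of the agent host; change it.
let forwarder = "asa-forwarder";
let lookback = 1h;
// ASA events that the CEF connector parsed into CommonSecurityLog.
let parsed = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where Computer == forwarder
    | where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
    | project TimeGenerated,
              Message = strcat(DeviceEventClassID, " ", Activity),
              SourceTable = "CommonSecurityLog";
// The same kinds of ASA messages that arrived unparsed in the Syslog table.
let unparsed = Syslog
    | where TimeGenerated > ago(lookback)
    | where Computer == forwarder
    | where SyslogMessage has_any ("Teardown TCP connection",
                                   "Built inbound TCP connection",
                                   "Built inbound ICMP connection")
    | project TimeGenerated, Message = SyslogMessage, SourceTable = "Syslog";
union parsed, unparsed
| summarize Messages = count(), Sample = take_any(Message)
    by SourceTable, bin(TimeGenerated, 1m)
| order by TimeGenerated asc, SourceTable asc
```

    With both connectors active the result shows rows for both SourceTable values in the same minutes, with the Syslog rows carrying the raw ASA text as their Sample. After the Syslog connector is disconnected, the Syslog rows for the forwarder should stop appearing in later bins while CommonSecurityLog continues; if they keep appearing, the forwarder is still shipping the ASA stream to the Syslog connector and the forwarder's own configuration needs checking, not just the portal. The 1m bin matches the per-minute counts quoted in the thread; widen it for longer lookback windows.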

All replies

  • Can you please help by providing an example of which syslogs are not being converted to CommonSecurityLog? Also, can you please follow How to validate connectivity to check the connectivity to Azure Sentinel.
    Tuesday, May 26, 2020 8:32 PM
    In the Syslog message field we see things such as the below on messages that have not been parsed; they are just standard messages.

    Teardown TCP connection 1133716050 for SW-OUTSIDE261:10.25.53.123/54909 to Provisioning-Network:172.27.30.178/5201 duration 0:00:15 bytes 534 Failover primary closed

    or

    Built inbound TCP connection 1702096599 for VRF803:172.16.100.10/58608 (172.16.100.10/58608) to Management_Network:172.27.33.214/443 (172.27.33.214/443)

    or

    Built inbound ICMP connection for faddr 10.255.126.175/1 gaddr 172.31.30.10/0 laddr 172.31.30.10/0 (<Unknown>) type 8 code 0

    In the last minute we received this number of messages from the POC device in question:

    CommonSecurityLog    18,640

    Syslog  31,060

    It definitely appears odd, as it appears to process thousands in a row correctly, then thousands in a row incorrectly.

    I'm not seeing any obvious limitations on the log forwarder.

    Wednesday, May 27, 2020 8:35 AM
  • TimFoo - Thanks for sharing.  I will check internally with the product team and update you with my findings over here.
    Tuesday, June 2, 2020 6:17 PM
  • Ah ha, that seems to have done the trick...

    Thank you

    Tim

    Thursday, June 4, 2020 9:30 AM
  • Awesome. Great to hear that you are unblocked.
    Thursday, June 4, 2020 4:58 PM