Creating an ASA Security Analytics and Logging (SaaS) Macro

There are two types of formatting you'll see in the following procedure, ASA CLI commands and macro formatting. The ASA CLI commands are written to follow ASA syntax conventions. The macro conventions are described in Create a CLI Macro.

Before you begin, open Send ASA Syslog Events to the Cisco Cloud in a separate window and read it in parallel with this procedure so you can read the command descriptions as you create your macros.

Note

If a logging config is already in place on the ASA, running the macro from Security Cloud Control will not first clear out all of the existing logging config. Rather, the settings defined in the Security Cloud Control macro will merge into whatever might already be in place.

Procedure


Step 1

Open a plain text editor and create a list of commands you are going to turn into a macro, based on the instructions and options below. Security Cloud Control will execute the commands in the order they are written in the macro. Some commands will have values that you turn into {{parameters}}, which you fill in when it comes time to run the macro.

Step 2

Configure the ASA to send messages to an SEC as if it were a syslog server.

Use the logging host command to specify the SEC as the syslog server you send messages to. You can send events to any one of the SECs you have onboarded to your tenant.

The logging host command specifies a TCP or UDP port to send events to. See Finding Your Device's TCP, UDP, and NSEL Port Used for Cisco Security Analytics and Logging to determine what ports you should use.

logging host interface_name SEC_IP_address {tcp/port | udp/port}

Turn this command into one of two different macros depending on what protocol you use to send syslog events to the SEC:

logging host {{interface_name}} {{SEC_ip_address}} tcp/{{port_number}}

logging host {{interface_name}} {{SEC_ip_address}} udp/{{port_number}}

(Optional) If you use TCP, you can add this command to your list of commands in your macro. It does not need any parameters. Without it, the ASA stops permitting new connections through it whenever the TCP syslog server is unreachable, because TCP syslog is treated as a reliable audit channel; logging permit-hostdown lets traffic continue while the SEC is down, at the cost of losing the events generated during the outage.

logging permit-hostdown

Step 3

Specify which syslog messages should be sent to the syslog server.

Use the logging trap command to specify which syslog messages should be sent to the syslog server:

logging trap {severity_level | message_list}

If you want to define the events sent to the SEC by severity level, turn the command into this macro:

logging trap {{severity_level}}

If you only want to send events to the SEC that are part of a message list, turn the command into this macro:

logging trap {{message_list_name}}

If you chose the logging trap message_list form above, you need to define the syslogs in your message list. Open Create a Custom Event List so you can read the command descriptions as you create the macro. Start with this command:

logging list name {level level [class message_class] | message start_id[-end_id]}

And break it down into these variations:

logging list {{message_list_name}} level {{severity_level}}

logging list {{message_list_name}} level {{severity_level}} class {{message_class}}

logging list {{message_list_name}} message {{syslog_range_or_number}}

In the last variation, the message parameter {{syslog_range_or_number}} could be entered as a single syslog ID, 106023, or a range, 302013-302018. Use one or more of the command variations in as many lines as you like to create your message list. Keep in mind that, in a single macro, all parameters with the same name will use the same value you enter. Security Cloud Control will not run a macro with empty parameters.

Important

The logging list command has to come before the logging trap command in your macro. You define the list first and then the logging trap command can use it. See the sample macro below.

Step 4

(Optional) Add the syslog timestamp. Add this command if you want each message to carry the date and time at which it was generated on the ASA. The timestamp value is displayed in the SyslogTimestamp field. Add this command to your list of commands; it does not need any parameters:

logging timestamp

Note

Beginning with ASA version 9.10(1), you can enable RFC 5424-format timestamps in syslog messages (the logging timestamp rfc5424 command). When that option is enabled, every syslog message timestamp is displayed in RFC 5424 format. Here is a sample message in RFC 5424 format:

<166>2018-06-27T12:17:46Z asa : %ASA-6-110002: Failed to locate egress interface for protocol from src interface :src IP/src port to dest IP/dest port
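To make the fields of that message concrete, here is an added example parser, not part of the original page or of any Cisco tool, that decodes the PRI value into facility and severity, pulls out the RFC 5424 timestamp, the device ID and the %ASA-severity-ID header, and then checks whether the event would be selected by logging list entries of the kind built in Step 3. The sample line is constructed to match the shape shown above; the function names and the list-entry representation are assumptions for illustration, and class-based list entries are not modelled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample line, shaped like the RFC 5424-style output shown in this note.
# The device-id "asa" and the message text are placeholders, not captured data.
SAMPLE_LINE = (
    "<166>2018-06-27T12:17:46Z asa : %ASA-6-110002: Failed to locate egress "
    "interface for protocol from src interface :src IP/src port to dest IP/dest port"
)

# ASA severity levels as used by "logging trap" and "logging list ... level".
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                      # syslog PRI
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?"     # RFC 5424 timestamp
    r"(?:Z|[+-]\d{2}:\d{2}))"
    r"\s+(?P<device_id>\S+)\s+:\s+"                              # logging device-id value
    r"%ASA-(?P<sev>[0-7])-(?P<msg_id>\d{6}):\s+(?P<text>.*)$"    # ASA message header
)


@dataclass
class AsaEvent:
    facility: int
    severity: int
    timestamp: str
    device_id: str
    msg_id: int
    text: str


def parse_asa_syslog(line: str) -> AsaEvent:
    """Parse one RFC 5424-timestamped ASA syslog line into its fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an ASA syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    if severity != int(m["sev"]):
        # Both fields carry the message severity; a mismatch means the line was mangled.
        raise ValueError("PRI severity and %ASA header severity disagree")
    return AsaEvent(facility, severity, m["ts"], m["device_id"], int(m["msg_id"]), m["text"])


# One entry per "logging list" line: ("level", max_severity, None) or
# ("message", start_id, end_id_or_None). Class-based entries are not modelled here.
ListEntry = Tuple[str, int, Optional[int]]


def passes_list(event: AsaEvent, entries: List[ListEntry]) -> bool:
    """Would the event be selected by a message list built from these entries?"""
    for kind, a, b in entries:
        if kind == "level" and event.severity <= a:  # lower number = more severe
            return True
        if kind == "message" and a <= event.msg_id <= (a if b is None else b):
            return True
    return False


if __name__ == "__main__":
    ev = parse_asa_syslog(SAMPLE_LINE)
    print(f"facility={ev.facility} severity={SEVERITY_NAMES[ev.severity]} "
          f"id={ev.msg_id} device={ev.device_id} ts={ev.timestamp}")
    # "logging list L level 3" alone would drop this informational (6) event:
    print("sent with level 3 list:", passes_list(ev, [("level", 3, None)]))
    # "logging list L message 110002" selects it explicitly:
    print("sent with message 110002:", passes_list(ev, [("message", 110002, None)]))
```

PRI 166 decodes to facility 20 (local4, the ASA default) and severity 6, which is the same severity that appears in the %ASA-6-110002 header; a level-3 list entry would therefore not select this event, while an explicit message 110002 entry would.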

Step 5

(Optional) Include a device ID in non-EMBLEM format syslog messages. Open Include the Device ID in Non-EMBLEM Format Syslog Messages so you can read the command descriptions as you create the macro. This is the CLI command you will base your macro on:

logging device-id {cluster-id | context-name | hostname | ipaddress interface_name [system] | string text}

And break it down into these variations (on the ipaddress form, the system keyword is optional):

logging device-id cluster-id

logging device-id context-name

logging device-id hostname

logging device-id ipaddress {{interface_name}} system

logging device-id string {{text_16_char_or_less}}

Step 6

Enable logging. Add this command to your macro as it is. It does not have any parameters:

logging enable

Step 7

Do not add write memory as the last line of the macro. Add the show running-config logging command instead, so you can review the results of the logging commands you entered before committing them to the ASA's startup configuration.

show running-config logging

Step 8

After you are confident your configuration changes were made, you can create a separate macro for the write memory command or use Security Cloud Control's Bulk Command Line Interface function to issue the command to all the devices you configured using your macro.

write memory

Step 9

(Optional) Enable logging on access control rule "permit" events. This step is described in the Send ASA Syslog Events to the Cisco Cloud procedure, but it is not included in this macro; it is performed in the Security Cloud Control GUI instead.

Step 10

Save the macro.


Example

Here is a sample of a list of commands combined into a single macro:


logging host {{interface_name}} {{SEC_ip_address}} {{tcp_or_udp}}/{{port_number}}
logging permit-hostdown
logging list {{message_list_name}} level {{severity_level}}
logging list {{message_list_name}} message {{syslog_range_or_number_1}}
logging list {{message_list_name}} message {{syslog_range_or_number_2}}
logging trap {{message_list_name}}
logging device-id cluster-id
logging enable
show running-config logging

Note

There are several logging list commands, each adding a different syslog ID or range. Each {{syslog_range_or_number_X}} parameter needs a number or some other differentiator in its name; otherwise they would all receive the same value when the macro is filled in. Also keep in mind that Security Cloud Control will not run a macro unless every parameter is given a value, so only include the commands you actually want to execute. All the syslog IDs belong in the same list, so {{message_list_name}} stays the same on every line.
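As an added example, not part of this page or of Security Cloud Control, the following Python script shows what the macro rules above mean in practice: it fills every {{parameter}} from one value table (so same-named parameters always receive the same value), refuses to render when any parameter is empty, and sanity-checks the filled-in lines, including that a logging trap that names a list comes after the logging list lines that define it, that the port spec is tcp/port or udp/port, and that write memory has been left out. The macro text mirrors the sample above; the parameter values, address and port are constructed placeholders, and the function names are assumptions.

```python
import re
from typing import Dict, List, Set

PARAM_RE = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")

# Constructed macro text, mirroring the sample macro on this page.
MACRO = """\
logging host {{interface_name}} {{SEC_ip_address}} {{tcp_or_udp}}/{{port_number}}
logging permit-hostdown
logging list {{message_list_name}} level {{severity_level}}
logging list {{message_list_name}} message {{syslog_range_or_number_1}}
logging list {{message_list_name}} message {{syslog_range_or_number_2}}
logging trap {{message_list_name}}
logging device-id cluster-id
logging enable
show running-config logging
"""

SEVERITY_WORDS = {"emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"}


def parameters(macro: str) -> List[str]:
    """Distinct {{parameter}} names in first-seen order."""
    seen: List[str] = []
    for name in PARAM_RE.findall(macro):
        if name not in seen:
            seen.append(name)
    return seen


def render(macro: str, values: Dict[str, str]) -> List[str]:
    """Fill every {{parameter}}; same name -> same value; refuse empty values."""
    missing = [p for p in parameters(macro) if not values.get(p, "").strip()]
    if missing:
        raise ValueError(f"macro has empty parameters: {missing}")
    filled = PARAM_RE.sub(lambda m: values[m.group(1)].strip(), macro)
    return [ln.strip() for ln in filled.splitlines() if ln.strip()]


def _is_level(tok: str) -> bool:
    """A severity given as a name or as a number 0-7."""
    return tok in SEVERITY_WORDS or (tok.isdigit() and int(tok) <= 7)


def check_rendered(lines: List[str]) -> List[str]:
    """Sanity-check the filled-in commands before they are pushed to the ASA."""
    problems: List[str] = []
    lists_defined: Set[str] = set()
    for n, line in enumerate(lines, 1):
        t = line.split()
        if t[:2] == ["logging", "host"] and len(t) >= 5:
            proto, _, port = t[4].partition("/")
            if proto not in ("tcp", "udp") or not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"line {n}: expected tcp/port or udp/port, got {t[4]!r}")
        elif t[:2] == ["logging", "list"] and len(t) >= 5:
            lists_defined.add(t[2])
            if t[3] == "level" and not _is_level(t[4]):
                problems.append(f"line {n}: bad severity level {t[4]!r}")
            elif t[3] == "message":
                lo, _, hi = t[4].partition("-")
                if not lo.isdigit() or (hi and (not hi.isdigit() or int(hi) < int(lo))):
                    problems.append(f"line {n}: bad message id or range {t[4]!r}")
        elif t[:2] == ["logging", "trap"] and len(t) >= 3:
            if not _is_level(t[2]) and t[2] not in lists_defined:
                problems.append(f"line {n}: logging trap uses list {t[2]!r} "
                                "that is not defined on an earlier line")
        elif t[:3] == ["logging", "device-id", "string"]:
            if len(" ".join(t[3:])) > 16:
                problems.append(f"line {n}: device-id string longer than 16 characters")
        elif t[:2] == ["write", "memory"]:
            problems.append(f"line {n}: keep write memory out of this macro; "
                            "review with show running-config logging first")
    return problems


# Constructed parameter values; the address and port are placeholders, not a real SEC.
EXAMPLE_VALUES = {
    "interface_name": "outside",
    "SEC_ip_address": "192.0.2.10",
    "tcp_or_udp": "tcp",
    "port_number": "10125",
    "message_list_name": "sal_events",
    "severity_level": "4",
    "syslog_range_or_number_1": "106023",
    "syslog_range_or_number_2": "302013-302018",
}

if __name__ == "__main__":
    rendered = render(MACRO, EXAMPLE_VALUES)
    print("\n".join(rendered))
    print("problems:", check_rendered(rendered) or "none")
```

Because both {{syslog_range_or_number_1}} and {{syslog_range_or_number_2}} are distinct keys in the value table, they can carry different IDs, while the three {{message_list_name}} occurrences necessarily render to the same list name; putting the logging trap line above its logging list lines, or leaving port_number empty, is reported before anything reaches the device.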

What to do next

Run the Macro

After you have created and saved the ASA Security Analytics and Logging Macro, run the macro to send ASA syslog events to the Cisco cloud.