Configuring Cloud App Security Log Collector
In my previous blog posts, I covered:
Introduction to Microsoft Cloud App Security
Cloud App Security Admin Portal
Adding Sanctioned Apps in Cloud App Security
Today we’ll cover how to ingest logs directly from your firewalls into the Cloud App Security Log Collector, which then forwards them to the CAS service.
First, we’ll want to go to Cloud Discovery Settings and choose “Upload Logs Automatically”.
Let’s first create our data source.
Choose your supported firewall vendor of choice. Today the following solutions are supported:
- Blue Coat ProxySG
- Check Point
- Cisco ASA Firewall
- Cisco FWSM
- Cisco IronPort WSA
- Cisco ScanSafe
- Meraki (URLs log)
- Fortinet FortiGate
- Juniper SRX
- McAfee Web Gateway
- Microsoft TMG
- Microsoft TMG (W3C)
- Palo Alto PA Series Firewall
- Sophos SG
- Squid (Common)
- Squid (Native)
- Websense Internet Activity Log (CEF)
- Investigative detail report (CSV)
- Zscaler
- Other… (manual only)
We’ll select Cisco ASA Firewall for our edge firewalls here.
Make sure the timezone you select matches the one that is configured.
In our case we don’t have a syslog server in our environment, so we’ll FTP the logs out to the FTP server directory on the Log Collector.
Now let’s create our Log Collector.
Enter a name for the connector and choose your previously created data source.
NOTE: Make sure to grab the token!
Choose your hypervisor platform of choice (VMware or Hyper-V). Grab the collector for Hyper-V here.
Unzip the ZIP file; the password is Discovery1234.
Microsoft recommends a Hyper-V VM with the following specs:
- Generation 1 VM
- 2 procs
- Dynamic Memory – Startup 4096
Let’s create our VM and power it on.
Log in with the default account: username Support, password adallom100.
You will be asked to change your password
Now let’s run network_config (you’ll have to run it with the sudo command).
Reconfigure the network settings as needed.
Make sure to test internet access.
Now run the following command: collector_config (with sudo if needed), and supply the token.
You’ll also need to provide your console domain and the collector name you created in the portal.
Once you FTP in, you’ll also see a directory to use as the target for your firewall.
We then set up logging on our ASA to point to the FTP directory.
If you don’t see anything being dropped in the directory, that’s OK: the collector processes files as they come in and removes them once they are committed to the CAS cloud service, so the FTP server isn’t flooded with logs.
You can now check whether the logs are processing by first looking at the Data Sources page.
You should see your # Uploaded Logs count go up.
You can also go to Settings > Governance Log and check that they are being processed there as well.
It should look something like this:
You should at minimum start to see some of the apps being discovered as they are processed,
and your dashboards populating under Discover.
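Because the collector deletes files from the FTP directory once they are committed, an empty directory can mean either “nothing is arriving from the ASA” or “everything is being consumed”. The following script is an added example (not part of the original post or of Microsoft’s collector tooling) that samples the drop directory for a few seconds and tells those cases apart; the directory path is an assumption you replace with the one shown after you FTP in.

```shell
#!/bin/sh
# Sample the Log Collector's FTP drop directory once a second for $2 seconds,
# track the peak and final file counts, and print one word:
#   idle     - no file ever appeared (nothing is arriving from the firewall)
#   draining - files appeared and were removed (collector is consuming them)
#   stuck    - files appeared and are still there (collector is not consuming)
check_ftp_inbox() {
    dir=$1
    window=${2:-30}
    peak=0
    final=0
    i=0
    while [ "$i" -lt "$window" ]; do
        n=$(find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' ')
        [ "$n" -gt "$peak" ] && peak=$n
        final=$n
        i=$((i + 1))
        sleep 1
    done
    if [ "$peak" -eq 0 ]; then
        echo idle
    elif [ "$final" -eq 0 ]; then
        echo draining
    else
        echo stuck
    fi
}

# Map each state to the part of the setup worth revisiting.
explain() {
    case $1 in
        idle)     echo "No files arrived: check the ASA logging target and the FTP credentials." ;;
        draining) echo "Files arrive and are consumed: confirm # Uploaded Logs is rising in the portal." ;;
        stuck)    echo "Files arrive but are not consumed: re-run collector_config and verify the token, console domain and internet access." ;;
        *)        echo "Unknown state: $1"; return 1 ;;
    esac
}

# Usage (the path is an assumed placeholder; use the directory your collector shows):
#   state=$(check_ftp_inbox /path/to/collector/ftp/inbox 60); explain "$state"
```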
Gurdip Sira
Hi, I downloaded this but the password provided above does not seem to work for me?