1

Configuring Cloud App Security Log Collector

Posted by

In my previous blog posts, I covered:

Introduction to Microsoft Cloud App Security

Cloud App Security Admin Portal

Adding Sanctioned Apps in Cloud App Security

Today we’ll cover how to ingest logs directly from your firewalls into the Cloud App Security Log Collector, which is then sent to the CAS service.

First, we’ll want to go to Cloud Discovery Settings and “Upload Logs Automatically”

050216_2335_Configuring1.png

Let’s first create our Data source.

Choose your supported firewall vendor of choice. Today the following solutions are supported:

Blue Coat ProxySG

Check Point

Cisco ASA Firewall

Cisco FWSM

Cisco IronPort WSA

Cisco ScanSafe

Meraki (URLs log)

Fortinet FortiGate

Juniper SRX

McAfee Web Gateway

Microsoft TMG

Microsoft TMG (W3C)

Palo Alto PA Series Firewall

Sophos SG

Squid (Common)

Squid (Native)

Websense Internet Activity Log (CEF)

Investigative detail report (CSV)

Zscaler

Other…(manual only)

We’ll select Cisco ASA Firewall for our edge firewalls here.

Ensure to check your timezone against the one that is configured.

In our case we don’t have a syslog server in our environment, so we’ll FTP the logs out to the FTP server directory on the Log Collector

050216_2335_Configuring2.png 050216_2335_Configuring3.png

Now let’s create our Log Collector.

Enter a name for the connector and choose your previously created data source

050216_2335_Configuring4.png

NOTE: Make sure to grab the token!

Choose your hypervisor (Vmware or Hyper-V) platform of choice. Grab the collector for Hyper-V here.

Unzip the ZIP file, the password is Discovery1234

050216_2335_Configuring5.png 050216_2335_Configuring6.png

Microsoft recommends a Hyper-V VM with the following specs:

  • Generation 1 VM
  • 2 procs
  • Dynamic Memory – Startup 4096

Let’s create our VM and power it on

050216_2335_Configuring7.png

Login with the default account

Support adallom100

050216_2335_Configuring8.png

You will be asked to change your password

050216_2335_Configuring9.png

Now lets run: network_config (you’ll have run with the sudo command)

Re-configure as needed

050216_2335_Configuring10.png

Ensure to test internet access

050216_2335_Configuring11.png

Now run the following command: collector_config (as sudo if needed) with the token.

You’ll also need to define your console domain and collector name you created in the portal

050216_2335_Configuring12.png

One you FTP in, you’ll also see a directory to use as a target for your firewall

050216_2335_Configuring13.png

We then setup logging on our ASA to point to the FTP directory.

If you don’t see anything being dropped in the directory, that’s ok, it will process the files as they come in and remove them so as not to flood the FTP server with logs once they are committed to the CAS cloud service.

You can now check if the logs are processing by first looking at the Data Sources page

You should see your # Uploaded Logs count go up

050216_2335_Configuring14.png

You can also go to Settings > Governance Log and check that they are being processed there as well.

It should looks something like this:

050216_2335_Configuring15.png

You should at minimum start to see some of the apps being discovered as they are processed.

And your dashboards populating under Discover

050216_2335_Configuring16.png 050216_2335_Configuring17.png 050216_2335_Configuring18.png

One thought on “Configuring Cloud App Security Log Collector

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>