In my previous blog posts, I covered:

  • Introduction to Microsoft Cloud App Security
  • Cloud App Security Admin Portal
  • Adding Sanctioned Apps in Cloud App Security

Today we’ll cover how to ingest logs directly from your firewalls into the Cloud App Security Log Collector, which then sends them to the CAS service.

First, go to Cloud Discovery Settings and choose “Upload Logs Automatically”.


Let’s first create our Data source.

Choose your supported firewall vendor of choice. Today the following solutions are supported:

  • Blue Coat ProxySG
  • Check Point
  • Cisco ASA Firewall
  • Cisco FWSM
  • Cisco IronPort WSA
  • Cisco ScanSafe
  • Meraki (URLs log)
  • Fortinet FortiGate
  • Juniper SRX
  • McAfee Web Gateway
  • Microsoft TMG
  • Microsoft TMG (W3C)
  • Palo Alto PA Series Firewall
  • Sophos SG
  • Squid (Common)
  • Squid (Native)
  • Websense Internet Activity Log (CEF)
  • Investigative detail report (CSV)
  • Other… (manual only)

We’ll select Cisco ASA Firewall for our edge firewalls here.

Be sure to check your time zone against the one that is configured.

In our case we don’t have a syslog server in our environment, so we’ll FTP the logs out to the FTP server directory on the Log Collector.

Now let’s create our Log Collector.

Enter a name for the connector and choose your previously created data source.


NOTE: Make sure to grab the token!

Choose your hypervisor platform of choice (VMware or Hyper-V). Grab the collector for Hyper-V here.

Unzip the ZIP file; the password is Discovery1234.

Microsoft recommends a Hyper-V VM with the following specs:

  • Generation 1 VM
  • 2 procs
  • Dynamic Memory – Startup 4096

Let’s create our VM and power it on.


Log in with the default account:

Support adallom100


You will be asked to change your password.


Now let’s run network_config (you’ll have to run it with sudo).

Re-configure as needed.


Be sure to test internet access.


Now run the following command with the token: collector_config (as sudo if needed).

You’ll also need to define your console domain and the collector name you created in the portal.


Once you FTP in, you’ll also see a directory to use as a target for your firewall.


We then set up logging on our ASA to point to the FTP directory.
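
One way to do this on the ASA, as an added example that is not from the original post: the collector address, directory, and FTP account are placeholders, and the informational severity level is an assumption.

```cisco
! Added example with placeholder values; not taken from the original post.
! 192.0.2.10       = Log Collector IP (documentation address, assumed)
! <ftp-directory>  = the target directory you saw when you FTPed in
! <ftp-user> / <ftp-password> = the FTP account on the Log Collector
logging enable
logging timestamp
! Informational (level 6) is assumed here so connection events are logged.
logging buffered informational
! When the buffer wraps, write its contents to the FTP server as a file.
logging ftp-bufferwrap
! FTP sends this credential in cleartext; keep the path on an internal segment.
logging ftp-server 192.0.2.10 /<ftp-directory> <ftp-user> <ftp-password>
```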

If you don’t see anything being dropped in the directory, that’s OK. The collector processes the files as they come in and removes them once they are committed to the CAS cloud service, so as not to flood the FTP server with logs.

You can now check whether the logs are processing by first looking at the Data Sources page.

You should see your # Uploaded Logs count go up.


You can also go to Settings > Governance Log and check that they are being processed there as well.

It should look something like this:


You should, at a minimum, start to see some of the apps being discovered as they are processed.

Your dashboards should also start populating under Discover.