In my previous blog posts, I covered:
Today we’ll cover how to ingest logs directly from your firewalls into the Cloud App Security Log Collector, which then forwards them to the CAS service.
First, go to Cloud Discovery Settings and choose “Upload Logs Automatically”.
Let’s first create our Data source.
Choose your firewall vendor from the supported list. At the time of writing the following solutions are supported:
Blue Coat ProxySG
Cisco ASA Firewall
Cisco IronPort WSA
Meraki (URLs log)
McAfee Web Gateway
Microsoft TMG (W3C)
Palo Alto PA Series Firewall
Websense Internet Activity Log (CEF)
Investigative detail report (CSV)
We’ll select Cisco ASA Firewall for our edge firewalls here.
Be sure to check that the time zone matches the one configured on your firewall; a mismatch skews the timestamps on every discovered event.
In our case we don’t have a syslog server in our environment, so we’ll FTP the logs out to the FTP server directory on the Log Collector.
Now let’s create our Log Collector.
Enter a name for the collector and choose the data source you created above.
NOTE: Make sure to grab the token!
Choose your hypervisor platform (VMware or Hyper-V). Grab the collector for Hyper-V here.
Unzip the ZIP file; the password is Discovery1234.
Microsoft recommends a Hyper-V VM with the following specs:
- Generation 1 VM
- 2 processors
- Dynamic Memory – Startup 4096
Let’s create our VM and power it on.
Log in with the default account.
You will be asked to change your password
Now let’s run network_config (you’ll have to run it with sudo).
Reconfigure the network settings as needed.
Be sure to test internet access; the collector needs to reach the CAS service.
Now run collector_config (with sudo if needed) and supply the token.
You’ll also need to enter the console domain and the collector name you created in the portal.
Once you FTP in, you’ll also see a directory to use as the target for your firewall.
We then set up logging on our ASA to point to that FTP directory.
If you don’t see anything sitting in the directory, that’s OK. The collector processes files as they come in and removes them once they are committed to the CAS cloud service, so the FTP server is not flooded with logs.
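As an added example (not part of the original post or the collector itself), a small shell health check for that FTP target directory. It assumes only the directory path you created above and uses the behaviour just described: a file that is still there long after arrival means the collector is not uploading.

```shell
#!/bin/sh
# Added example, not the collector's own code: health check for the Log
# Collector's FTP target directory. The collector deletes each firewall log
# file once it is committed to the CAS service, so an empty directory is the
# normal state, while files lingering longer than MAX_AGE minutes mean the
# collector is stuck (bad token, wrong data source, no internet access).
# The directory path is an assumption passed in by the caller.

# Number of files in DIR older than MINUTES (-mmin works on GNU and BSD find).
stale_count() {
    find "$1" -type f -mmin +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# Number of files in DIR modified within the last MINUTES (still queued).
fresh_count() {
    find "$1" -type f -mmin -"$2" 2>/dev/null | wc -l | tr -d ' '
}

# collector_status DIR [MINUTES]
# Prints a verdict; returns 0 when nothing is stuck, 1 when files are stuck.
collector_status() {
    dir=$1
    max_age=${2:-15}
    stale=$(stale_count "$dir" "$max_age")
    fresh=$(fresh_count "$dir" "$max_age")
    if [ "$stale" -gt 0 ]; then
        echo "STUCK: $stale file(s) older than ${max_age} min still in $dir; check token, data source and internet access"
        return 1
    fi
    echo "OK: no stuck files in $dir ($fresh file(s) awaiting processing; an empty directory is normal)"
    return 0
}

# Usage with an assumed (constructed) path, e.g. from cron every 15 minutes:
# collector_status /var/ftp/asa 15
```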
You can now check whether the logs are being processed by first looking at the Data Sources page.
You should see your # Uploaded Logs count go up.
You can also go to Settings > Governance Log and check that they are being processed there as well.
It should look something like this:
You should, at minimum, start to see some of the apps being discovered as the logs are processed,
and your dashboards populating under Discover.