ASA integration in Elastic Agent

Can anyone please advise on the "ASA" integration in Elastic Agent?

As we know, there are 2 ways:

  1. I am sending logs of the ASA (192.168.110.1) by syslog UDP to Logstash (192.168.110.243). When checking with tcpdump, I see that they are "asa" logs, but they are not visible in Kibana. What address should I specify here?

  2. The second way is to read from a file. But in this case not all fields are parsed. The exported fields are not visible there.

Are you using Logstash and want to change to the Integration?

If you want to use the integration, you need to send the ASA logs to the server where the agent with the integration will be running. In the integration configuration you should leave the listen address as 0.0.0.0 and choose the port to which you will send the logs.

What does the file look like? If I'm not wrong, the file needs to be one event per line in a syslog format.
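As an added example (not part of the thread), the check below validates that a file really is one complete ASA syslog event per line before a file input is pointed at it. The sample lines are constructed; the assumption that every event carries the `%ASA-<severity>-<message_id>:` header, with an optional syslog timestamp/hostname prefix, is mine.

```python
"""Sanity-check a file before pointing an Elastic Agent file input at it:
every non-empty line should be one complete syslog event carrying the
%ASA-<severity>-<message_id>: header. Added example, not from the thread."""
import re
from typing import Dict, List, Optional, Tuple

# ASA message header, e.g. "%ASA-6-302013: Built outbound TCP connection ...".
# Severity is 0-7; the message ID is the numeric Cisco message number.
ASA_HEADER_RE = re.compile(
    r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d+):\s*(?P<message>.*)$"
)

# Constructed sample. Event 4 was wrapped onto two lines, the typical defect
# in an exported log file: its continuation line has no header.
SAMPLE_FILE = """\
Jan 10 12:00:01 asa01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.110.50/51234 (192.168.110.50/51234)
Jan 10 12:00:02 asa01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.168.110.50/22 by access-group "outside_in" [0x0, 0x0]
Jan 10 12:00:03 asa01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443 to inside:192.168.110.50/51234 duration 0:00:02 bytes 4321 TCP FINs
Jan 10 12:00:04 asa01 %ASA-6-302013: Built outbound TCP connection 12346
 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.110.51/51235 (192.168.110.51/51235)
"""


def parse_asa_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed event, or None if the line has no ASA header.

    Whatever precedes the header (RFC 3164 timestamp and hostname, or nothing
    at all for files written by the ASA itself) is kept as 'prefix'.
    """
    m = ASA_HEADER_RE.search(line)
    if m is None:
        return None
    return {
        "prefix": line[: m.start()].strip(),
        "severity": m.group("severity"),
        "msg_id": m.group("msg_id"),
        "message": m.group("message").strip(),
    }


def check_asa_file(text: str) -> Tuple[List[Dict[str, str]], List[Tuple[int, str]]]:
    """Parse every non-empty line; return (events, problems).

    A problem is (1-based line number, reason). A line without a header would
    be shipped as an event the integration cannot parse, so it is reported.
    """
    events: List[Dict[str, str]] = []
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        event = parse_asa_line(raw)
        if event is None:
            problems.append((lineno, "no %ASA-<sev>-<id>: header (wrapped or non-syslog line)"))
            continue
        events.append(event)
    return events, problems


def severity_counts(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Histogram of severities, a quick way to see what the file contains."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev["severity"]] = counts.get(ev["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    evs, probs = check_asa_file(SAMPLE_FILE)
    print(f"{len(evs)} events parsed, severities {severity_counts(evs)}")
    for lineno, reason in probs:
        print(f"line {lineno}: {reason}")
```

Run it against the real export (`check_asa_file(open(path).read())`); any reported line numbers point at events that must be rejoined onto one line before the integration will parse them.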

Hello @leandrojmp
Thanks for reply.

Yes, I am sending logs from the ASA (192.168.110.1) to Logstash (192.168.110.243), where the Elastic Agent and integration were installed. I am also setting 0.0.0.0 and port 5045 to receive the logs. But the logs are not visible in Kibana (Discover).

[screenshot: asa_logstash_input]

From what you shared, you already have Logstash running and listening on port 5045; you can't use the same port for the Elastic Agent.

If you want to use the integration, you need to send the logs to Elastic Agent, not Logstash, so you don't need a Logstash pipeline listening on port 5045.

Let me clarify

Where should I indicate the port of the Elastic Agent? Do you mean I should send the ASA logs directly to the Elastic Agent?

You should set the port in the integration configuration in the Listen Port box; this will be the port where the Elastic Agent will listen for logs from your ASA device.

Then you should configure your ASA device to send logs to the server where the Elastic Agent is running on the port you choose.

The issue here is that you put port 5045 in the Agent configuration, but you also shared a Logstash configuration running on the same server and listening on the same port. This won't work.

Should I indicate this port? I did not fully understand.

Could you please provide a link to the documentation for sending ASA logs to Elastic Agent? Because I didn't find any information about what you said in the documentation.

I'm sorry, but what didn't you understand?

In the Elastic Agent you will choose a listening port. In the screenshot you shared you chose UDP port 5045; if you use this port, nothing else on the server can use it, but you shared a Logstash config using the same UDP port. This cannot happen.

So, if you want to use Elastic Agent to receive logs from the ASA over UDP, you cannot use the same port on Logstash.

The screenshot you shared does not have any UDP port, so I'm not sure what your issue is here.

Did you configure the ASA integration with a UDP port that is not being used on the server? You need to check this.

You need to look in the Cisco documentation on how to configure ASA to send logs to a Syslog server, the Elastic Agent will act as a Syslog server.
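Two checks for the path described in this thread, as an added example that is not part of the original posts: first, whether the UDP port the integration will listen on is actually free, or whether something else (such as a Logstash udp input) already owns it; second, whether a syslog datagram sent to that port arrives. A loopback listener stands in for the Elastic Agent, the ASA event text is constructed, and the syslog facility value is an assumption (local4, which I take to be the ASA default).

```python
"""Check UDP port availability and send a test ASA syslog datagram.
Added example; the Elastic Agent is simulated by a loopback listener."""
import errno
import socket
import sys
from typing import Tuple


def udp_port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """Return True if a UDP socket can be bound to host:port right now.

    Without SO_REUSEADDR the kernel refuses a second bind to an address:port
    another process already owns, which is the Elastic Agent vs. Logstash
    collision discussed above.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno in (errno.EADDRINUSE, errno.EACCES):
            return False  # in use, or a privileged port we may not bind
        raise
    finally:
        probe.close()


def demonstrate_port_conflict(host: str = "127.0.0.1") -> Tuple[int, bool, bool]:
    """Hold a UDP port the way a Logstash udp input would, probe it, release
    it, probe again. Returns (port, free_while_held, free_after_release)."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind((host, 0))  # port 0: let the kernel pick a free one
    port = holder.getsockname()[1]
    free_while_held = udp_port_is_free(port, host)
    holder.close()
    free_after_release = udp_port_is_free(port, host)
    return port, free_while_held, free_after_release


def build_asa_syslog(severity: int, msg_id: str, text: str,
                     hostname: str = "asa01", facility: int = 20) -> bytes:
    """Build an RFC 3164-style datagram shaped like an ASA syslog message.

    PRI = facility*8 + severity. Facility 20 is local4 (assumed to be the ASA
    default; change it if you set `logging facility` differently). The
    severity is the same digit that appears in the %ASA-<severity>-... header.
    """
    pri = facility * 8 + severity
    # Timestamp is a constructed placeholder.
    line = f"<{pri}>Jan 10 12:00:00 {hostname} %ASA-{severity}-{msg_id}: {text}"
    return line.encode()


def send_and_receive(datagram: bytes, host: str = "127.0.0.1",
                     timeout: float = 2.0) -> Tuple[int, bytes]:
    """Start a throwaway UDP listener (standing in for the Elastic Agent),
    send one datagram to it and return (port, payload received)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.settimeout(timeout)
    listener.bind((host, 0))
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(datagram, (host, port))
        payload, _ = listener.recvfrom(65535)
        return port, payload
    finally:
        sender.close()
        listener.close()


def send_test_event(host: str, port: int) -> bytes:
    """Fire one constructed ASA event at a real listener, e.g. the agent's
    host and Listen Port, so arrival can be confirmed with tcpdump/Discover."""
    datagram = build_asa_syslog(
        4, "106023",
        'Deny tcp src outside:198.51.100.7/4444 dst inside:192.168.110.50/22 '
        'by access-group "outside_in" [0x0, 0x0]',
    )
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))
    return datagram


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python check.py <agent-host> <udp-port>
        print("sent:", send_test_event(sys.argv[1], int(sys.argv[2])).decode())
    else:
        port, held, released = demonstrate_port_conflict()
        print(f"port {port}: free while held={held}, after release={released}")
        print("5045 free on 0.0.0.0:", udp_port_is_free(5045))
```

Run without arguments on the agent host to confirm the chosen port is not already taken; run with `<agent-host> <port>` from another machine to send a test event to the Elastic Agent's Listen Port before touching the ASA configuration.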
