send Log ASA to Security Analytics and Logging for Secure Network

401
Level 1


"I've configured syslog forwarding on my Cisco ASA to send logs to Secure Network Analytics, and the ASA's logging configuration is complete. However, I've noticed that the UDP TX counter for this destination is consistently at 3, which suggests logs aren't being sent successfully to Secure Network Analytics. Interestingly, syslogs are being sent to CSM without any issues. What steps should I take to diagnose and resolve this log delivery problem to Secure Network Analytics?"




Use capture for traffic going out of the outside interface (or the interface used to connect to the server).
MHM

401
Level 1

Is it necessary to add the ACL "access-list configuration OUTSIDE extended permit udp host <IP_interface_ASA> host <IP_SNA> eq 8514"?


@401 wrote:

Is it necessary to add the ACL "access-list configuration OUTSIDE extended permit udp host <IP_interface_ASA> host <IP_SNA> eq 8514"?


In the capture command you can specify the host IP.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

MHM

Any news?

For more details:

1- Only a control-plane ACL can permit/deny traffic initiated from the ASA interface itself.

2- Did you use capture? In the capture, use the same interface you used to configure the server in the ASA.

MHM

This is not transit traffic passing through the firewall; instead it is generated by the firewall itself, so no transit ACL is needed for this to work.

For syslog traffic that will be sent to SNA, does it go through the OUTSIDE Management IP or through the DATA IP?

When you configure syslog on the ASA you define the interface name that you want it to be used to reach the remote syslog server. In your case it seems that you configured the outside interface. So, the ASA in your case tries to reach SNA out of the outside interface. If SNA is sitting somewhere else on your network and it's reachable via a different interface then you should change that configuration.

I can confirm that I am using the 'outside' interface, and I've configured it the same way for both the CSM and the SIEM. Interestingly, other contexts on the same firewall are successfully sending their syslog logs. Is there a way to find a specific error code for the logs that are failing? This would help me analyze the root cause of the problem.

I'm running out of ideas here. Could you please try to issue the command "sh conn all | i <the IP of the SNA>" and see if you have any connection established? Also, could you please run the packet capture on the outside interface as already suggested and see if you see any traffic going to SNA? Also, have you checked on SNA to see if there are actually any logs received? Finally, could you please share the sanitized output of the command "sh run logging" for review?
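The checks suggested across the replies above (capture on the interface named in the logging config, "sh conn all", "sh run logging", comparing against a working context), collected into one ASA CLI sequence. This is an added example, not part of the original thread; the interface name "outside", the addresses 198.51.100.1 (ASA) and 192.0.2.10 (SNA), port 8514 and the capture name are constructed placeholders.

```text
! Constructed placeholders: ASA outside interface 198.51.100.1, SNA collector 192.0.2.10,
! syslog port udp/8514, capture name SNA_SYSLOG. Substitute your own values.

! 1. Confirm what the ASA is configured to send, and out of which interface.
show run logging
! Expect something like:
!   logging enable
!   logging trap informational
!   logging host outside 192.0.2.10 udp/8514
! The interface named on the "logging host" line is the one the ASA will use;
! if SNA is reachable via a different interface, this line is wrong.

! 2. Confirm the collector is reachable from that interface (a routing question,
!    not a transit-ACL question, since the traffic originates on the ASA).
show route 192.0.2.10
ping outside 192.0.2.10

! 3. Capture self-originated syslog on the same interface as the "logging host" line.
capture SNA_SYSLOG interface outside match udp host 198.51.100.1 host 192.0.2.10 eq 8514
! Leave it running long enough for a few syslog messages to be generated, then:
show capture SNA_SYSLOG
! Packets seen here but nothing arrives at SNA  -> look at the path (upstream
!   filtering/NAT) and at the SNA listener on udp/8514.
! No packets seen here                          -> ASA-side: wrong interface,
!   messages filtered below the "logging trap" level, or logging disabled.

! 4. Look for a from-the-box connection entry and the per-destination state.
show conn all | include 192.0.2.10
show logging | include 192.0.2.10
! The second command shows the per-host state for this destination (including the
! TX counter on versions that display it).

! 5. In multi-context mode, compare against a context that is known to deliver.
changeto context <working-context-name>
show run logging

! 6. Remove the capture when done.
no capture SNA_SYSLOG
```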

Marvin Rhoads
Hall of Fame

Why would you send syslog messages to SNA vs. the much more useful Netflow Secure Event Log (NSEL) messages?
