Syslog format and the host field

We've recently upgraded our WSA version from 11.5 to 11.8. We have a log subscription with a syslog push. Before the upgrade the host field in the syslog message was the IP address of the management interface; after the upgrade the host field in the syslog message is the hostname of the management interface.

This caused some problems at our SIEM because the filtering is based on the host field and suddenly that changed.

I couldn't find this change in the release notes.

 

So, is there any way to keep using the IP address in the host field?

We are planning to upgrade our ESAs in the near future. Currently they are using the IP address in the host field; does the newest version of the ESA software (v14) also use the hostname in the host field?

5 Replies

Which log are you sending to the SIEM? Mail logs?

On our WSAs we are sending the access logs to the syslog server.

On our ESAs we are sending IronPort text mail logs.

 

We are seeing the changed behaviour on our WSAs after the upgrade from 11.5 to 11.8.

On our ESAs we are running v13.5 and planning to upgrade to v14.0. I'm wondering if that change is also going to happen on the ESAs.

 

amojarra
Cisco Employee

There was an enhancement in 11.7: CSCvj55508 (Bug Search Tool, cisco.com).

Maybe the fields have changed position.

Can you check the raw logs and see if the IP address of the WSA is in some other column?

 

 


As far as I can see, the only difference between the old syslog entry and the new syslog entry is the IP address/hostname field.


NEW
Jun 29 00:38:15 <hostname> AccesslogSyslog: Info: 1656455894.418 121791 <client-ip> TCP_MISS/200 63415 CONNECT tunnel://<destname>:443/ - DIRECT/<destname> - ALLOW_WBRS_12-PwsServices-PwsServices-NONE-NONE-NONE-DefaultGroup-NONE <"C_PwsW",9.2,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_meet",-,"-","Online Meetings","-","Microsoft Dynamics CRM","Enterprise Applications","Encrypted","-",4.17,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.5.00.8070 Chrome/85.0.4183.121 Electron/10.4.7 Safari/537.36" - 2255 a.b.c.d -

OLD
Jun 13 00:00:05 <ip address> AccesslogSyslog: Info: 1655071196.220 124816 <client-ip> TCP_MISS/200 63435 CONNECT tunnel://<destname>:443/ - DIRECT/<destname> - ALLOW_WBRS_12-PwsServices-PwsServices-NONE-NONE-NONE-DefaultGroup-NONE <C_PwsW,9.2,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_meet,-,"-","-","Microsoft Dynamics CRM","Enterprise Applications","Encrypted","-",4.07,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-> - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.5.00.12969 Chrome/85.0.4183.121 Electron/10.4.7 Safari/537.36" - 2260 a.b.c.d -

fw_mon
Level 1

We had a similar situation and configured the WSA to push logs to the syslog server into different directories, so the SIEM can assign the hostname of the sending WSA based on the folder name.

wsa1 pushes to /data/logs/wsa1

wsa2 pushes to /data/logs/wsa2

and so on..

The SIEM agent (Splunk in our case) assigns the hostname based on a segment of the path. This works very well.
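An added example, not code from the thread or from Cisco, of how a SIEM-side ingest step can absorb the change the original poster hit (host field switching from IP to hostname after the upgrade) and also the directory-based workaround fw_mon describes. It parses the BSD-style syslog header of a pushed WSA access-log line, classifies the host field as an IP literal or a hostname, maps either form to one canonical device name, and falls back to a path-segment lookup (the same idea as assigning the host from a folder name) when the host field is unknown. The sample lines are constructed from the redacted entries above with documentation IPs and names, the long WBRS/AVC field block shortened; `DEVICE_ALIASES` is an assumed inventory, and the directory layout `/data/logs/<wsa>` is taken from fw_mon's description.

```python
"""Normalize the syslog host field of Cisco WSA/ESA log pushes so SIEM
filters keep matching whether the appliance reports an IP or a hostname."""
import ipaddress
import re
from pathlib import PurePosixPath

# Constructed sample lines modelled on the redacted WSA access-log entries in
# the thread; IPs and names are documentation values (RFC 5737 / RFC 2606),
# and the WBRS/AVC field block is shortened. Not real appliance output.
SAMPLE_NEW = (
    "Jun 29 00:38:15 wsa1.example.com AccesslogSyslog: Info: 1656455894.418 121791 "
    "198.51.100.23 TCP_MISS/200 63415 CONNECT tunnel://meet.example.net:443/ - "
    "DIRECT/meet.example.net - ALLOW_WBRS_12-PwsServices-PwsServices-NONE-NONE-NONE-DefaultGroup-NONE"
)
SAMPLE_OLD = (
    "Jun 13 00:00:05 192.0.2.10 AccesslogSyslog: Info: 1655071196.220 124816 "
    "198.51.100.23 TCP_MISS/200 63435 CONNECT tunnel://meet.example.net:443/ - "
    "DIRECT/meet.example.net - ALLOW_WBRS_12-PwsServices-PwsServices-NONE-NONE-NONE-DefaultGroup-NONE"
)

# Assumed inventory: every identity an appliance may put in the host field,
# mapped to the one canonical device name the SIEM rules key on.
DEVICE_ALIASES = {
    "192.0.2.10": "wsa1",
    "wsa1.example.com": "wsa1",
    "wsa1": "wsa1",
    "192.0.2.11": "wsa2",
    "wsa2.example.com": "wsa2",
}

# BSD-style header as pushed by the appliance: "Mon DD HH:MM:SS HOST TAG: MSG".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def parse_header(line):
    """Split a line into timestamp, host, tag and message; None if it does not
    carry a syslog header at all."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def host_kind(host):
    """Classify the host field: 'ip' for IPv4/IPv6 literals, else 'hostname'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "hostname"


def host_from_path(path, segment):
    """Path-segment host assignment (what fw_mon describes doing in Splunk):
    1-based index into the path components, ignoring the root."""
    parts = [p for p in PurePosixPath(path).parts if p != "/"]
    return parts[segment - 1] if 1 <= segment <= len(parts) else None


def canonical_device(host, aliases=DEVICE_ALIASES, path=None, segment=None):
    """Resolve whatever the appliance put in the host field to a canonical name:
    full value first, then the short name (label before the first dot), then
    the ingest directory if one was given, otherwise None."""
    if host in aliases:
        return aliases[host]
    if host_kind(host) == "hostname":
        short = host.split(".", 1)[0]
        if short in aliases:
            return aliases[short]
    if path is not None and segment is not None:
        from_path = host_from_path(path, segment)
        if from_path is not None:
            return aliases.get(from_path, from_path)
    return None


def normalize(line, path=None, segment=None):
    """Turn one raw pushed line into a record with a stable 'device' field."""
    hdr = parse_header(line)
    if hdr is None:
        return None
    return {
        "device": canonical_device(hdr["host"], path=path, segment=segment),
        "host_kind": host_kind(hdr["host"]),
        "raw_host": hdr["host"],
        "tag": hdr["tag"],
        "message": hdr["msg"],
    }


def filter_for_device(lines, device, path=None, segment=None):
    """SIEM-side filter keyed on the canonical device rather than the raw host,
    so pre- and post-upgrade lines from the same appliance land in one bucket."""
    recs = (normalize(l, path=path, segment=segment) for l in lines)
    return [r for r in recs if r is not None and r["device"] == device]


if __name__ == "__main__":
    for rec in filter_for_device([SAMPLE_NEW, SAMPLE_OLD], "wsa1"):
        print(rec["device"], rec["host_kind"], rec["raw_host"])
```

Keying rules on the canonical device rather than the literal host field is the part that survives firmware changes; the alias table is the thing to maintain (both the management IP and the hostname of every appliance), and the path-segment fallback only helps if each appliance really does push into its own directory.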