Azure-docs: Cisco ASA cannot be configured to send Syslog messages over TCP 514

Created on 9 Mar 2020 · 19 comments · Source: MicrosoftDocs/azure-docs

I have been attempting to get this working for HOURS! The confusing thing about it is that this article says the syslog daemon on my Linux machine needs to be configured to listen for messages on TCP port 514, but syslog messages cannot be sent by a Cisco ASA over 514/tcp. It must be a port greater than 1025! The default for a Cisco ASA is to send syslog messages to port 514/udp. Very confused.

Most helpful comment

Glad to help! It's a minor annoyance, but at the same time I kind of like having a local syslog server running so I can glance at it throughout the day and then using the CEF collector to import to Azure Sentinel for the analytics to run through it. It's been very helpful for identifying connection attempts from suspect IPs and blocking them at the ASA.

All 19 comments

Should note I can see the mock data in the Azure portal when I run it, but the CEF collector isn't getting any of the syslog messages sent from my ASA over 514/udp...

@mbell85
Thanks for your feedback! We will investigate and update as appropriate.

@mbell85 Please check this documentation which is specific to connecting Cisco ASA to sentinel
which says that you need to "Set port to 514 or the port you set in the agent." Please let me know if you still face any issues.

Not sure how to set the port in the OMS agent. There is no documentation.

@yelevin Can you please help..

Hey guys,

I had a call with Roger Fleming from Microsoft and we got it working!

Thanks!

@mbell85 Great to hear that you are unblocked. Appreciate if you could help providing the solution details so that I take it up to the documentation author to get that information added to the documentation.

@mbell85 can you please help providing your solution.

In my case, it turned out not to be the ASA that was the problem, but the VM where the OMS Agent was installed. The OMS Agent could post mock messages to Sentinel but syslog test messages never made it through. We ended up scrapping the VM and spinning up a brand new one (Ubuntu Server 18.04).

As for getting the ASA to send syslogs directly to the VM agent, it didn't work directly using the local IP because my ASA is also serving as our gateway for the Azure site-to-site VPN. What I ended up doing was setting up a free syslog server on a Windows 10 machine in my on-prem subnet and forwarding the messages on to the OMS Agent installed on the Linux VM in Azure.

Now all is working great!

The messages getting sent to the machine are indeed being sent over UDP 514. Thought I should add that.

We also made sure to turn off auto provisioning in Azure, as it was initially tying the machine to my default workspace instead of the sentinel workspace.

*auto provisioning in Azure Security Center. Just to be clear.

@mbell85 Thank you for providing the details.
@yelevin Can you please take a look to see if you can add any information to the documentation.

We are having the same issue. ASA traffic is sent to Syslog collector on port 514 UDP but traffic never gets to Sentinel through the CEF connector.

The CEF connector shows as connected and we can see the MOCK entries in the CommonSecurityLog table in Log Analytics but no real traffic.

We have the following in the config file:

:rawmsg, regex, "CEF"|"ASA"
*.* @@127.0.0.1:25226

Any suggestions?
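The two rsyslog rules quoted in the comment above do one thing each: the first selects messages whose raw text matches the regex "CEF"|"ASA", the second forwards every selected message over TCP ('@@') to the agent on 127.0.0.1:25226. The following is an added example, not code from this thread or from Microsoft's collector, that re-creates that path in Python so the filter can be exercised offline: a UDP socket stands in for rsyslog's imudp listener on 514, a TCP sink stands in for omsagent on 25226 (both on OS-assigned localhost ports so the script is self-contained), and the three syslog lines, an ASA connection event, a CEF-formatted ASA event and an unrelated sshd line, are constructed for the demo.

```python
import re
import socket
import threading

# Added example, not from the thread: a stand-in for the two rsyslog rules
#   :rawmsg, regex, "CEF"|"ASA"
#   *.* @@127.0.0.1:25226
# Datagrams (what the ASA sends) are filtered on their raw text and the
# survivors are forwarded newline-framed over TCP ('@@' is rsyslog's TCP
# forward). Ports are OS-assigned here so the demo is self-contained; a real
# collector listens on 514/udp and forwards to 25226/tcp.
FORWARD_RE = re.compile(r"CEF|ASA")  # rsyslog 'regex' is unanchored and case-sensitive


def should_forward(raw: bytes) -> bool:
    """True when the raw syslog message would pass the rsyslog filter."""
    return FORWARD_RE.search(raw.decode("utf-8", "replace")) is not None


def frame_for_tcp(raw: bytes) -> bytes:
    """rsyslog's default ('traditional') TCP framing: one message per line."""
    return raw.rstrip(b"\r\n") + b"\n"


def relay(udp_sock: socket.socket, tcp_target: tuple, count: int) -> int:
    """Read `count` datagrams from udp_sock and forward the matching ones over TCP.

    Returns the number of messages forwarded.
    """
    forwarded = 0
    with socket.create_connection(tcp_target) as tcp:
        for _ in range(count):
            data, _peer = udp_sock.recvfrom(65535)
            if should_forward(data):
                tcp.sendall(frame_for_tcp(data))
                forwarded += 1
    return forwarded


def run_demo(messages):
    """Push constructed datagrams through the relay; return the lines the TCP side received."""
    sink = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # stands in for omsagent on 25226
    sink.bind(("127.0.0.1", 0))
    sink.listen(1)
    received = []

    def collect():
        conn, _ = sink.accept()
        buf = b""
        with conn:
            while chunk := conn.recv(4096):
                buf += chunk
        received.extend(buf.splitlines())

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # stands in for rsyslog imudp on 514
    udp.bind(("127.0.0.1", 0))
    udp.settimeout(5)  # a lost datagram must not hang the demo

    sink_thread = threading.Thread(target=collect)
    sink_thread.start()
    relay_thread = threading.Thread(target=relay, args=(udp, sink.getsockname(), len(messages)))
    relay_thread.start()

    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # stands in for the ASA
    for msg in messages:
        sender.sendto(msg, udp.getsockname())
    relay_thread.join()
    sink_thread.join()
    for s in (sender, udp, sink):
        s.close()
    return received


# Constructed sample traffic: two lines the filter should pass, one it should drop.
SAMPLE_MESSAGES = [
    b"<166>Mar 13 2020 19:11:32: %ASA-6-302013: Built inbound TCP connection 8812 "
    b"for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:10.0.0.5/443 (192.0.2.10/443)",
    b"<134>Mar 13 2020 19:11:33 asa01 CEF:0|Cisco|ASA|9.12|106023|Deny tcp|5|"
    b"src=203.0.113.9 dst=10.0.0.5 dpt=3389",
    b"<13>Mar 13 2020 19:11:34 ubuntu sshd[1234]: Accepted publickey for alice from 10.0.0.8",
]

if __name__ == "__main__":
    for line in run_demo(SAMPLE_MESSAGES):
        print(line.decode())
```

Run directly, it prints the two lines that would reach omsagent; the sshd line is dropped exactly as the rawmsg filter drops it. Note that the filter is a plain substring regex: any message containing the bytes ASA or CEF anywhere is sent to the agent, including chatter from other hosts the collector happens to receive, and a message that lacks both strings is silently discarded even though it arrived on 514/udp.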

@fbinotto is there any update on this, I am having the same issue.

Just FYI. The way I eventually got around this problem was to configure the ASA to send the messages to a Syslog server capable of forwarding the messages on to the machine running the CEF collector. Have been using it this way since back in March and works great.

@mbell85 thanks for the prompt response.
Actually got it working by sending UDP logs from the Cisco to the syslog collector and forwarding those logs to the agent's port (localhost:25226).
Logs are now showing up in Sentinel, but it is still sad that the CEF collector does not work directly.

Glad to help! It's a minor annoyance, but at the same time I kind of like having a local syslog server running so I can glance at it throughout the day and then using the CEF collector to import to Azure Sentinel for the analytics to run through it. It's been very helpful for identifying connection attempts from suspect IPs and blocking them at the ASA.

Had this issue on RHEL 8.3_64 using rsyslog8.
Can confirm it is just a config issue on the agent server:

  • rsyslog will receive Cisco ASA UDP/514 syslogs fine
  • UDP is passed by rsyslog to OMSagent on TCP 25226
  • We also forward Checkpoint logexporter logs to TCP/514 on the same agent

To listen on both TCP and UDP add the below to rsyslog.conf:
$ModLoad imtcp
$InputTCPServerRun 514
$ModLoad imudp
$UDPServerRun 514
# the *ServerRun lines open the listeners; $ModLoad on its own only loads the module

Make sure the firewall rules are in place:
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 25226 -j ACCEPT
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 514 -j ACCEPT
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p udp --dport 514 -j ACCEPT
Relax SELinux in /etc/selinux/config, as it will break OMSAgent.
Make sure the OMS agent egresses via your proxy: /etc/opt/microsoft/omsagent/proxy.conf
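Loading imudp or imtcp with $ModLoad only makes the input module available; rsyslog opens a socket only when a $UDPServerRun / $InputTCPServerRun directive (legacy syntax) or an input(type=...) object (RainerScript) names a port, and nothing reaches omsagent without a forward rule to 127.0.0.1:25226. The checker below is an added example, not part of this thread or of any Microsoft tooling; it parses both syntaxes for those three things and reports what is missing, which covers the failure mode this thread keeps circling (collector "connected", mock data visible, no real ASA traffic). The three configurations it runs against are constructed for the demo; the port numbers are the ones used in this thread.

```python
import re

# Added example, not from the thread: checks the rsyslog side of a Sentinel
# CEF collector for the three things the messages depend on: the input module
# is loaded, a listener actually opens the port, and matching messages are
# forwarded over TCP to omsagent on 127.0.0.1:25226. Legacy ($-directive) and
# RainerScript syntaxes are both recognised. Port numbers are those used in
# the thread; the configurations at the bottom are constructed for the demo.

LEGACY_MODLOAD = re.compile(r"^\$ModLoad\s+(im\w+)", re.I)
LEGACY_UDP_RUN = re.compile(r"^\$UDPServerRun\s+(\d+)", re.I)
LEGACY_TCP_RUN = re.compile(r"^\$InputTCPServerRun\s+(\d+)", re.I)
LEGACY_FORWARD = re.compile(r"@@\[?([^\]\s:]+)\]?:(\d+)")  # '@@host:port' = TCP forward
RAINER_MODULE = re.compile(r'^module\(\s*load\s*=\s*"(im\w+)"', re.I)
RAINER_INPUT = re.compile(r'^input\(\s*type\s*=\s*"(im\w+)"[^)]*\bport\s*=\s*"(\d+)"', re.I)
RAINER_FORWARD = re.compile(r'action\(\s*type\s*=\s*"omfwd"([^)]*)\)', re.I)


def _attr(rest: str, name: str):
    """Pull name="value" out of a RainerScript object's parameter list."""
    m = re.search(rf'\b{name}\s*=\s*"([^"]+)"', rest, re.I)
    return m.group(1) if m else None


def parse_collector_conf(text: str):
    """Return (loaded input modules, {(proto, port)} listeners, {(proto, host, port)} forwards)."""
    modules, listeners, forwards = set(), set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; adequate for these directives
        if not line:
            continue
        if m := LEGACY_MODLOAD.match(line) or RAINER_MODULE.match(line):
            modules.add(m.group(1).lower())
        elif m := LEGACY_UDP_RUN.match(line):
            listeners.add(("udp", int(m.group(1))))
        elif m := LEGACY_TCP_RUN.match(line):
            listeners.add(("tcp", int(m.group(1))))
        elif m := RAINER_INPUT.match(line):
            proto = "udp" if m.group(1).lower() == "imudp" else "tcp"
            listeners.add((proto, int(m.group(2))))
        if m := LEGACY_FORWARD.search(line):
            forwards.add(("tcp", m.group(1), int(m.group(2))))
        elif m := RAINER_FORWARD.search(line):
            host, port = _attr(m.group(1), "target"), _attr(m.group(1), "port")
            if host and port:  # omfwd defaults to UDP when protocol is not given
                forwards.add(((_attr(m.group(1), "protocol") or "udp").lower(), host, int(port)))
    return modules, listeners, forwards


def check_collector_conf(text: str, udp_port: int = 514, agent=("127.0.0.1", 25226)) -> list:
    """Return findings; an empty list means the ASA -> rsyslog -> omsagent path is wired up."""
    modules, listeners, forwards = parse_collector_conf(text)
    findings = []
    if "imudp" not in modules:
        findings.append(f"imudp is not loaded: nothing will accept the ASA's UDP/{udp_port} syslog")
    elif ("udp", udp_port) not in listeners:
        findings.append(f'imudp is loaded but no $UDPServerRun / input(type="imudp") opens UDP/{udp_port}')
    tcp_ports = {port for proto, port in listeners if proto == "tcp"}
    if "imtcp" in modules and not tcp_ports:
        findings.append('imtcp is loaded but no $InputTCPServerRun / input(type="imtcp") opens a TCP port')
    elif tcp_ports and "imtcp" not in modules:
        findings.append(f"TCP listener on {sorted(tcp_ports)} configured but imtcp is not loaded")
    if ("tcp", agent[0], agent[1]) not in forwards:
        findings.append(f"no TCP forward (@@{agent[0]}:{agent[1]}) to the agent: omsagent will never see the messages")
    return findings


# Constructed configurations: the first loads the modules but declares no
# listener (so rsyslog opens no socket); the other two are complete.
MODULES_ONLY = """\
$ModLoad imtcp
$ModLoad imudp
:rawmsg, regex, "CEF"|"ASA"
*.* @@127.0.0.1:25226
"""

LEGACY_COMPLETE = """\
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
:rawmsg, regex, "CEF"|"ASA"
*.* @@127.0.0.1:25226
"""

RAINERSCRIPT_COMPLETE = """\
module(load="imudp")
input(type="imudp" port="514")
if re_match($rawmsg, "CEF|ASA") then {
    action(type="omfwd" target="127.0.0.1" port="25226" protocol="tcp")
}
"""

if __name__ == "__main__":
    for name, conf in [("modules only", MODULES_ONLY), ("legacy", LEGACY_COMPLETE),
                       ("rainerscript", RAINERSCRIPT_COMPLETE)]:
        print(f"{name}: {check_collector_conf(conf) or 'OK'}")
```

Point it at the real file with `check_collector_conf(open("/etc/rsyslog.conf").read())` (and at each drop-in under /etc/rsyslog.d/, since the Sentinel installer writes its rules to a separate file there). It is a static check only: after the config is right, confirm the sockets with `ss -lnup | grep :514` and `ss -lntp | grep 25226`, and remember that a firewall rule, SELinux denial or a proxy that blocks the agent's egress will each produce the same symptom, mock data in CommonSecurityLog and nothing from the ASA.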
