microsoft / OMS-Agent-for-Linux

http://www.microsoft.com/oms

Understanding Cisco ASA CEF Flow #1525

Open Demondep opened 1 year ago

Demondep commented 1 year ago

Hoping someone can point me in the right direction...

I'm trying to figure out exactly how Cisco ASA messages, brought into the OMS Agent, actually become CEF formatted.

I know this happens by forwarding them to port 25226, which is using security_agent.conf. I'm using the standard one:

<source>
  type syslog
  port 25226
  bind 127.0.0.1
  time_format %b %d %H:%M:%S
  protocol_type tcp
  tag oms.security
  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  <parse>
    message_format auto
  </parse>
</source>

<filter oms.security.**>
  type filter_syslog_security
</filter>

That 'format' line will break up an ASA message into 4 fields (time, host, ident, message). From there /opt/microsoft/omsagent/plugin/filter_syslog_security.rb comes into play. That will take the messages, and produce a structure including Timestamp, EventTime, Message, Facility, Severity, Host. Individual messages seem to be wrapped in a larger structure that looks like:

{"DataType"=>"SECURITY_CISCO_ASA_BLOB", "IPName"=>"Security", "DataItems"=>[ (Individual Logs) ]}

Ok. It's at this point it looks like the OMS agent is done, and sends off the logs. All the documentation gets really grey at this point. Where is this data structure getting turned into CEF, prior to it ending up in the CommonSecurityLog table?

Is it within the OMSAgent somewhere? Is it on the Azure side?

8yumzy88 commented 7 months ago

It doesn't get transformed to CEF anywhere -- you need to change the syslog settings on your ASAs to output in CEF format.
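The following is an added example, not code from the OMS-Agent-for-Linux project or from either poster. It runs the `format` regex quoted from security_agent.conf above over a few constructed syslog lines (made-up hostname, RFC 5737 addresses) and shows what the four captures look like: a native `%ASA-x-nnnnnn` line lands in the `%ASA[0-9\-]{8,10}` branch of `ident` with its message text left exactly as received, while only a line that already carries a `CEF:` header lands in the `.*CEF.+?(?=0\|)` branch with a `0|...` message. The `wrap_as_blob` helper is an assumption that mirrors just the outer `DataType`/`IPName`/`DataItems` shape described in the issue using the captured fields; the real `filter_syslog_security.rb` also derives Timestamp, Facility and Severity, which this example does not attempt.

```ruby
# Added example (not OMS-Agent-for-Linux project code): exercise the 'format'
# regex from security_agent.conf to see which 'ident' branch each line takes.

# The 'format' regex exactly as quoted from security_agent.conf in the issue.
ASA_FORMAT = /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/

# Constructed sample lines: hostname and addresses are made up (RFC 5737 ranges).
SAMPLE_LINES = [
  'Jan 14 11:22:33 asa-fw-1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:192.0.2.10/443 (192.0.2.10/443)',
  '2024-01-14T11:22:35.123+00:00 asa-fw-1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:192.0.2.10/22 by access-group "outside_in"',
  'Jan 14 11:22:34 asa-fw-1 CEF:0|Cisco|ASA|9.8|106023|Deny|6|src=198.51.100.7 dst=192.0.2.10',
  'this line matches neither timestamp shape'
].freeze

# Split one syslog line into the four named captures (time, host, ident, message).
# Returns nil when the regex does not match at all.
def parse_line(line)
  m = ASA_FORMAT.match(line)
  return nil unless m
  { time: m[:time], host: m[:host], ident: m[:ident], message: m[:message] }
end

# True only when the line already carried a CEF header: the 'ident' capture came
# from the ".*CEF.+?(?=0\|)" branch and the message starts with the CEF version "0|".
# A native %ASA line never satisfies this; the regex does not rewrite it.
def cef?(fields)
  fields[:ident].to_s.include?('CEF') && fields[:message].to_s.start_with?('0|')
end

# Assumed helper: mirrors the outer shape described in the issue
# ({"DataType"=>"SECURITY_CISCO_ASA_BLOB", "IPName"=>"Security", "DataItems"=>[...]})
# with only the regex captures. The message is stripped because the regex's
# "\s*:?" leaves the space after the colon in the 'message' capture.
def wrap_as_blob(fields_list)
  items = fields_list.map do |f|
    { 'EventTime' => f[:time], 'Host' => f[:host], 'Message' => f[:message].to_s.strip }
  end
  { 'DataType' => 'SECURITY_CISCO_ASA_BLOB', 'IPName' => 'Security', 'DataItems' => items }
end

if __FILE__ == $0
  SAMPLE_LINES.each do |line|
    f = parse_line(line)
    if f.nil?
      puts "no match : #{line}"
    else
      kind = cef?(f) ? 'CEF    ' : 'native '
      puts "#{kind} time=#{f[:time].inspect} host=#{f[:host].inspect} ident=#{f[:ident].inspect}"
    end
  end
end
```

Run it with `ruby` and compare the `ident` column: the two `%ASA` lines keep their message ID as `ident`, and nothing in this stage turns them into CEF, which is the point the question is circling.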