Hoping someone can point me in the right direction...
I'm trying to figure out exactly how Cisco ASA messages, brought into the OMS Agent, actually become CEF formatted.
I know this happens by forwarding them to port 25226, which is using security_agent.conf. I'm using the standard one:
<source>
  type syslog
  port 25226
  bind 127.0.0.1
  time_format %b %d %H:%M:%S
  protocol_type tcp
  tag oms.security
  format /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/
  <parse>
    message_format auto
  </parse>
</source>
<filter oms.security.**>
  type filter_syslog_security
</filter>
That 'format' line will break up an ASA message into 4 fields (time, host, ident, message). From there /opt/microsoft/omsagent/plugin/filter_syslog_security.rb comes into play. That will take the messages, and produce a structure including Timestamp, EventTime, Message, Facility, Severity, Host. Individual messages seem to be wrapped in a larger structure that looks like:
{"DataType"=>"SECURITY_CISCO_ASA_BLOB", "IPName"=>"Security", "DataItems"=>[ (Individual Logs) ]}
Ok. It's at this point it looks like the OMS agent is done, and sends off the logs. All the documentation gets really grey at this point. Where is this data structure getting turned into CEF, prior to it ending up in the CommonSecurityLog table?
Is it within the OMSAgent somewhere? Is it on the Azure side?
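To see exactly what the 'format' regex from security_agent.conf hands to filter_syslog_security.rb, here is an added example (not from the original post or the OMS agent code) that applies that same regex to two constructed syslog lines, one plain %ASA message and one already CEF-wrapped, and returns the four named captures; the device name, timestamps and message bodies are made up.

```ruby
# The 'format' regex copied from the security_agent.conf shown in the post.
# Ruby named groups (?<name>...) become the time/host/ident/message fields
# that filter_syslog_security.rb later turns into Timestamp, Host, Message, etc.
FORMAT = /(?<time>(?:\w+ +){2,3}(?:\d+:){2}\d+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.[\w\-\:\+]{3,12}):?\s*(?:(?<host>[^: ]+) ?:?)?\s*(?<ident>.*CEF.+?(?=0\|)|%ASA[0-9\-]{8,10})\s*:?(?<message>0\|.*|.*)/

# Apply the regex to one syslog line. Returns a Hash with keys
# "time", "host", "ident", "message", or nil when the line does not match
# (e.g. a non-syslog line, which the fluentd input would drop).
def split_syslog(line)
  m = FORMAT.match(line)
  return nil unless m
  # named_captures -> {"time"=>..., "host"=>..., "ident"=>..., "message"=>...}
  m.named_captures
end

# Constructed sample lines (not real device output).
# 1) A native ASA syslog line: ident takes the %ASA[0-9\-]{8,10} alternative
#    and the message keeps the leading space after the colon.
ASA_LINE = "Jan 12 10:22:33 asa-fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 to inside:10.0.0.7/51234"
# 2) A CEF-wrapped line: ident takes the .*CEF.+?(?=0\|) alternative and the
#    message starts at the CEF version field "0|".
CEF_LINE = "Jan 12 10:22:34 asa-fw01 CEF:0|Cisco|ASA|9.8|302013|Built connection|3|src=10.0.0.7 dst=203.0.113.5"

if __FILE__ == $0
  [ASA_LINE, CEF_LINE, "not a syslog line"].each do |line|
    puts line
    p split_syslog(line)
  end
end
```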