About Security Analytics and Logging (SAL SaaS) for the ASA

Security Analytics and Logging (SaaS) allows you to capture all syslog events and Netflow Secure Event Logging (NSEL) from your ASA and view them in one place in Security Cloud Control.

The events are stored in the Cisco cloud and viewable from the Event Logging page in Security Cloud Control where you can filter and review them to gain a clear understanding of what security rules are triggering in your network. The Logging and Troubleshooting package gives you these capabilities.

With the Logging Analytics and Detection package (formerly Firewall Analytics and Logging package), the system can apply Secure Cloud Analytics dynamic entity modeling to your FTD events, and use behavioral modeling analytics to generate Secure Cloud Analytics observations and alerts. If you obtain a Total Network Analytics and Monitoring package, the system applies dynamic entity modeling to both your FTD events and your network traffic, and generates observations and alerts. You can cross-launch from Security Cloud Control to a Secure Cloud Analytics portal provisioned for you, using Cisco Single Sign-On.

How ASA Events are Displayed in the Security Cloud Control Events Viewer

Syslog events and NSEL events are generated when logging is enabled on the ASA, and network traffic matches access control rule criteria. After the events are stored in the Cisco cloud, you can view them in Security Cloud Control.

You can install multiple Secure Event Connectors (SECs) and send events generated by a rule, on any device, to any of the SECs as if it were a syslog server. The SEC then forwards the event to the Cisco cloud. Do not forward the same events to all of your SECs: doing so duplicates the events sent to the Cisco cloud and needlessly inflates your daily ingest rate.

How Syslog and NSEL Events are Sent from an ASA to the Cisco Cloud by way of the Secure Event Connector

With the basic Logging and Troubleshooting license, this is how an ASA event reaches the Cisco cloud:

  1. You onboard your ASA to Security Cloud Control using a username and password.

  2. You configure the ASA to forward syslog and NSEL events to any one of your SECs as if they were syslog servers and enable logging on the device.

  3. The SEC forwards the events to the Cisco cloud where the events are stored.

  4. Security Cloud Control displays events from the Cisco cloud in the Event Logging page based on the filters you set.
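As an added example, not configuration taken from this page or from Cisco's implementation guide, the ASA CLI below shows the shape of step 2: syslog and NSEL forwarding pointed at a single SEC, which the ASA addresses exactly as it would a syslog or NetFlow collector. The interface name `inside`, the SEC address `192.0.2.10`, and the ports `10125` (syslog) and `2055` (NSEL) are placeholder assumptions; take the real values from your SEC's settings when you follow the Implementing Secure Logging Analytics (SaaS) page.

```text
! Added example. The interface (inside), the SEC address (192.0.2.10) and the
! ports are placeholder assumptions, not values from this page.
! Point syslog and NSEL at ONE SEC only; sending the same events to several
! SECs duplicates what reaches the Cisco cloud and inflates the ingest rate.

! --- Syslog ---
logging enable
logging timestamp
! Severity to forward; informational (6) includes connection build/teardown messages.
logging trap informational
! The SEC is configured like any syslog server. UDP shown; tcp/<port> is also valid.
logging host inside 192.0.2.10 udp/10125
! Caveat for TCP syslog only: by default the ASA stops permitting new connections
! when a TCP syslog destination is unreachable (fail-closed). Uncomment to allow
! traffic to continue if the SEC is down, accepting the loss of events instead.
! logging permit-hostdown

! --- NSEL (NetFlow Secure Event Logging) ---
flow-export destination inside 192.0.2.10 2055
! Resend templates every minute so the collector can decode records soon after a restart.
flow-export template timeout-rate 1
! Attach the exporter to traffic through the global service policy (applied by default).
policy-map global_policy
 class class-default
  flow-export event-type all destination 192.0.2.10
!
service-policy global_policy global
! Optional: suppress the connection build/teardown syslogs that NSEL already reports,
! so the same connection is not ingested twice as a syslog and as a NetFlow record.
! logging flow-export-syslogs disable
```

Verify on the device with `show logging` (the SEC address appears as a logging host and the message counters increase) and `show flow-export counters` (packet and template counts increase as traffic flows); only when both counters move should you expect the corresponding events in the Event Logging page.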

With the Logging Analytics and Detection or Total Network Analytics and Monitoring license, the following also occur:

  1. Cisco Secure Cloud Analytics applies analytics to the ASA syslog events stored in the Cisco cloud.

  2. Generated observations and alerts are accessible from the Secure Cloud Analytics portal associated with your Security Cloud Control portal.

  3. From the Security Cloud Control portal, you can cross-launch your Secure Cloud Analytics portal to review these observations and alerts.

Components Used in the Solution

Secure Device Connector (SDC): The SDC connects Security Cloud Control to your ASAs. The login credentials for the ASA are stored on the SDC.

See Secure Device Connector for more information.

Secure Event Connector (SEC): The SEC is an application that receives events from your ASAs and forwards them to the Cisco cloud. Once in the Cisco cloud, you can view the events on Security Cloud Control's Event Logging page or analyze them with Secure Cloud Analytics. Depending on your environment, the SEC is installed on a Secure Device Connector, if you have one, or on its own Security Cloud Control Connector virtual machine that you maintain in your network. See About Secure Event Connectors for more information.

Adaptive Security Appliance (ASA): The ASA provides advanced stateful firewall and VPN concentrator functionality as well as integrated services with add-on modules. The ASA includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), clustering (combining multiple firewalls into a single firewall), transparent (Layer 2) or routed (Layer 3) firewall operation, advanced inspection engines, and IPsec VPN, SSL VPN, and clientless SSL VPN support.

Secure Cloud Analytics: Secure Cloud Analytics applies dynamic entity modeling to ASA events and generates detections from this information. This provides a deeper analysis of the telemetry gathered from your network, allowing you to identify trends and examine anomalous behavior in your network traffic. This service is available to you if you have a Logging Analytics and Detection or Total Network Analytics and Monitoring license.

Licensing

To configure this solution you need the following accounts and licenses:

  • Security Cloud Control: You must have a Security Cloud Control tenant.

  • Secure Device Connector: There is no separate license for a Secure Device Connector.

  • Secure Event Connector: There is no separate license for a Secure Event Connector.

  • Secure Logging Analytics (SaaS): See Security Analytics and Logging Licenses.

  • Adaptive Security Appliance (ASA): Base license or higher.

Next Step

Go to Implementing Secure Logging Analytics (SaaS) for ASA Devices