This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 85%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Hi there,
We are looking to onboard Cisco ASA logs into Microsoft Sentinel. Currently the Cisco ASA integration guide (linked below) on Microsoft Docs is referencing using the old MMA agent to get these logs onboarded. As this agent is being deprecated in Aug 2024, we would rather not use the old MMA agent and then have to revisit this later on.
The problem is that the Cisco ASA data connector in Sentinel is utilising the CommonSecurityLog table. My understanding is that the MMA agent converted the syslogs into CEF and forwarded them to Sentinel in the CommonSecurityLog table, but that the AMA agent doesn't do this, therefore the logs are being sent to the syslog table.
My question is if anyone knows if Microsoft are working on an updated solution for Cisco ASA logs using the AMA agent, or if anyone has a work-around to get the Cisco ASA logs into sentinel in the correct format needed for the Data Connector, again, using the AMA agent.
Note: Cisco ASA doesn't support CEF so it sends in syslog.
https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-asa
Thanks in advance
Let me do some digging internally...if nobody provides something sooner.
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
There is an AMA version currently undergoing private preview to be released in the near future. Sorry, no specific ETA at this time.
Thank you for looking into it Andrew!
The new AMA version seems to have been released. Problem solved, thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 35%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Hello, what is the status (it's end of November now)?
Ciso ASA can still send (plain) syslog (no CEF) only.
We have ARC+AMA installed an a linux rsyslog-connector.
Forwarding incomming syslog to Log Analytic Workspace is running, table "Syslog" receives events.
So far, so good. ->
BUT, we would like to have a kind of "parser" to write incomming syslog text in a structured way into table "CommonSecurityLog".
Is there a detailed description for exactly that purpose to enable DataCollectionRule(DCR) for transformation, like mentioned in https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-transformations ?
It would really be helpful as long as there is no new Cisca ASA Connector available for AMA.
Thank you for your time and patience on this and I apologize for the delayed response!
Adding onto what was shared by Andrew, I understand that you're trying to onboard Cisco ASA logs into Microsoft Sentinel and want to use the most recent / up to date connector to avoid any migrations in the future. To hopefully help point you in the right direction or resolve your issue, I'll share my findings below.
Findings:
When it comes to workarounds for sending Cisco ASA Syslog's, you can look into forwarding your Syslog data to a Log Analytics workspace with Microsoft Sentinel by using the Azure Monitor Agent. For more info.
Additional Links:
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
Hi James, thank for you taking the time to respond. It seems Microsoft have now released a solution for my issue so this is no longer a problem
Thank you for following up on this and I'm glad that the solution released resolved your issue!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Cisco ASA doesn't sent CEF; only plain syslog.
As long as there a hundret thousends of Cisco ASAs still installed worldwide it is highly appriciatet to have a proper Connector to get the data into Sentinel (into the "CommomSecurityLog" table, for a lot of Analytic Rules depend on finding Firewall data there)!
Please be so kind to support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 44%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Hello,
I have been dealing with a similar issue.... ASA only sends syslog, not CEF.... we are able to collect the ASA into the Syslog table via AMA, however, parsing the data has been a nightmare.
Has anyone else reported this prior?
Just wanted to add for anyone else looking for this. The new connector is now available which uses AMA but is in preview.
https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-asa-ftd-via-ama
The connector creates a data collection rule which uses the "Microsoft-CiscoAsa" log stream format, which seems to do the conversion - same as the legacy agent.