Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2406
Views
0
Helpful
2
Replies

Cisco Prime Integration into SIEM

Go to solution
Peter Long
Level 1
Level 1

‎05-08-2014 02:43 AM - edited ‎02-21-2020 05:10 AM

Hi

I'm about to deploy 2x ASA5585-X Firewalls (with AVC and WSE). Management and configuration will be done via PRSM.

The client has read (I don't know where, I cant find any corroboration), that the information (user tracking, exceptions, etc) that AVC and WSE log to PRSM is in a proprietary format.

We are also deploying an SIEM solution (LogRhythm) and the ASA's will be exporting syslogs into that solution.

My Questions are;

1. Will the WSE and AVC events also be logged to Syslog? Is there a reference for the corresponding syslog message ID?

2. If not will PRSM export that information into SIEM? If so how?

 

Thanks

Pete

www.petenetlive.com 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-08-2014 05:08 AM

The AVC/WSE events are sent to PRSM via a proprietary format - the collateral I have seen describes it as "reliable binary logging". I'd compare it to SDEE as used by the legacy IPS sensors. The events are not reflected as ASA syslog messages,

PRSM is positioned as the top level collector of those logs. It does not have any provision for external SIEM integration. It's reports are either viewed via PRSM itself or via a manually generated PDF.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-08-2014 05:08 AM

The AVC/WSE events are sent to PRSM via a proprietary format - the collateral I have seen describes it as "reliable binary logging". I'd compare it to SDEE as used by the legacy IPS sensors. The events are not reflected as ASA syslog messages,

PRSM is positioned as the top level collector of those logs. It does not have any provision for external SIEM integration. It's reports are either viewed via PRSM itself or via a manually generated PDF.

0 Helpful

Go to solution
Peter Long
Level 1
Level 1
In response to Marvin Rhoads

‎05-08-2014 05:38 AM

Hi Marvin,

While its not what I wanted to hear, sometimes the answer is 'it can't be done', unfortunately. As Cisco ISE integration with SIEM is so good (depending on the SIEM vendor!) Maybe that will change in the future. At least now I'm armed with some more information.

Thanks for you time, I hope I get to return the favour some day.

Regards Pete (www.petenetlive.com)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card