223 changes: 223 additions & 0 deletions ASA Syslog to wazuh SOP
@@ -0,0 +1,223 @@
SOP

Title: Forwarding Cisco ASA Syslog Events to Wazuh SIEM
Document Type: Standard Operating Procedure
Audience: SOC Analysts, Network Engineers, Security Engineers
Purpose:
To document the configuration and validation steps required to send Cisco ASA syslog messages to a Wazuh Manager for centralized logging, analysis, and alerting.

1. Scope

This SOP covers:

Cisco ASA syslog configuration

Transport of syslog messages over TCP

Linux rsyslog handling on the Wazuh server

Wazuh log ingestion via logcollector

Verification of log visibility and alerts in Wazuh

This procedure assumes the Wazuh Manager is deployed on Linux and reachable from the ASA.

2. Architecture Overview

Cisco ASA generates syslog messages

Syslog Transport: TCP port 1516

Receiver: rsyslog on the Wazuh Manager

Log File: /var/log/asa/asa.log

Wazuh Component: wazuh-logcollector

Analysis Engine: wazuh-analysisd

Visualization: Wazuh Dashboard (OpenSearch)

3. Prerequisites
3.1 Network Requirements

ASA must be able to reach the Wazuh Manager IP

TCP port 1516 allowed between ASA and Wazuh

No intermediate firewall blocking syslog traffic

3.2 System Requirements

Wazuh Manager installed and running

rsyslog installed and enabled on Wazuh server

Root or sudo access on Wazuh server

CLI access to Cisco ASA

4. Cisco ASA Configuration
4.1 Enable Syslog Logging

On the Cisco ASA CLI:

logging enable
logging timestamp
logging trap informational


This enables logging and sets the severity level.

4.2 Configure Remote Syslog Server
logging host inside 10.192.30.95 tcp/1516


inside is the ASA interface used to reach the Wazuh server

10.192.30.95 is the Wazuh Manager IP

TCP is used for reliable delivery

4.3 Verify ASA Syslog Status
show logging | include 10.192.30.95


Expected output example:

Logging to Servers 10.192.30.95 tcp/1516 Connected TX:102759


This confirms the ASA is actively sending logs.

5. Wazuh Server Configuration
5.1 rsyslog Listener Configuration

Ensure rsyslog is listening on TCP port 1516.

Example rsyslog configuration snippet:

module(load="imtcp")
input(type="imtcp" port="1516")

$template ASAFormat,"/var/log/asa/asa.log"
if $fromhost-ip == '10.192.30.1' then ?ASAFormat
& stop


Restart rsyslog:

sudo systemctl restart rsyslog

5.2 Verify rsyslog Is Listening
sudo ss -lntp | grep 1516


Expected output:

LISTEN 0 25 0.0.0.0:1516 users:(("rsyslogd",pid=XXXX))

5.3 Verify ASA Log File Population
sudo tail -f /var/log/asa/asa.log


You should see live ASA messages such as:

%ASA-6-305011: Built dynamic TCP translation...

6. Wazuh Configuration
6.1 Configure Log Collection

Edit the Wazuh configuration file:

sudo nano /var/ossec/etc/ossec.conf


Add or verify the following localfile block exists once:

<localfile>
<log_format>syslog</log_format>
<location>/var/log/asa/asa.log</location>
</localfile>

6.2 Restart Wazuh Manager
sudo systemctl restart wazuh-manager


Verify status:

sudo systemctl status wazuh-manager


Expected state:

Active: active (running)

6.3 Confirm Logcollector Activity
sudo grep "Analyzing file: '/var/log/asa/asa.log'" /var/ossec/logs/ossec.log


Expected output:

wazuh-logcollector: INFO: (1950): Analyzing file: '/var/log/asa/asa.log'

7. Validation and Verification
7.1 Confirm Alerts Are Generated
sudo tail -n 20 /var/ossec/logs/alerts/alerts.json | grep asa.log


Expected fields:

"decoder":"cisco-ios"

"groups":["syslog","cisco_ios"]

"location":"/var/log/asa/asa.log"

7.2 Verify in Wazuh Dashboard

In the Wazuh Web UI:

Navigate to Security Events

Use index pattern:

wazuh-alerts-*


Apply filter:

data.cisco.facility : "ASA"


Confirm ASA events are visible and updating

8. Troubleshooting Notes
Symptom Action
ASA connected but no logs Check rsyslog listener and file permissions
Log file exists but no alerts Verify Wazuh localfile entry
Duplicate alerts Check for duplicate localfile blocks
TCP connection drops Verify ASA interface and routing
9. Security and Best Practices

Prefer TCP syslog over UDP for reliability

Restrict syslog port exposure using firewall rules

Monitor log volume to avoid disk exhaustion

Periodically review ASA rule mappings in Wazuh

10. Outcome

At completion of this SOP:

Cisco ASA syslogs are reliably sent to Wazuh

Logs are parsed using Cisco IOS decoders

Security alerts are generated and visible in dashboards

Centralized monitoring of firewall activity is achieved

If you want, next we can:
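Review bot: The TCP transport chosen in 4.2 and recommended in 9 needs `logging permit-hostdown` next to `logging host inside 10.192.30.95 tcp/1516`; with a TCP syslog destination configured, an ASA by default stops admitting new connections through the firewall when that destination becomes unreachable, so the rsyslog restart in 5.1 or the disk exhaustion warned about in 9 becomes a traffic outage rather than a logging gap. Add the command to 4.2 and a row for it in the troubleshooting table. In 5.1, the filter `if $fromhost-ip == '10.192.30.1' then ?ASAFormat` uses an address that appears nowhere else in the SOP; state explicitly that it must be the ASA's inside interface address (the source of the syslog stream), not the Wazuh Manager address 10.192.30.95 from 4.2, because a mismatch sends the messages to the default rsyslog files and 5.3 shows an empty file. The expected `"decoder":"cisco-ios"` fields in 7.1 and the `data.cisco.facility : "ASA"` filter in 7.2 should be confirmed against a real alert from this deployment before the document is published. The trailing line `If you want, next we can:` is a leftover from a chat transcript and should be removed from the SOP.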
62 changes: 62 additions & 0 deletions Busybox initramfs fsck
@@ -0,0 +1,62 @@
If you're in BusyBox, it's likely because the system dropped into an initramfs shell due to a problem with the root filesystem. You can run `fsck` from BusyBox to attempt repairs. Here's what to do:

---

### **Steps to Run `fsck` in BusyBox**:

1. **Identify the Filesystem**:
- First, determine the root partition device:
```bash
ls /dev
```
- Common root partition names are `/dev/sda1`, `/dev/nvme0n1p1`, or similar.

2. **Run `fsck`**:
- Use the following command to check and repair the filesystem:
```bash
fsck /dev/sdX
```
Replace `/dev/sdX` with your actual root partition name.

- If you want `fsck` to automatically fix errors, add the `-y` flag:
```bash
fsck -y /dev/sdX
```

3. **Reboot**:
- Once `fsck` completes, reboot the system:
```bash
reboot
```

---

### **If You're Unsure of the Root Partition**:
1. **Check for Available Partitions**:
- Run:
```bash
blkid
```
This lists available partitions and their types.

2. **Mount Partitions to Confirm**:
- If unsure which partition is the root filesystem, you can try mounting them:
```bash
mount /dev/sdX /mnt
ls /mnt
```
- Check for familiar directories like `etc`, `usr`, `var`, etc.

- Unmount after verification:
```bash
umount /mnt
```

3. **Retry `fsck`**:
- Once you've identified the correct partition, run `fsck` as above.

---

### **If the Problem Persists**:
1. Boot from a live USB and run `fsck` from there. This method ensures the root filesystem is unmounted and avoids further issues.
2. To access the BusyBox shell, check for logs or use tools like `dmesg` to investigate what caused the system to drop into initramfs.
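Review bot: Step 2 under "If You're Unsure of the Root Partition" should mount read-only and create the mount point first (`mkdir -p /mnt` then `mount -o ro /dev/sdX /mnt`), since mounting a damaged filesystem read-write before `fsck` has run can extend the damage, and many initramfs environments do not ship a `/mnt` directory. The `fsck -y /dev/sdX` step deserves a caveat that it answers yes to every repair prompt and may discard data to make the filesystem consistent, so it belongs after a plain `fsck` run has been reviewed, not alongside it. The final sentence ("To access the BusyBox shell, check for logs or use tools like `dmesg`...") is reversed; it should say that while already in the BusyBox shell, `dmesg` shows why the kernel dropped to initramfs.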
Binary file added CONTOSO01LABS Connection policy.docx
Binary file not shown.