- 20 Aug 2025
Integrate Cisco Adaptive Security Appliance with the Security Data Lake
Cisco Adaptive Security Appliance (ASA) is a widely deployed, now legacy, firewall platform from Cisco. Data from your Cisco ASA integrations is stored in and searchable from the Security Data Lake when the “syslog” ingest method is selected.
How does it work?
This ingest method works by provisioning a Red Canary-managed syslog server that receives logs from Cisco ASA. You will be provided the fully qualified hostname and port of the syslog server to which you will point your Cisco appliance. The connection is protected with TLS: the ASA encrypts the log stream and verifies the collector's certificate against the CA root certificate you install in step 2.
By integrating your security logs with the Red Canary Security Data Lake, you can meet data retention requirements, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate Cisco ASA with Red Canary, follow the procedure below from beginning to end.
Prerequisites
Before you start the syslog integration, please make sure the following requirements are met:
You have an active Red Canary Security Data Lake license.
You have appropriate admin permissions to make configuration changes in Cisco ASA.
1 | Red Canary | Add a new data lake integration
From your Red Canary homepage, navigate to Integrations and click Add Integration.
In the modal that appears, search for “Cisco Adaptive Security Appliance”. When the tile appears, click Configure.
Enter a name for your integration.
Choose how Red Canary will receive this data:
Under Ingest Format / Method, select Cisco Adaptive Security Appliance via Syslog.
Click the Next button.
Configure Red Canary to retrieve data from this integration:
Click the Provision button.
This will save and activate your integration. If successful, you should get a “Collector provisioned successfully” notification.
Under Send data to Red Canary, there will be a URL and Port that you can use to set up log forwarding in your external data source. Copy and save these values. You will use them in a later step.
Check I’ve configured this integration to send data to Red Canary.
Under Configure transport encryption, leave the default selection for now.
Click the Next button.
Customize how this data is retained:
Specify the desired data retention period in days.
Click Save.
2 | Cisco ASA | Configure log forwarding
From Cisco ASA, set up log forwarding using the URL and Port values noted in the previous section.
For detailed instructions on how to set up syslog forwarding for ASA devices using the Adaptive Security Device Manager (ASDM), refer to the Cisco documentation.
When configuring syslog message settings:
Make sure that Include timestamp in syslogs is checked.
Make sure the selected Timestamp Format is “RFC 5424 (yyyy-MM-ddTHH:mm:ssZ)”. This format carries an explicit time zone; without one, the Security Data Lake reads the timestamp as UTC, so a device set to local time would appear skewed.
Make sure Enable Syslog Device ID is checked and “Host Name” is selected under the type of ID.
When configuring the syslog server settings:
Make sure that ASA is configured to send logs via TCP (not UDP), and that Enable secure syslog with SSL/TLS is selected.
Make sure that Allow user traffic to pass when TCP syslog server is down is selected. By default the ASA stops passing new connections through the firewall when a TCP syslog server is unreachable; this setting trades that fail-closed behaviour for uninterrupted traffic, so monitor the integration for forwarding gaps.
Make sure the appropriate Certificate Authority (CA) root certificate is uploaded, so the ASA can validate the collector's server certificate. If you did not configure a custom TLS certificate earlier, you will need to install the ISRG Root X1 certificate (the Let's Encrypt root CA). You can download the ISRG Root X1 .pem certificate and upload it to the ASA manually as a trusted CA certificate.
What fields are available when querying Cisco ASA?
All Security Data Lake sources include a set of metadata columns — data generated by Red Canary at time of ingest. These always begin with rc_:
| Column Name | Data Type | Description |
|---|---|---|
| | String | Internal row identifier. |
| | String | Red Canary subdomain name. |
| | String | Internal source identifier. |
| | String | Internal source type. |
| | String | Internal file name. |
| | Numeric | Internal file line number. |
| | Timestamp | Red Canary ingestion date (UTC). |
| | Timestamp | Red Canary creation date (UTC). |
| | Timestamp | Red Canary ingestion date (UTC). |
Cisco ASA sources will also include a set of columns parsed from the original syslog message.
| Column Name | Data Type | Description |
|---|---|---|
| | Timestamp | Timestamp from the syslog record (if available). If a time zone is not provided as part of the timestamp, this will default to UTC. |
| | Numeric | Priority/severity. |
| | String | Source hostname/IP address. |
| | String | Source application. |
| | String | Process ID. |
| | String | Message body. |
| | String | Type of message (if specified by source application). |
| | String | “Structured Data” elements. |
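The following Python script is an added example and is not Red Canary or Cisco code. It parses RFC 5424 syslog lines of the shape an ASA sends once the step 2 message settings are in effect into the parsed columns listed above, flags records that suggest a setting was missed (no timestamp, a timestamp without a zone, no hostname device ID, or a PRI severity that disagrees with the %ASA-level-id tag in the body), and includes a verifying TLS probe for the collector endpoint. The sample lines, the hostname asa-edge-01, the addresses, the placeholder collector name and the newline framing are constructed assumptions; the exact field layout a real ASA produces may differ from the samples.

```python
"""Added example (not Red Canary or Cisco code): parse RFC 5424 syslog lines of the
kind a Cisco ASA emits after the step 2 settings are applied, check each record
against those settings, and probe the collector's TLS endpoint.  All sample
messages below are constructed; real ASA output may differ in detail."""
import re
import socket
import ssl
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# "-" is the RFC's NILVALUE for a field the sender did not supply.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
ASA_TAG_RE = re.compile(r"%ASA-(?P<level>\d)-(?P<id>\d{6}):")  # e.g. %ASA-6-302013

# Constructed sample records (hostname, addresses and connection ids are invented).
SAMPLE_LINES = [
    # Correctly configured: RFC 5424 timestamp with zone, hostname device ID.
    '<166>1 2025-08-20T14:03:12Z asa-edge-01 ASA - 302013 - %ASA-6-302013: Built outbound '
    'TCP connection 4711 for outside:203.0.113.7/443 (203.0.113.7/443) to '
    'inside:10.0.0.5/51234 (198.51.100.2/51234)',
    # Timestamp without a zone: the data lake will read it as UTC.
    '<164>1 2025-08-20T14:03:13 asa-edge-01 ASA - 106023 - %ASA-4-106023: Deny tcp src '
    'outside:198.51.100.9/4444 dst inside:10.0.0.5/22 by access-group "outside_in"',
    # No timestamp and no device ID, but with a structured-data element.
    '<165>1 - - ASA - 111008 [origin ip="10.0.0.1"] %ASA-5-111008: User \'admin\' '
    'executed the \'logging enable\' command.',
]


def parse_timestamp(ts):
    """Return (datetime or None, zone_present).  A zone-less time is taken as UTC,
    mirroring the data lake's default, so a device on local time skews silently."""
    if ts == "-":
        return None, False
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc), False
    return dt, True


def parse_syslog(line):
    """Split one RFC 5424 line into the columns the data lake exposes for ASA."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m["pri"])
    ts, zone_present = parse_timestamp(m["ts"])
    return {
        "timestamp": ts, "zone_present": zone_present,
        "priority": pri, "facility": pri >> 3, "severity": pri & 7,  # PRI = fac*8 + sev
        "hostname": m["host"], "appname": m["app"], "procid": m["procid"],
        "msgid": m["msgid"], "structured_data": m["sd"], "message": m["msg"] or "",
    }


def check_asa_settings(rec):
    """List the step 2 settings a record suggests are not in effect (empty = all good)."""
    problems = []
    if rec["timestamp"] is None:
        problems.append("no timestamp: check 'Include timestamp in syslogs'")
    elif not rec["zone_present"]:
        problems.append("timestamp has no zone: select the RFC 5424 timestamp format")
    if rec["hostname"] == "-":
        problems.append("no hostname: enable Syslog Device ID with type Host Name")
    tag = ASA_TAG_RE.search(rec["message"])
    if tag and int(tag["level"]) != rec["severity"]:
        problems.append(f"PRI severity {rec['severity']} disagrees with "
                        f"%ASA-{tag['level']}-{tag['id']} in the body")
    return problems


def make_tls_context(cafile=None):
    """Verifying client context.  cafile is the ISRG Root X1 PEM from step 2; None
    uses the system trust store, which normally already holds that root."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx  # check_hostname=True and CERT_REQUIRED are the defaults; keep them


def probe_collector(host, port, cafile=None, message=None):
    """Handshake with the collector the way the ASA will, optionally sending one line.
    Needs network access.  Newline framing (RFC 6587 non-transparent) is an assumption."""
    ctx = make_tls_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if message:
                tls.sendall(message.encode() + b"\n")
            return tls.version(), tls.getpeercert()["issuer"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_syslog(line)
        print(rec["hostname"], rec["timestamp"], rec["msgid"], rec["severity"])
        for problem in check_asa_settings(rec):
            print("  !", problem)
    # Substitute the URL and Port copied from the Red Canary integration page:
    # print(probe_collector("collector.example.invalid", 6514, cafile="isrg-root-x1.pem"))
```

Run the parser against a capture from your own ASA (for example a few lines saved from a test syslog listener before you point the device at Red Canary); any non-empty result from check_asa_settings points at the ASDM setting in step 2 that still needs changing. The probe uses the same trust anchor the ASA will rely on, so a handshake failure here means the ISRG Root X1 upload on the ASA would fail for the same reason.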