Integrate Cisco Adaptive Security Appliance with the Security Data Lake
    • 20 Aug 2025

    Cisco Adaptive Security Appliance (ASA) is a popular legacy firewall solution from Cisco. Data from your Cisco ASA integrations is stored and searchable from the Security Data Lake when the “syslog” ingest method is selected.

    How does it work?

    This ingest method works by creating a Red Canary-managed syslog server that you can use to receive logs from Cisco ASA. You will be provided the fully qualified hostname and port of the syslog server to which you will point your Cisco appliance. Authentication is handled via TLS.

    By integrating your security logs with the Red Canary Security Data Lake, you can meet data retention requirements, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate Cisco ASA with Red Canary, follow the procedure below from beginning to end.

    Prerequisites

    Before you start the syslog integration, please make sure the following requirements are met:

    1. You have an active Red Canary Security Data Lake license.

    2. You have appropriate admin permissions to make configuration changes in Cisco ASA.

    1 | Red Canary | Add a new data lake integration

    1. From your Red Canary homepage, navigate to Integrations and click Add Integration.

    2. In the modal that appears, search for “Cisco Adaptive Security Appliance”. When the tile appears, click Configure.

    3. Enter a name for your integration.

    4. Choose how Red Canary will receive this data:

      1. Under Ingest Format / Method, select Cisco Adaptive Security Appliance via Syslog.

      2. Click the Next button.

    5. Configure Red Canary to retrieve data from this integration:

      1. Click the Provision button.

      2. This will save and activate your integration. If successful, you should get a “Collector provisioned successfully” notification.

      3. Under Send data to Red Canary, there will be a URL and Port that you can use to set up log forwarding in your external data source. Copy and save these values. You will use them in a later step.

      4. Check I’ve configured this integration to send data to Red Canary.

      5. Under Configure transport encryption, leave the default selection for now.

      6. Click the Next button.

    6. Customize how this data is retained:

      1. Specify the desired data retention period in days.

    7. Click Save.

    2 | Cisco ASA | Configure log forwarding

    1. From Cisco ASA, set up log forwarding using the URL and Port values noted in the previous section.

    2. For detailed instructions on how to set up syslog forwarding for ASA devices using the Adaptive Security Device Manager (ASDM), refer to the Cisco documentation.

      1. When configuring syslog message settings:

        1. Make sure that Include timestamp in syslogs is checked.

        2. Make sure the selected Timestamp Format is “RFC 5424 (yyyy-MM-ddTHH:mm:ssZ)”.

        3. Make sure Enable Syslog Device ID is checked and “Host Name” is selected under the type of ID.

      2. When configuring the syslog server settings:

        1. Make sure that ASA is configured to send logs via TCP (not UDP), and that Enable secure syslog with SSL/TLS is selected.

        2. Make sure that Allow user traffic to pass when TCP syslog server is down is selected.

        3. Make sure the appropriate Certificate Authority (CA) root certificate is uploaded. If you did not configure a custom TLS certificate earlier, you will need to install the ISRG Root X1 certificate. You can download the ISRG Root X1 .pem certificate and upload it to Cisco manually.

    What fields are available when querying Cisco ASA?

    All Security Data Lake sources include a set of metadata columns — data generated by Red Canary at time of ingest. These always begin with rc_:

    Column Name                | Data Type | Description
    rc_id                      | String    | Internal row identifier.
    rc_customer_id             | String    | Red Canary subdomain name.
    rc_source_id               | String    | Internal source identifier.
    rc_format                  | String    | Internal source type.
    rc_source_file             | String    | Internal file name.
    rc_source_file_line_number | Numeric   | Internal file line number.
    rc_ingested_at             | Timestamp | Red Canary ingestion date (UTC).
    rc_created_at              | Timestamp | Red Canary creation date (UTC).
    rc_timestamp               | Timestamp | Red Canary ingestion date (UTC).

    Cisco ASA sources will also include a set of columns parsed from the original syslog message.

    Column Name | Data Type | Description
    timestamp   | Timestamp | Timestamp from the syslog record (if available). If a time zone is not provided as part of the timestamp, this will default to UTC.
    pri         | Numeric   | Priority/severity.
    host        | String    | Source hostname/IP address.
    ident       | String    | Source application.
    pid         | String    | Process ID.
    message     | String    | Message body.
    msgid       | String    | Type of message (if specified by source application).
    extradata   | String    | “Structured Data” elements.
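    The parsed columns above correspond to the header fields of an RFC 5424 message, which is the timestamp format the ASA is configured to emit in the previous section. The following is an added Python example written for this article, not Red Canary's ingest parser or any Cisco code: it splits constructed sample lines into those columns, applies the default-to-UTC rule for timestamps without a zone designator, derives facility and severity from PRI (derived values, not data lake columns), and checks that the device ID is a host name rather than an IP literal, as the ASDM settings require.

```python
import ipaddress
import re
from datetime import datetime, timezone

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG].
# Group names follow the column names in the table above (regex written for this example).
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) (?P<ident>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<extradata>-|(?:\[.*?\])+)(?: (?P<message>.*))?$"
)

# Constructed sample lines in RFC 5424 shape, not captured ASA output. The second line has
# no zone designator on its timestamp, which exercises the default-to-UTC rule.
SAMPLE_LINES = [
    '<166>1 2025-08-20T14:03:07Z asa-edge-01 ASA - 302013 - %ASA-6-302013: Built outbound '
    'TCP connection 12345 for outside:203.0.113.10/443 to inside:10.1.1.25/51234',
    '<164>1 2025-08-20T14:03:09 asa-edge-01 ASA - 106023 [meta seq="42"] %ASA-4-106023: '
    'Deny tcp src outside:203.0.113.5/4444 dst inside:10.1.1.25/22 by access-group "outside_in"',
]

def parse_timestamp(value):
    """NILVALUE '-' -> None; no zone designator -> assume UTC, as the timestamp column does."""
    if value == "-":
        return None
    if value.endswith("Z"):  # datetime.fromisoformat() accepts a trailing 'Z' only on 3.11+
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)

def device_id_is_hostname(host):
    """True when HOSTNAME is a name, i.e. the ASA device ID is set to 'Host Name', not an IP."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return host != "-"

def parse_asa_syslog(line):
    """Return the parsed columns for one line, plus facility/severity derived from PRI."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 message: %r" % line)
    f = m.groupdict()
    f.pop("version")
    f["message"] = f["message"] or ""
    f["timestamp"] = parse_timestamp(f["timestamp"])
    pri = f["pri"] = int(f["pri"])
    f["facility"] = pri // 8  # 166 -> 20 (local4); derived, not a data lake column
    f["severity"] = pri % 8   # 166 -> 6, the same digit as in %ASA-6-302013
    return f
```

    A line that the data lake would ingest with a UTC default shows up here as an aware datetime with a zero offset, so a fleet whose ASAs were left on a local, zone-less timestamp format can be spotted by comparing the parsed value with the rc_ingested_at column.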
