Estreamer vs syslog from ASA firewalls

kevinmanson · ‎04-27-2018

Do Cisco ASA NGFWs aka X-series and firepower series sending logs to FMC and collecting via estreamer provide equal or greater logging within Splunk over syslog from the ASA?

Meaning everything event visible in syslog can be seen in the estreamer feed in some way.

One of the other concerning issues is the size of the events syslog is 200bytes/event while estreamer is 2000bytes for connection events.

koshyk · ‎05-02-2018

hi Kevin,
I've put a screenshot here. Also put into github with details. Please note, this is from my experience and may have changed

koshyk · ‎04-30-2018

I've a table comparing syslog vs estreamer options. But not sure if I can paste that into splunk answers. Let me try finding a place I can put it or a screenshot

kevinmanson · ‎05-01-2018

Koshyk,

Any luck on being able to send over that table?

koshyk · ‎05-02-2018

i've attached below

Richfez · ‎04-28-2018

Hi, kevinmanson,

Is there a question here that needs answering?

kevinmanson · ‎04-30-2018

Reformatted sentence into question.

Richfez · ‎05-01-2018

Thx. I sort of figured that was the question, but wanted to make sure.

I'm not an expert, and my memory might be foggy, but IIRC the new firewalls we deployed at $job-1 we still collected both data - there were some pieces of estreamer that weren't there even though generally it's a better, higher quality data stream.

I've love to reinvestigate - as I was leaving there we were finally getting the rest of the new FW infrastructure into place, so we'd have ISE, AMP, all NGFWs and a lot of other things. I may ping some folks back there to find out how that went, or maybe give them a hand getting it sorted out.

Estreamer vs syslog from ASA firewalls

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!