This guide enables onboarding via a direct API connection. If you wish to onboard via a SIEM, see Cisco ASA (via SIEM) Setup for Workbench.
This integration leverages the Cisco Adaptive Security Device Manager (ASDM) and Transport Layer Security (TLS) encryption to enable the connection.
Scope and Limitations
When choosing to set up this integration, remember the following:
- Health checks are not yet supported for this type of device. For more information about device health, see Security Device Health.
Prerequisites
- You must have sufficient admin access in Cisco to make changes to ASA appliances.
- You must install OpenSSL, if it is not already installed.
- You must confirm within ASDM that there is a management interface and another interface for firewall traffic. You will be working only in the management interface during your onboarding.
- You can check on your interfaces by navigating to Configuration > Device Setup > Interface Settings > Interfaces.
- You must know the gateway IP for your next-hop router (used by the Cisco ASA to reach external networks).
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Create a Local Folder
- Add Cisco ASA (via Syslog) as a Security Device in Workbench
- Prepare the Cryptographic Certificates
- Prepare the ASDM Certificates
- Configure Network Access
- Configure Logging
- Verify the Connection
Step 1: Create a Local Folder
This folder will house your certificate files. You will need to run a single command on all files in a later step, so they must all be in the same location.
- Create a local folder with a name of your choosing.
- Download the root_ca.txt file and save it to your newly created local folder; this is your root certificate.
- You will add some additional files to this folder in an upcoming step.
Step 2: Add Cisco ASA (via Syslog) as a Security Device in Workbench
The next step is to add a Cisco ASA (via Syslog) security device in Workbench so that you can generate and copy the necessary TLS keys, which you will need for your TLS certificate.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices. If you have multiple organizations, you must select the appropriate organization name from the list.
- Select Add Security Device.
- In the search box, type “Cisco” and then select the Cisco ASA (via Syslog) integration.
- Complete the fields as follows:
- Name - enter a name that might help you more easily identify this integration, such as “CompanyName Cisco ASA_Syslog”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- All other fields are not editable (these fields will contain your newly generated keys after the device is saved).
- Select Save.
- Select No thanks, I will not provide console access from the console access dropdown.
- Select Save.
- You will see a message indicating your connection credentials are being generated. Select Done.
- Locate your new device in the list of security devices.
- Use the menu beside the device name to view the device details. If you need help with this step, see Manage Security Devices.
- Copy and save the Syslog endpoint IDP.
- You will need this value to complete several future steps. Most steps will ask you to remove the port from this value first, but there is a step that asks for only the port (so make sure you know it).
- Keep the device details open while you move to the next step, so that you can easily copy/paste the TLS client public key and TLS client private key.
Step 3: Prepare the Cryptographic Certificates
You will set up two different cryptographic certificates - a TLS certificate and a P12 certificate - to securely authenticate the firewall and encrypt all log traffic, ensuring your logs cannot be intercepted or modified in transit.
Step 1: Create the TLS Certificate
TLS encryption is required for syslog forwarding on the Cisco ASA. In this step, you will create the required certificate and key files using the values provided by Workbench in the previous step. These files represent the identity of your device and are required to establish a secure TLS session.
- Open a text editor (such as Notepad).
- Copy and paste in the following two values, and save them as two separate files in the local folder that contains your root certificate. Make sure to include any surrounding text such as -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
- TLS client public key - save the file as "certificate.crt"
- TLS client private key - save the file as "private.key"
- Close the device details in Workbench.
- Verify that your local folder now has all three files:
- root_ca.txt
- certificate.crt
- private.key
Step 2: Generate the P12 Certificate
The P12 certificate bundles the public certificate and private key into a single, password-protected file format that Cisco ASDM can import. This format simplifies certificate management and ensures compatibility with Cisco’s identity certificate requirements. Before you begin, make sure you have OpenSSL installed.
- Open Command Prompt if using Windows, or Terminal if using macOS or Linux.
- Use the cd <path_to_folder> command to navigate to your local folder.
- Run the following command to generate the P12 file:
openssl pkcs12 -export -out client.p12 -inkey private.key -in certificate.crt
- Enter a new Export password and press Enter (you will be asked to reenter this password a second time to verify it). Make a note of this password, as you will need it in the next step.
- Verify that the client.p12 file was created in the local folder.
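A consistency check on the folder catches the usual import failures before you open ASDM: a truncated paste, a private key that does not pair with the certificate, or a mistyped export password. The script below is an added example, not part of the original guide; the P12_PASS environment variable and the function names are assumptions, and the sample files it generates are constructed.

```shell
#!/bin/sh
# Added example: check the Step 3 files before importing them into ASDM.
# P12_PASS (assumed env var) carries the export password so that it does not
# appear on the command line.

# check_bundle DIR: returns 0 only if every check passes.
check_bundle() {
  dir=$1
  # 1. Both certificates must parse as PEM (catches truncated pastes).
  for f in root_ca.txt certificate.crt; do
    openssl x509 -in "$dir/$f" -noout 2>/dev/null ||
      { echo "$f: not a PEM certificate"; return 1; }
  done
  # 2. private.key must be the key that certificate.crt was issued for.
  cert_pub=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/private.key" -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "private.key does not match certificate.crt"; return 1; }
  # 3. client.p12 must open with the export password and hold that certificate.
  want=$(openssl x509 -in "$dir/certificate.crt" -noout -fingerprint -sha256)
  got=$(openssl pkcs12 -in "$dir/client.p12" -passin env:P12_PASS -nokeys \
          2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$got" ] && [ "$want" = "$got" ] ||
    { echo "client.p12: wrong password or different certificate"; return 1; }
  echo "ok: $dir"
}

# Constructed sample data: a throwaway self-signed certificate stands in for
# the Workbench values and for root_ca.txt. Prints the folder it created.
make_sample() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed" \
    -keyout "$d/private.key" -out "$d/certificate.crt" 2>/dev/null
  cp "$d/certificate.crt" "$d/root_ca.txt"
  openssl pkcs12 -export -out "$d/client.p12" -inkey "$d/private.key" \
    -in "$d/certificate.crt" -passout env:P12_PASS
  echo "$d"
}

# With a folder argument, check it; with none, run on the constructed sample.
if [ -n "${1:-}" ]; then
  check_bundle "$1"
else
  P12_PASS=constructed-password; export P12_PASS
  check_bundle "$(make_sample)"
fi
```

To check your own files, export P12_PASS in the current shell and pass the local folder path as the only argument.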
Step 4: Prepare the ASDM Certificates
You will configure the Cisco ASA device using ASDM, which requires an Identity certificate and a CA certificate. Before you begin, make sure you know the Export password you entered when you generated the P12 file.
Note
For this section and all remaining sections in this guide, each step builds upon the previous one to ensure the device is fully prepared for encrypted log transmission.
Step 1: Add the Identity Certificate
The identity certificate uniquely represents the firewall, and is used during the TLS handshake to prove its authenticity to the syslog server.
- Open ASDM.
- Select the Configuration tab at the top.
- Select Device Management.
- Navigate to Certificate Management > Identity Certificates.
- Select Add.
- For the new certificate:
- Enter a name of your choosing as the Trustpoint Name, or use "expel_identity."
- Leave the Import the identity certificate from a file radio button selected.
- Enter the Export password you chose when you generated the client.p12 file as the Decryption Passphrase.
- Browse for the client.p12 file you created in the prior section as the file to import from.
- Leave the "Enable CA flag in basic constraints extension" checkbox selected.
- Select Add Certificate.
- Select OK to confirm.
Step 2: Add the CA Certificate
This step installs the root or intermediate CA certificate that signed the syslog server’s certificate. Without this certificate, the ASA would be unable to validate the authenticity of the remote syslog endpoint.
- Still in Certificate Management, navigate to CA Certificates.
- Select Add.
- For the new certificate:
- Enter a name of your choosing as the Trustpoint Name, or use "expel_ca".
- Browse for the root_ca.txt file as the file to import from (leave all options in the screen that displays unchanged).
- Enter the Export password you chose when you generated the client.p12 file as the Decryption Passphrase.
- Select Install Certificate.
Step 3: (Optional) Update SSL Settings
Modifying the SSL settings will associate the newly imported certificate with management and load-balancing services. While this step is not strictly required for syslog forwarding, it ensures consistency across SSL-based services and avoids certificate-related conflicts.
- Still in Device Management, navigate to Advanced > SSL Settings.
- Scroll down to Certificates.
- Select the management row, then select Edit.
- Set both your primary and load balancing certificates as the Identity certificate.
- Select OK.
- Select Apply to save the changes.
Step 5: Configure Network Access
For syslog traffic to reach the external destination, the Cisco ASA must be able to route the traffic correctly and permit it through firewall policies. These steps ensure that both routing and access control rules are properly defined.
Before you begin, make sure you have the syslog endpoint IDP value from Workbench that you saved in Step 1 and that you know your next-hop router IP address (used by the Cisco ASA to reach external networks).
Step 1: Define a Static Route
Without a valid route, the firewall will not know where to send outbound syslog traffic.
- Select Device Setup.
- Navigate to Routing > Static Routes.
- Select Add.
- For the new static route:
- IP Address Type - leave as IPv4.
- Interface - select management.
- Gateway IP - enter your next-hop router IP address (this address must match the format of the existing gateway configured on the ASA, such as "10.0.0.1").
- Network - select the three dots to browse, and continue to the next step.
- On the Browse Network screen, select Add.
- For the new network object:
- Name - enter a name of your choosing, or use "expel_syslogserver_ip".
- Type - leave as Host.
- IP Version - leave as IPv4.
- IP Address - enter the syslog endpoint IDP (without the port) from Step 1.
- Select OK.
- Back on the Browse Network screen, double-click on your newly created network object to select it, and choose OK.
- Back on the Add Static Route screen, leave the options as None.
- Select Ok.
- Select Apply to save changes.
Step 2: Add the ACL and ACE
The Access Control List (ACL) allows outbound communication to the syslog endpoint by explicitly permitting traffic through firewall rules. The ACL acts as a security filter, ensuring that only authorized traffic is allowed. The Access Control Entry (ACE) is the IP address that is applied to the list.
- Select Firewall.
- Navigate to Advanced > Standard ACL.
- Select Add > Add ACL.
- Enter a name of your choosing for the ACL, or use "expel_syslogserver_acl".
- Select Ok.
- Make sure the new ACL is selected, then select Add > Add ACE.
- For the new ACE:
- Action - leave as Permit.
- Address - enter the syslog endpoint IDP (without the port) from Step 1.
- Description - leave blank.
- Select Ok.
- Select Apply to save changes.
Step 6: Configure Logging
You must enable syslog logging on the Cisco ASA, and then configure the secure syslog destination. This process will define how logs are transmitted, which protocol is used, and how encryption is enforced. It will ensure that all logs are sent reliably and securely to Workbench for monitoring and analysis.
Step 1: Verify Logging is Enabled
- Select Device Management.
- Navigate to Logging > Logging Setup.
- Make sure the Enable logging checkbox is selected.
Step 2: Add a Syslog Server
You will add the new server to the management interface.
- Still in Logging, navigate to Syslog Servers.
- Select Add.
- For the new server:
- Interface - select the management interface.
- IP Address - enter the syslog endpoint IDP (without the port) from Step 1.
- Protocol - select TCP.
- Port - enter the port from the syslog endpoint IDP, and also select the Enable secure syslog using SSL/TLS checkbox.
- Timestamp - select the checkbox to enable it, and choose the RFC5424 option.
- Reference Identity - select Manage and continue to the next step.
- On the Configure Reference Identity screen, select Add.
- For the new reference identity:
- Reference Name - enter a name of your choosing, or enter "expel_syslog_device".
- CN Identifier - enter the syslog endpoint IDP (without the port) from Step 1, then select Add to add it.
- Select Ok.
- Select Ok.
- Verify that the reference identity name and CN identifier appear as a new row in the Reference Identity list.
Step 3: Edit Logging Filters
Logging filters determine which events are forwarded to the syslog server based on severity. This step helps reduce noise by ensuring that only relevant security events are transmitted, improving both performance and visibility.
- Still in Logging, navigate to Logging Filters.
- Select the Syslog Servers row, then select Edit.
- Choose Filter on severity and select your desired log levels.
- Select OK.
Step 7: Verify the Connection
As a final step, contact Support to let us know you have finished your setup. We will then verify the connection on your behalf, and make sure your integration is working properly.