| title | Collect data from Cisco firewall devices running ASA |
|---|---|
| description | Use Microsoft Sentinel connectors to collect logs from Cisco firewall devices in Adaptive Security Appliance (ASA) and Common Event Format (CEF) formats. |
| author | guywi-ms |
| ms.date | 03/24/2025 |
| ms.service | microsoft-sentinel |
| ms.author | guywild |
| ms.topic | how-to |
| ms.collection | sentinel-data-connector |

Microsoft Sentinel provides two connectors that collect logs from Cisco Secure Firewall devices, depending on whether the devices run the Firewall Threat Defense (FTD) or Adaptive Security Appliance (ASA) software. This article explains when to use each connector and provides links to installation instructions.

To collect syslog from FTD or ASA devices, use the Cisco ASA/FTD via AMA connector. For syslog configuration guidance for Cisco FTD, see External Logging Configuration in the Cisco documentation.

To collect CEF logs from a Cisco FTD device:

- Install and configure the eNcore eStreamer client, which collects logs from FTD devices (via the Firewall Management Center) and converts them to Common Event Format (CEF). For more information, see the full Cisco install guide.

  > [!NOTE]
  > The eNcore client is no longer being updated, and Cisco recommends the syslog format for new deployments.

- Install the CEF via AMA connector.

Learn more about Microsoft Sentinel data connectors.