From the course: Microsoft 365: Implement Security and Threat Management

Use traffic logs in Cloud App Security

- So here we are back in the Cloud App Security Portal and our last task here is to look at configuring automatic log upload, or at least the ability to upload logs from on-premises into Cloud App Security. So, first off we click the gear icon and we go down to log collectors. Now, there are two pieces to this. The first is the data source that we wish to connect to and the second will be the log collector. So, to add the data source, click add data source. Here we'll then choose from the selection of approved and supported applications. So Cisco, SonicWall, Juniper, Microsoft, et cetera. I'm actually going to go back up to here and we'll look for SonicWall. I'm going to give it a name and we'll call it SonicWall as well, then I'm going to specify this as Syslog-TCP. It could be FTP, doesn't really make a difference, but remember that the format that comes back may actually be different. I'm going to click add, this will then add my data source. So, this is effectively my schema that I wish to connect to. And then I'm going to go to the log collector, which is the actual on-premises piece, where we're going to receive the data from. So I say add log collector, I first go to the data source and choose SonicWall, I can give it a name and we'll call it SonicWall and then I'll put an IP address. Now I'm just making up the IP address here and I'll click update. And what's going to happen is it's going to try and connect and it's going to try and validate that the SonicWall connection is valid and that the data source is correct. Now, what it didn't do is make a connection to that IP address. But what we now have is this ability to take a command, for example if we're using Docker as the container, and execute that directly inside Docker. And then it gives us the FTP credentials to be able to get that specific data into here. So what I can do here is say download and it will export that information as a bunch of CSV files. So we have that information.
Now I'm going to close that, it'll complain and say, "Remember to copy it because you need it." So you can say copy if you want to use it and click close. Now I'm not actually going to complete this process because we need to spin up Docker and paste that information in there and connect it together. So what we'll do instead, another way of doing the same thing but more of a manual process, is to actually go here to the dashboard, back here to the beginning, expand discover and then choose create snapshot report. I'm going to repeat the process that we did before. So I'm going to call it SonicWall, I don't need a description, but if you notice, when we go to data source, we can then pick the data source that we wish to use. And you'll see all of the ones that we looked at previously are there. So I'm going to say SonicWall. Now what's nice here is it now tells me to verify the log format. And you can do this by clicking view and verify and it gives you a breakdown of what those values would be. I'm going to click close, you can also then see more information about attributes that could be missing and a message to say, "Well, if it's not correct, then it may not work." I can then say, "Anonymize private information," and then I can click browse and then at this point I can say SonicWall. I'm going to upload that file and then I can click create. Now actually what I'm going to do is change my file. I have a different one I'd like to use, so we use SonicWall log and then I can click create. Now, what this will do is it'll go through and start checking. Now this is what's happened: it says, "A report with the same name already exists." So, that's because we already had one. So that's good because it validates that something hasn't been created previously.
So I'm going to call it -1 and click create and then what will happen is it now starts to upload the log files in the format they were in, and then what you can see is it appears as SonicWall 1 and then it will sit there saying processing. Now, when this is completed, it will either come back as failed or it will come back as ready. So if you look at the snapshots underneath this, when I click ready, it takes me to the existing snapshot report that was created for the other types of logs that went in. Now, of course, if we go back to here, you can see that we don't have a way to get back to the snapshot report. However, if we go to the dropdown, you can see that any of these successfully created ones are listed here underneath. So, because our SonicWall 1 doesn't exist, that means that it has not completed or it actually failed. We can go to the dropdown here as well and from here we can say, "Well, actually I want to create a new one." Or I can then configure the automatic upload of those reports if needed. Now, of course, if you want to get back to them, you notice there was no easy link because we can click through the various options and we don't get anything back, and the Cloud App Catalog doesn't show us either. What we can actually do is, if we go back to the cloud discovery dashboard and go here, we can click on this little icon where it says, "Snapshot reports," and if you wait for this to load, it will launch a new browser and then it will bring us back to that same place where we originally uploaded and created the snapshot report. And you can see that it's still processing. If I click onto it, it will just say it's processing and parsing the log information. Now, this process can take a while, so just be aware that when you execute it, depending on the size of the content, it could take some time to execute.
Now, of course, while we're here, we can then go to continuous log upload, which was where we configured it, and if we then did have the Docker containers configured, we could then go through and configure that piece. So it's fairly straightforward to create this process. You first create the data source that you wish to connect to, which is the supported platform, then the log collector, and then the two together for on-prem. But if, like me, you wanted to create an ad hoc one to see what it looks like, we can actually just go to snapshot reports and then manually upload the file from the application such as the Cisco firewall or the SonicWall firewall or something else that is supported in Cloud App Security.
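The snapshot-report step above asks you to verify the log format, warns about attributes that could be missing, and offers to anonymize private information before upload. The following script is an added example, not code from the course or from Microsoft, of the kind of pre-upload check a practitioner might run on a firewall export before handing it to the portal: it parses key=value syslog-style records, reports lines that lack the fields a discovery parser needs, and replaces user identities with a salted hash. The required field names (time, src, dst, sent, rcvd), the private field (usr), the sample log lines and the salt are all assumptions constructed for the example; the portal's own anonymization and its exact required attributes are not reproduced here.

```python
"""Pre-upload checks for a firewall log export in key=value syslog style.

Added example: field names, sample records and the salt are constructed
assumptions, not the portal's actual parser requirements.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# One key=value token: bare value, or a double-quoted value that may contain spaces.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Fields assumed to be needed for a usable discovery record.
REQUIRED_FIELDS = ("time", "src", "dst", "sent", "rcvd")
# Fields assumed to carry private information (user identities only).
PRIVATE_FIELDS = ("usr",)

# Constructed sample export: one complete record, one missing the byte
# counters, and one line that is not a key=value record at all.
SAMPLE_LOG = """\
id=firewall sn=CONSTRUCTED time="2024-01-15 09:12:44 UTC" pri=6 c=1024 m=537 msg="Connection Closed" src=10.0.0.5:52311:X0 dst=203.0.113.10:443:X1 proto=tcp/https usr="alice@example.test" sent=1532 rcvd=9870
id=firewall sn=CONSTRUCTED time="2024-01-15 09:12:45 UTC" pri=6 c=1024 m=97 msg="Web site access" src=10.0.0.7:40212:X0 dst=198.51.100.25:80:X1 proto=tcp/http usr="bob@example.test"
this line is not in key=value form
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one log line into a field dictionary, stripping value quotes."""
    fields: Dict[str, str] = {}
    for key, value in _TOKEN.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def missing_fields(record: Dict[str, str]) -> List[str]:
    """Return the required attributes absent from a parsed record."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def anonymize(value: str, salt: str) -> str:
    """Replace an identity with a salted, non-reversible token."""
    digest = hashlib.sha256((salt + value).encode("utf-8")).hexdigest()
    return "anon-" + digest[:16]


def render_record(record: Dict[str, str]) -> str:
    """Serialise a record back to key=value form, quoting values with spaces."""
    parts = []
    for key, value in record.items():
        parts.append(f'{key}="{value}"' if (" " in value or value == "") else f"{key}={value}")
    return " ".join(parts)


def prepare_upload(log_text: str, salt: str) -> Tuple[List[str], List[Tuple[int, List[str]]]]:
    """Validate and anonymize an export.

    Returns (ready_lines, problems) where problems is a list of
    (line_number, reasons) for records that should not be uploaded as-is.
    """
    ready: List[str] = []
    problems: List[Tuple[int, List[str]]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        # A record must start with a key=value token; anything else is noise.
        if not _TOKEN.match(line):
            problems.append((lineno, ["not a key=value record"]))
            continue
        record = parse_record(line)
        gaps = missing_fields(record)
        if gaps:
            problems.append((lineno, gaps))
            continue
        for field in PRIVATE_FIELDS:
            if field in record:
                record[field] = anonymize(record[field], salt)
        ready.append(render_record(record))
    return ready, problems


if __name__ == "__main__":
    ok, bad = prepare_upload(SAMPLE_LOG, "constructed-salt")
    print(f"{len(ok)} record(s) ready for upload, {len(bad)} problem line(s)")
    for lineno, reasons in bad:
        print(f"  line {lineno}: {', '.join(reasons)}")
```

Running the script on the constructed sample reports line 2 as missing its sent and rcvd counters and line 3 as not a record at all, while the surviving record keeps its source and destination intact and carries only a hashed user token, which is the state you want a file to be in before the portal's own "view and verify" step.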