Loading

Microsoft Cloud App Security (CAS) and Squid

The below are the high level steps to configure squid syslog to Microsoft Cloud App security using the CASCollector (an ubuntu vm which runs on Azure\Hyper-V\AWS)

Install CAS Collector

Follow steps here: https://docs.microsoft.com/en-gb/cloud-app-security/discovery-docker-ubuntu-azure

Summary of commands below which are run on the CASCollector Ubuntu server

sudo -i

curl -o /tmp/MCASInstallDocker.sh https://adaprodconsole.blob.core.windows.net/public-files/MCASInstallDocker.sh && chmod +x /tmp/MCASInstallDocker.sh; /tmp/MCASInstallDocker.sh

(echo cb83b3f208347603e38ea2816c7503ec257159001225001c2b8efa6e06f49951) | docker run –name CASLogCollector -p 514:514/udp -p 21:21 -p 20000-20099:20000-20099 -e “PUBLICIP=’10.10.10.12′” -e “PROXY=” -e “SYSLOG=true” -e “CONSOLE=cas.eu2.portal.cloudappsecurity.com” -e “COLLECTOR=CASLogCollector” –security-opt apparmor:unconfined –cap-add=SYS_ADMIN –restart unless-stopped -a stdin -i microsoft/caslogcollector starter

sudo docker logs UKADLogCollector

Confirm it is running

Install IP Traffic monitor (to review incoming syslogs)

On the CASCollector Ubuntu server
Sudo apt-get install iptraf

Setup SQUID (note squid 2.7 at minimum is required for syslog support)

Open Squid.config and make sure the following 2 entries exist

access_log C:/ClientSiteProxy/var/logs/access.log squid
access_log udp://172.18.1.150:514 squid

Save the file and then restart the squid service

The “squid” value at the end of the path sets the format to native, Microsoft CAS (out of the box) supports Native and Common, customised formats can be created but we are keeping this simple.

Make sure the CAS data source is selected with the format Squid (Native)

Troubleshooting

Review “sudo iptraf” network traffic and confirm you can see the incoming UDP traffic on the log collector
Review the governance logs from the CAS portal (gear icon > governance log)
Install a separate syslog receiver test tool (confirm syslog traffic is appearing)
Install a separate syslog transmitter test tool (confirm syslog udp traffic is appearing)

NB: this article relates to squid 2.7 or above and Symantec client site proxy (was known as messagelabs)