Below are the high-level steps to forward Squid syslog to Microsoft Cloud App Security using the CAS Log Collector (an Ubuntu VM which runs on Azure, Hyper-V or AWS).
Install CAS Collector
Follow steps here: https://docs.microsoft.com/en-gb/cloud-app-security/discovery-docker-ubuntu-azure
Summary of the commands below, which are run on the CASCollector Ubuntu server:
sudo -i
curl -o /tmp/MCASInstallDocker.sh https://adaprodconsole.blob.core.windows.net/public-files/MCASInstallDocker.sh && chmod +x /tmp/MCASInstallDocker.sh; /tmp/MCASInstallDocker.sh
(echo cb83b3f208347603e38ea2816c7503ec257159001225001c2b8efa6e06f49951) | docker run --name CASLogCollector -p 514:514/udp -p 21:21 -p 20000-20099:20000-20099 -e "PUBLICIP='10.10.10.12'" -e "PROXY=" -e "SYSLOG=true" -e "CONSOLE=cas.eu2.portal.cloudappsecurity.com" -e "COLLECTOR=CASLogCollector" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i microsoft/caslogcollector starter
sudo docker logs CASLogCollector (the container name must match the --name value used in the docker run command above)
Confirm it is running
Install the IP traffic monitor (to review incoming syslog traffic)
On the CASCollector Ubuntu server:
sudo apt-get install iptraf
Set up Squid (note: Squid 2.7 at minimum is required for syslog support)
Open squid.conf and make sure the following two entries exist:
access_log C:/ClientSiteProxy/var/logs/access.log squid
access_log udp://172.18.1.150:514 squid
Save the file and then restart the Squid service.
The "squid" value at the end of each access_log line sets the log format to native. Out of the box, Microsoft CAS supports the Native and Common formats; customised formats can be created, but we are keeping this simple.
Make sure the CAS data source is selected with the format Squid (Native).
Troubleshooting
Review "sudo iptraf" network traffic and confirm you can see the incoming UDP traffic on the log collector
Review the governance logs from the CAS portal (gear icon > governance log)
Install a separate syslog receiver test tool (confirm syslog traffic is appearing)
Install a separate syslog transmitter test tool (confirm syslog udp traffic is appearing)
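As an added example (not part of the original article), the following Python script stands in for the syslog receiver and transmitter test tools above: it validates that lines are in the Squid native format that the "squid" keyword on the access_log line produces, and sends them as one UDP datagram per line to a local listener, the same way Squid delivers them to the collector on UDP 514. The sample log lines are constructed, and the loopback address and free port are assumptions for offline testing.

```python
import re
import socket
from dataclasses import dataclass

# Constructed sample lines in Squid "native" access.log format:
#   time.ms elapsed client action/status size method URL ident hierarchy/peer content-type
SAMPLE_LINES = [
    "1598000000.123    245 10.1.2.3 TCP_MISS/200 1234 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
    "1598000001.456     12 10.1.2.4 TCP_DENIED/403 3548 CONNECT login.example.net:443 - HIER_NONE/- text/html",
]

NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass(frozen=True)
class SquidEntry:
    client: str
    action: str
    status: int
    method: str
    url: str


def parse_native(line: str) -> SquidEntry:
    """Parse one native-format line; raise ValueError for anything the collector could not ingest."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not Squid native format: {line!r}")
    return SquidEntry(m["client"], m["action"], int(m["status"]), m["method"], m["url"])


def loopback_roundtrip(lines, host="127.0.0.1"):
    """Emulate 'access_log udp://<collector>:514 squid' against a local UDP listener.

    Returns the parsed entries the listener received. Port 0 picks any free port;
    for a real test against the collector, point the sender at its address on 514.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind((host, 0))
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        for line in lines:
            tx.sendto(line.encode(), (host, port))  # one datagram per log line, as Squid sends
        received = []
        for _ in lines:
            data, _addr = rx.recvfrom(65535)
            received.append(parse_native(data.decode()))
    return received
```

Run the receiver half on the collector host (bound to 514 as root) to confirm datagrams arrive, and the sender half from the proxy host to confirm the path is open before involving the portal.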
NB: this article relates to Squid 2.7 or above and Symantec Client Site Proxy (formerly MessageLabs).