
firewall.cisco.asa

Introduction

The tags beginning with firewall.cisco.asa identify events generated by Cisco Adaptive Security Appliance (ASA).

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as firewall.cisco. The third level identifies the type of events sent. 

| Technology | Brand | Type |
|---|---|---|
| firewall | cisco | asa |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| firewall.cisco.asa | firewall.cisco.asa |

Log samples

The following are sample logs sent to the firewall.cisco.asa data table. Below the sample logs you can see how the information is parsed into the data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

firewall.cisco.asa

2022-02-08 18:35:14.829 localhost=127.0.0.1 user.info firewall.cisco.asa: <167>Jan 09 2022 13:16:36 RockfordASA : %ASA-7-710002: UDP access permitted from 192.168.3.4/14856 to inside:192.168.3.254/snmp
2022-02-08 18:35:14.829 localhost=127.0.0.1 user.info firewall.cisco.asa: <163>Jan 09 2022 14:04:51 ARM-ASA5508-01 : %ASA-3-713902: Group = 192.168.3.4, IP = 192.168.3.4, Removing peer from correlator table failed, no match!
2022-02-08 18:35:14.911 localhost=127.0.0.1 user.info firewall.cisco.asa: <166>Jan 09 2022 15:11:53: %ASA-6-113039: Group <Policy-RemoteCorp> User <john.doe> IP <192.168.3.4> AnyConnect parent session started.
2022-02-08 18:35:14.912 localhost=127.0.0.1 user.info firewall.cisco.asa: <166>Jan 07 2022 13:54:35: %ASA-6-713905: Group = 192.168.3.4, IP = 192.168.3.4, Floating NAT-T from 192.168.3.4 port 500 to 192.168.3.4 port 4500
2022-02-08 18:35:14.912 localhost=127.0.0.1 user.info firewall.cisco.asa: <164>Jan 09 2022 14:02:23: %ASA-4-434002: SFR requested to drop TCP packet from inside:10.3.2.1/61726 to outside:10.3.2.2/443

And this is how the first sample log would be parsed:

| Field | Value | Type | Source field name | Field transformation | Extra fields |
|---|---|---|---|---|---|
| eventdate | 2022-02-08 18:35:14.829 | timestamp | | | |
| machine | localhost | str | | | |
| level | info | str | vlevel | | |
| severity | 7 | int4 | priority | | |
| eventId | 710002 | int8 | | | |
| action | null | str | action1 | (action1 -> 'Deny' or action1 -> 'denied') ? 'Denied' : action1 | |
| direction | null | str | | | |
| action_type | null | str | | | |
| protocol | UDP | str | protocol1 | (protocol1 -> 'IP') ? 'TCP' : protocol1 | |
| ifaceIn | null | str | | | |
| srcIp | 192.168.3.4 | ip4 | | | |
| srcPort | 14856 | int4 | | | |
| srcMac | null | str | | | |
| ifaceOut | inside | str | | | |
| dstIp | 192.168.3.254 | ip4 | | | |
| dstPort | null | int4 | | | |
| type | null | int4 | | | |
| code | null | int4 | | | |
| aclId | null | str | | | |
| connId | null | str | | | |
| duration | null | str | | | |
| bytes | null | int8 | | | |
| bytesXmt | null | int8 | | | |
| bytesRcv | null | int8 | | | |
| reason | null | str | | | |
| srcXIp | null | ip4 | | | |
| srcXPort | null | int4 | | | |
| dstXIp | null | ip4 | | | |
| dstXPort | null | int4 | | | |
| hitCnt | null | int4 | | | |
| hitInterval | null | str | | | |
| hashCodes | null | str | | | |
| fwUserIn | null | str | | | |
| fwUserOut | null | str | | | |
| user | null | str | | | |
| userIP | null | ip4 | | | |
| tcpFlags | null | str | | | |
| srcSeqId | null | int4 | | | |
| dstXSeqId | null | int4 | | | |
| dstSeqId | null | int4 | | | |
| icmpType | null | int4 | | | |
| icmpCode | null | int4 | | | |
| ipaddr | null | ip4 | | | |
| connection | null | str | | | |
| dap_details | null | str | | | |
| ipOptions | null | str | | | |
| errorMessage | null | str | | | |
| usrName | null | str | | | |
| fromLevel | null | int4 | | | |
| toLevel | null | int4 | | | |
| service | snmp | str | | | |
| authAction | null | str | | | |
| sessionType | null | str | | | |
| group | | str | | | |
| groupPolicy | null | str | | | |
| message | UDP access permitted from 192.168.3.4/14856 to inside:192.168.3.254/snmp | str | | | |
| running | null | str | | | |
| executed | null | str | | | |
| server | null | ip4 | | | |
| publicIp | null | ip4 | | | |
| assignedIpv4 | null | ip4 | | | |
| assignedIpv6 | null | ip6 | | | |
| filename | null | str | | | |
| userAgent | null | str | | | |
| Object | null | str | | | |
| currentBurstRate | null | int8 | | | |
| currentBurstMaxRate | null | int8 | | | |
| currentAverageRate | null | int8 | | | |
| currentAverageMaxRate | null | int8 | | | |
| cumulativeTotal | null | int8 | | | |
| block_size | null | int4 | | | |
| free_blocks | null | int4 | | | |
| max_blocks | null | int4 | | | |
| attrName | null | str | | | |
| attrValue | null | str | | | |
| size | null | int4 | | | |
| offset | | int4 | | | |
| device | null | str | | | |
| state | null | str | | | |
| connectionsInUse | null | int4 | | | |
| connectionsMostUsed | null | int4 | | | |
| url | null | str | | | |
| numTries | null | int4 | | | |
| limitType | null | str | | | |
| limitBytes | null | int8 | | | |
| hdrLen | null | int8 | | | |
| pktLen | null | int8 | | | |
| sessionNumber | null | int4 | | | |
| peerType | null | str | | | |
| trustPoint | null | str | | | |
| rawBrand | cisco | str | | "cisco" | ✓ |
| rawPhylum | asa | str | | "asa" | ✓ |
| rawFamily | | str | | | ✓ |
| rawGenus | | str | | | ✓ |
| rawSpecies | | str | | | ✓ |
| rawHostName | localhost | str | | | ✓ |
| rawHostIp | 127.0.0.1 | str | | | ✓ |
| rawMessage | <167>Jan 09 2022 13:16:36 RockfordASA : %ASA-7-710002: UDP access permitted from 192.168.3.4/14856 to inside:192.168.3.254/snmp | str | | | ✓ |
| hostchain | localhost=127.0.0.1 | str | | | ✓ |
| tag | firewall.cisco.asa | str | | "firewall.cisco.asa" | ✓ |
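The following is an added example, not Devo's own parser, showing how the first and fifth sample logs map onto the column names in the table above, including the three-level tag rule and the two documented field transformations (action1 and protocol1). The regular expressions and function names are assumptions for illustration; it only extracts the body fields that the table shows populated for the 710002 message, and leaves them absent for messages it does not recognise.

```python
import re

# Constructed samples, copied from the documented log lines for this tag (not live traffic).
SAMPLE_PERMIT = ("2022-02-08 18:35:14.829 localhost=127.0.0.1 user.info firewall.cisco.asa: "
                 "<167>Jan 09 2022 13:16:36 RockfordASA : %ASA-7-710002: "
                 "UDP access permitted from 192.168.3.4/14856 to inside:192.168.3.254/snmp")
SAMPLE_DROP = ("2022-02-08 18:35:14.912 localhost=127.0.0.1 user.info firewall.cisco.asa: "
               "<164>Jan 09 2022 14:02:23: %ASA-4-434002: "
               "SFR requested to drop TCP packet from inside:10.3.2.1/61726 to outside:10.3.2.2/443")

# Outer envelope: eventdate, hostchain (machine=ip), facility.level, tag, raw syslog payload.
ENVELOPE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<hostchain>(?P<machine>[^=\s]+)=(?P<rawHostIp>\S+)) "
    r"\w+\.(?P<level>\w+) (?P<tag>[\w.]+): (?P<rawMessage>.*)$")
# ASA header: <PRI>, timestamp, optional device name, then %ASA-<severity>-<eventId>: message.
ASA_HEADER = re.compile(
    r"^<\d+>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}(?: \S+ )?: "
    r"%ASA-(?P<severity>\d)-(?P<eventId>\d{6}): (?P<message>.*)$")
# Body of the 710002-style "<proto> access <verb> from ... to <iface>:<ip>/<service>" message.
ACCESS_BODY = re.compile(
    r"^(?P<protocol1>\w+) access \w+ from (?P<srcIp>[\d.]+)/(?P<srcPort>\d+) "
    r"to (?P<ifaceOut>\w+):(?P<dstIp>[\d.]+)/(?P<service>\w+)$")


def valid_tag(tag):
    """A tag is valid when it has exactly 3 levels and the first two are firewall.cisco."""
    parts = tag.split(".")
    return len(parts) == 3 and parts[:2] == ["firewall", "cisco"] and bool(parts[2])


def normalize_action(action1):
    """Documented transformation: 'Deny' / 'denied' become 'Denied', anything else is kept."""
    return "Denied" if action1 in ("Deny", "denied") else action1


def normalize_protocol(protocol1):
    """Documented transformation: a bare 'IP' protocol is reported as 'TCP'."""
    return "TCP" if protocol1 == "IP" else protocol1


def parse_asa_event(line):
    """Map one line to the table's column names; body fields appear only when they parse."""
    env = ENVELOPE.match(line)
    if not env or not valid_tag(env["tag"]):
        raise ValueError("not a firewall.cisco.asa event")
    hdr = ASA_HEADER.match(env["rawMessage"])
    if not hdr:
        raise ValueError("no %ASA-<severity>-<eventId> header in payload")
    keys = ("eventdate", "hostchain", "machine", "rawHostIp", "level", "tag", "rawMessage")
    event = {k: env[k] for k in keys}
    event.update(severity=int(hdr["severity"]), eventId=int(hdr["eventId"]), message=hdr["message"])
    body = ACCESS_BODY.match(hdr["message"])
    if body:  # 434002 "SFR requested to drop" messages fall through with no body fields
        event.update(protocol=normalize_protocol(body["protocol1"]), srcIp=body["srcIp"],
                     srcPort=int(body["srcPort"]), ifaceOut=body["ifaceOut"],
                     dstIp=body["dstIp"], service=body["service"])
    return event
```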