Skip to content

Cisco ASA

cisco_asa

About

The Cisco ASA Family of security devices protects corporate networks and data centers of all sizes. It provides users with highly secure access to data and network resources - anytime, anywhere, using any device. Cisco ASA devices represent more than 15 years of proven firewall and network security engineering and leadership, with more than 1 million security appliances deployed throughout the world.

Product Details

Vendor URL: Cisco Adaptive Security Appliance (ASA) Software

Product Type: Hardware

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Cisco ASA - Cyderes Documentation

Log Guide: www.cisco.com

Parser Details

Log Format: SYSLOG

Expected Normalization Rate: 75%

Data Label: CISCO_ASA_FIREWALL

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
Statically Defined metadata.vendor_name
summary, description, message2 metadata.description
Statically Defined metadata.event_type
Statically Defined extensions.auth.type
Statically Defined metadata.vendor_name
Statically Defined extensions.auth.mechanism
userid target.user.user_display_name
sent_bytes network.sent_bytes
received_bytes network.
ext_ip principal.ip
src, remoteip, dst target.ip
localip src.ip
userid principal.user.userid
groupid principal.user.groupid
direction network.direction
dst target.hostname
dst_port target.port
src principal.hostname
src principal.ip
src_port principal.port
proto network.ip_protocol
aproto network.application_protocol
asa_message security_result.category_details
access_group security_result.rule_name
cisco_facility metadata.product_name
cisco_facility-cisco_severity-asa_message metadata.product_event_type
observer observer.hostname
observer observer.ip
observer_ip observer.ip
intermediary_data intermediary.ip
intermediary_data intermediary.hostname

Product Event Types

Some products we only support certain event types. Here are the supported ASA Event IDs.

Cisco Event Event Description UDM Event Classification
ASA-2-106001 An attempt was made to connect to an inside address is denied by the security policy that is defined for the specified traffic type. NETWORK_CONNECTION
ASA-2-106006 An inbound UDP packet was denied by the security policy that is defined for the specified traffic type. NETWORK_CONNECTION
ASA-3-106010 An inbound connection was denied by your security policy. NETWORK_CONNECTION
ASA-6-106012 "An IP packet was seen with IP options. Because IP options are considered a security risk the packet was discarded."
ASA-3-106014 "The ASA denied any inbound ICMP packet access. By default all ICMP packets are denied access unless specifically allowed."
ASA-6-106015 The ASA discarded a TCP packet that has no associated connection in the ASA connection table. NETWORK_CONNECTION
ASA-2-106016 A packet arrived at the ASA interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the ASA interface. NETWORK_CONNECTION
ASA-6-106017 "The ASA received a packet with the IP source address equal to the IP destination and the destination port equal to the source port."
ASA-2-106020 The ASA discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the ASA or an Intrusion Detection System. NETWORK_CONNECTION
ASA-1-106021 An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. NETWORK_CONNECTION
ASA-4-106023 A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. NETWORK_CONNECTION
ASA-6-106100 The initial occurrence or the total number of occurrences during an interval are listed. NETWORK_CONNECTION
ASA-1-106101 "If you configured the log option for an ACL deny statement (access-list id deny command) and a traffic flow matches the ACL statement
ASA-4-106103 A packet was denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message106023. NETWORK_CONNECTION
ASA-6-110002 An error occurred when the ASA tried to find the interface through which to send the packet NETWORK_CONNECTION
ASA-6-110003 An error occurred when the ASA tried to find the next hop on an interface routing table. NETWORK_CONNECTION
ASA-5-111008 "The user entered any command with the exception of a show command."
ASA-5-111010 A user made a configuration change. NETWORK_CONNECTION
ASA-6-113004 "The AAA operation on an IPsec or WebVPN connection has been completed successfully. The AAA types are authentication authorization
ASA-6-113005 The AAA authentication on a connection has failed. NETWORK_CONNECTION
ASA-6-113008 The AAA transaction for a user associated with an IPsec or WebVPN connection was completed successfully. USER_UNCATEGORIZED
ASA-6-113009 The authentication or authorization of an IPsec or WebVPN connection has occurred. USER_LOGIN
ASA-6-113012 The user associated with a IPsec or WebVPN connection has been successfully authenticated to the local user database. USER_LOGIN
ASA-4-113019 An indication of when and why the longest idle user is disconnected. USER_LOGOUT
ASA-2-113022 "The ASA has tried an authentication authorization
ASA-2-113023 The ASA has reactivated the AAA server that was previously marked as failed. The AAA server is now available to service AAA requests. NETWORK_CONNECTION
ASA-6-113039 The AnyConnect session has started for the user in this group at the specified IP address. USER_LOGIN
ASA-3-210007 Stateful Failover failed to allocate a translation slot record. NETWORK_CONNECTION
ASA-6-302013 A TCP connection slot between two hosts was created. NETWORK_CONNECTION
ASA-6-302014 A TCP connection between two hosts was deleted. NETWORK_CONNECTION
ASA-6-302015 A UDP connection slot between two hosts was created. NETWORK_CONNECTION
ASA-6-302016 A UDP connection slot between two hosts was deleted. NETWORK_CONNECTION
ASA-6-302020 An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command. NETWORK_CONNECTION
ASA-6-302021 An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command. NETWORK_CONNECTION
ASA-6-302022 A TCP director/backup/forwarder flow has been created. NETWORK_CONNECTION
ASA-6-302023 A TCP director/backup/forwarder flow has been torn down. NETWORK_CONNECTION
ASA-6-302024 A UDP director/backup/forwarder flow has been created. NETWORK_CONNECTION
ASA-6-302025 A UDP director/backup/forwarder flow has been torn down. NETWORK_CONNECTION
ASA-6-303002 A client has uploaded or downloaded a file from the FTP server. NETWORK_CONNECTION
ASA-5-304001 The specified host tried to access the specified URL. NETWORK_CONNECTION
ASA-5-304002 Access from the source address to the specified URL or FTP site was denied. NETWORK_CONNECTION
ASA-3-304006 "The Websense server is unavailable for access and the ASA attempts to either try to access the same server if it is the only server installed
ASA-3-305006 "A protocol (UDP TCP
ASA-6-305011 "A TCP UDP
ASA-6-305012 The address translation slot was deleted. NETWORK_CONNECTION
ASA-3-313001 "When using the icmp command with an access list if the first matched entry is a permit entry
ASA-3-313004 ICMP packets were dropped by the ASA because of security checks added by the stateful ICMP feature. NETWORK_CONNECTION
ASA-4-313005 ICMP error packets were dropped by the ASA because the ICMP error messages are not related to any session already established in the ASA. NETWORK_CONNECTION
ASA-3-313008 "When using the icmp command with an access list if the first matched entry is a permit entry
ASA-4-313009 An ICMP echo request/reply packet was received with a malformed code(non-zero). NETWORK_CONNECTION
ASA-6-315011 An SSH session has ended. NETWORK_CONNECTION
ASA-4-400000 IP options-Bad Option List NETWORK_CONNECTION
ASA-6-400001 IP options-Record Packet Route NETWORK_CONNECTION
ASA-6-400002 IP options-Timestamp NETWORK_CONNECTION
ASA-6-400003 IP options-Security NETWORK_CONNECTION
ASA-6-400004 IP options-Loose Source Route NETWORK_CONNECTION
ASA-6-400005 IP options-SATNET ID NETWORK_CONNECTION
ASA-6-400006 IP options-Strict Source Route NETWORK_CONNECTION
ASA-6-400007 IP Fragment Attack NETWORK_CONNECTION
ASA-6-400008 IP Impossible Packet NETWORK_CONNECTION
ASA-6-400009 IP Fragments Overlap NETWORK_CONNECTION
ASA-6-400010 ICMP Echo Reply NETWORK_CONNECTION
ASA-6-400011 ICMP Host Unreachable NETWORK_CONNECTION
ASA-6-400012 ICMP Source Quench NETWORK_CONNECTION
ASA-6-400013 ICMP Redirect NETWORK_CONNECTION
ASA-6-400014 ICMP Echo Request NETWORK_CONNECTION
ASA-6-400015 ICMP Time Exceeded for a Datagram NETWORK_CONNECTION
ASA-6-400016 ICMP Parameter Problem on Datagram NETWORK_CONNECTION
ASA-6-400017 ICMP Timestamp Request NETWORK_CONNECTION
ASA-6-400018 ICMP Timestamp Reply NETWORK_CONNECTION
ASA-6-400019 ICMP Information Request NETWORK_CONNECTION
ASA-6-400020 ICMP Information Reply NETWORK_CONNECTION
ASA-6-400021 ICMP Address Mask Request NETWORK_CONNECTION
ASA-6-400022 ICMP Address Mask Reply NETWORK_CONNECTION
ASA-6-400023 Fragmented ICMP Traffic NETWORK_CONNECTION
ASA-6-400024 Large ICMP Traffic NETWORK_CONNECTION
ASA-6-400025 Ping of Death Attack NETWORK_CONNECTION
ASA-6-400026 TCP NULL flags NETWORK_CONNECTION
ASA-6-400027 TCP SYN+FIN flags NETWORK_CONNECTION
ASA-6-400028 TCP FIN only flags NETWORK_CONNECTION
ASA-6-400029 FTP Improper Address Specified NETWORK_CONNECTION
ASA-6-400030 FTP Improper Port Specified NETWORK_CONNECTION
ASA-6-400031 UDP Bomb attack NETWORK_CONNECTION
ASA-6-400032 UDP Snork attack NETWORK_CONNECTION
ASA-6-400033 UDP Chargen DoS attack NETWORK_CONNECTION
ASA-6-400034 DNS HINFO Request NETWORK_CONNECTION
ASA-6-400035 DNS Zone Transfer NETWORK_CONNECTION
ASA-6-400036 DNS Zone Transfer from High Port NETWORK_CONNECTION
ASA-6-400037 DNS Request for All Records NETWORK_CONNECTION
ASA-6-400038 RPC Port Registration NETWORK_CONNECTION
ASA-6-400039 RPC Port Unregistration NETWORK_CONNECTION
ASA-6-400040 RPC Dump NETWORK_CONNECTION
ASA-6-400041 Proxied RPC Request NETWORK_CONNECTION
ASA-6-400042 ypserv (YP server daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400043 ypbind (YP bind daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400044 yppasswdd (YP password daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400045 ypupdated (YP update daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400046 ypxfrd (YP transfer daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400047 mountd (mount daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400048 rexd (remote execution daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400049 rexd (remote execution daemon) Attempt NETWORK_CONNECTION
ASA-6-400050 statd Buffer Overflow NETWORK_CONNECTION
ASA-6-400051 Cisco Intrusion Prevention Service signature messages NETWORK_CONNECTION
ASA-4-401004 A packet was dropped because the host defined by IP SRC is a host in the shun database. NETWORK_CONNECTION
ASA-4-402119 An IPsec packet was received with an invalid sequence number. NETWORK_CONNECTION
ASA-4-410001 The clear shun command was entered to remove existing shuns from memory. NETWORK_CONNECTION
ASA-3-414001 The logging module failed to save the logging buffer to an external FTP server. NETWORK_CONNECTION
ASA-4-419002 A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection. NETWORK_CONNECTION
ASA-6-434002 A packet has been denied by the module. NETWORK_CONNECTION
ASA-6-434004 SourceFire (SFR) has determined not to inspect more traffic of a flow and requests the ASA to stop redirecting the flow of traffic to SFR. NETWORK_CONNECTION
ASA-6-602101 heASAsent an ICMP destination unreachable message and fragmentation is needed. NETWORK_CONNECTION
ASA-6-602303 A new SA was created. NETWORK_CONNECTION
ASA-6-605004 An incorrect login attempt or a failed login to theASAoccurred. USER_LOGIN
ASA-6-605005 "A user was authenticated successfully and a management session started."
ASA-6-607001 The fixup sip command preallocated a SIP connection after inspecting a SIP message . NETWORK_CONNECTION
ASA-6-608001 The inspect skinny command preallocated a Skinny connection after inspecting a Skinny message . NETWORK_CONNECTION
ASA-7-609001 A network state container was reserved for host ip-address connected to zone zone-name . GENERIC_EVENT
ASA-7-609002 A network state container for host ip-address connected to zone zone-name was removed. NETWORK_CONNECTION
ASA06-611101 User authentication succeeded when accessing theASA. USER_LOGIN
ASA-6-611102 User authentication failed when attempting to access theASA. USER_LOGIN
ASA-5-611103 The specified user logged out. USER_LOGOUT
ASA-3-710003 he ASA denied an attempt to connect to the interface service. NETWORK_CONNECTION
ASA-5-713041 ASA is negotiating a tunnel as the initiator. NETWORK_CONNECTION
ASA-5-713049 An IPsec tunnel has been started NETWORK_CONNECTION
ASA-3-713061 The ASA was not able to find security policy information for the private networks or hosts indicated in the message. NETWORK_CONNECTION
ASA-6-713172 NAT-Traversal auto-detected NAT. NETWORK_CONNECTION
ASA-5-713201 "The ASA has received a duplicate of a previous Phase 1 or Phase 2 packet and will transmit the last message."
ASA-5-713202 The ASA has received a duplicate first packet for a tunnel that the ASA is already aware of and negotiating. NETWORK_CONNECTION
ASA-3-713902 "An error has occurred which may be the result of a configuration error either on the headend or remote access client."
ASA-4-713903 This syslog ID is used for IKE warning messages which can display multiple other syslogs. NETWORK_CONNECTION
ASA-5-713904 "Notification status information appears which is used to track events that have occurred."
ASA-6-713905 "Information status details appear which are used to track events that have occurred."
ASA-6-721016 A remote WebVPN user has logged in successfully and the login information has been installed on the standby unit. USER_LOGIN
ASA-6-722022 The TCP or UDP connection was established with or without compression. USER_LOGIN
ASA-6-722023 The SVC terminated either with or without compression. USER_LOGOUT
ASA-5-722033 The first SVC connection was established for the SVC session. USER_LOGIN
ASA-5-722034 A reconnection attempt has occurred. An SVC connection is replacing a previously closed connection. NETWORK_CONNECTION
ASA-6-722036 A large packet was sent to the client. The source of the packet may not be aware of the MTU of the client. GENERIC_EVENT
ASA-4-722037 An SVC connection was terminated for the given reason. NETWORK_CONNECTION
ASA-6-722051 The specified address has been assigned to the given user. NETWORK_UNCATEGORIZED
ASA-6-725001 "The SSL handshake has started with the remote device which can be a client or server."
ASA-6-725002 The SSL handshake has completed successfully with the remote device. NETWORK_CONNECTION
ASA-6-725003 The remote device is trying to resume a previous SSL session. NETWORK_CONNECTION
ASA-6-725006 The SSL handshake with the remote device has failed. NETWORK_CONNECTION
ASA-6-725007 The SSL session has terminated. NETWORK_CONNECTION
ASA-6-725016 "With server-name indication (SNI) the certificate used for a given connection may not be the certificate configured on the interface."
ASA-4-733100 The specified object in the message has exceeded the specified burst threshold rate or average threshold rate. GENERIC_EVENT
ASA-6-734001 The DAP records that were selected for the connection are listed. USER_LOGIN
ASA-6-737026 The client has assigned the given address from a local pool. NETWORK_CONNECTION
ASA-3-751002 The ASA was unable to find any type of authentication information in the tunnel group that it could use to authenticate itself to the peer. NETWORK_CONNECTION
PARSER-5-CFGLOG_LOGGEDCMD Command logging. GENERIC_EVENT
SMART_LIC-3-AUTH_RENEW_FAILED Smart license authentication failed. GENERIC_EVENT

Log Sample

<166>COM-ASA %ASA-6-605005: Login permitted from 10.10.10.10/60358 to vpn:10.10.9.1/ssh for user "johndoe"

Sample Parsing

metadata.event_timestamp = "2021-08-05T11:12:35.013051Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Cisco"
metadata.product_name = "ASA"
metadata.product_event_type = "ASA-6-605005"
metadata.ingested_timestamp = "2021-08-05T11:12:35.013051Z"
principal.user.userid = "johndoe"
principal.ip = "10.10.10.10"
principal.port = 60358
target.ip = "10.10.9.1"
observer.hostname = "COM-ASA"
security_result.category_details = "605005"
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "Informational message only"
network.application_protocol = "SSH"

Parser Alerting

This product currently does not have any Parser-based Alerting