Cisco ASA¶
About¶
The Cisco ASA Family of security devices protects corporate networks and data centers of all sizes. It provides users with highly secure access to data and network resources - anytime, anywhere, using any device. Cisco ASA devices represent more than 15 years of proven firewall and network security engineering and leadership, with more than 1 million security appliances deployed throughout the world.
Product Details¶
Vendor URL: Cisco Adaptive Security Appliance (ASA) Software
Product Type: Hardware
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Cisco ASA - Cyderes Documentation
Log Guide: www.cisco.com
Parser Details¶
Log Format: SYSLOG
Expected Normalization Rate: 75%
Data Label: CISCO_ASA_FIREWALL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Statically Defined | metadata.vendor_name |
| summary, description, message2 | metadata.description |
| Statically Defined | metadata.event_type |
| Statically Defined | extensions.auth.type |
| Statically Defined | metadata.vendor_name |
| Statically Defined | extensions.auth.mechanism |
| userid | target.user.user_display_name |
| sent_bytes | network.sent_bytes |
| received_bytes | network. |
| ext_ip | principal.ip |
| src, remoteip, dst | target.ip |
| localip | src.ip |
| userid | principal.user.userid |
| groupid | principal.user.groupid |
| direction | network.direction |
| dst | target.hostname |
| dst_port | target.port |
| src | principal.hostname |
| src | principal.ip |
| src_port | principal.port |
| proto | network.ip_protocol |
| aproto | network.application_protocol |
| asa_message | security_result.category_details |
| access_group | security_result.rule_name |
| cisco_facility | metadata.product_name |
| cisco_facility-cisco_severity-asa_message | metadata.product_event_type |
| observer | observer.hostname |
| observer | observer.ip |
| observer_ip | observer.ip |
| intermediary_data | intermediary.ip |
| intermediary_data | intermediary.hostname |
Product Event Types¶
Some products we only support certain event types. Here are the supported ASA Event IDs.
| Cisco Event | Event Description | UDM Event Classification |
|---|---|---|
| ASA-2-106001 | An attempt was made to connect to an inside address is denied by the security policy that is defined for the specified traffic type. | NETWORK_CONNECTION |
| ASA-2-106006 | An inbound UDP packet was denied by the security policy that is defined for the specified traffic type. | NETWORK_CONNECTION |
| ASA-3-106010 | An inbound connection was denied by your security policy. | NETWORK_CONNECTION |
| ASA-6-106012 | "An IP packet was seen with IP options. Because IP options are considered a security risk | the packet was discarded." |
| ASA-3-106014 | "The ASA denied any inbound ICMP packet access. By default | all ICMP packets are denied access unless specifically allowed." |
| ASA-6-106015 | The ASA discarded a TCP packet that has no associated connection in the ASA connection table. | NETWORK_CONNECTION |
| ASA-2-106016 | A packet arrived at the ASA interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the ASA interface. | NETWORK_CONNECTION |
| ASA-6-106017 | "The ASA received a packet with the IP source address equal to the IP destination | and the destination port equal to the source port." |
| ASA-2-106020 | The ASA discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the ASA or an Intrusion Detection System. | NETWORK_CONNECTION |
| ASA-1-106021 | An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. | NETWORK_CONNECTION |
| ASA-4-106023 | A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. | NETWORK_CONNECTION |
| ASA-6-106100 | The initial occurrence or the total number of occurrences during an interval are listed. | NETWORK_CONNECTION |
| ASA-1-106101 | "If you configured the log option for an ACL deny statement (access-list id deny command) | and a traffic flow matches the ACL statement |
| ASA-4-106103 | A packet was denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message106023. | NETWORK_CONNECTION |
| ASA-6-110002 | An error occurred when the ASA tried to find the interface through which to send the packet | NETWORK_CONNECTION |
| ASA-6-110003 | An error occurred when the ASA tried to find the next hop on an interface routing table. | NETWORK_CONNECTION |
| ASA-5-111008 | "The user entered any command | with the exception of a show command." |
| ASA-5-111010 | A user made a configuration change. | NETWORK_CONNECTION |
| ASA-6-113004 | "The AAA operation on an IPsec or WebVPN connection has been completed successfully. The AAA types are authentication | authorization |
| ASA-6-113005 | The AAA authentication on a connection has failed. | NETWORK_CONNECTION |
| ASA-6-113008 | The AAA transaction for a user associated with an IPsec or WebVPN connection was completed successfully. | USER_UNCATEGORIZED |
| ASA-6-113009 | The authentication or authorization of an IPsec or WebVPN connection has occurred. | USER_LOGIN |
| ASA-6-113012 | The user associated with a IPsec or WebVPN connection has been successfully authenticated to the local user database. | USER_LOGIN |
| ASA-4-113019 | An indication of when and why the longest idle user is disconnected. | USER_LOGOUT |
| ASA-2-113022 | "The ASA has tried an authentication | authorization |
| ASA-2-113023 | The ASA has reactivated the AAA server that was previously marked as failed. The AAA server is now available to service AAA requests. | NETWORK_CONNECTION |
| ASA-6-113039 | The AnyConnect session has started for the user in this group at the specified IP address. | USER_LOGIN |
| ASA-3-210007 | Stateful Failover failed to allocate a translation slot record. | NETWORK_CONNECTION |
| ASA-6-302013 | A TCP connection slot between two hosts was created. | NETWORK_CONNECTION |
| ASA-6-302014 | A TCP connection between two hosts was deleted. | NETWORK_CONNECTION |
| ASA-6-302015 | A UDP connection slot between two hosts was created. | NETWORK_CONNECTION |
| ASA-6-302016 | A UDP connection slot between two hosts was deleted. | NETWORK_CONNECTION |
| ASA-6-302020 | An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command. | NETWORK_CONNECTION |
| ASA-6-302021 | An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command. | NETWORK_CONNECTION |
| ASA-6-302022 | A TCP director/backup/forwarder flow has been created. | NETWORK_CONNECTION |
| ASA-6-302023 | A TCP director/backup/forwarder flow has been torn down. | NETWORK_CONNECTION |
| ASA-6-302024 | A UDP director/backup/forwarder flow has been created. | NETWORK_CONNECTION |
| ASA-6-302025 | A UDP director/backup/forwarder flow has been torn down. | NETWORK_CONNECTION |
| ASA-6-303002 | A client has uploaded or downloaded a file from the FTP server. | NETWORK_CONNECTION |
| ASA-5-304001 | The specified host tried to access the specified URL. | NETWORK_CONNECTION |
| ASA-5-304002 | Access from the source address to the specified URL or FTP site was denied. | NETWORK_CONNECTION |
| ASA-3-304006 | "The Websense server is unavailable for access | and the ASA attempts to either try to access the same server if it is the only server installed |
| ASA-3-305006 | "A protocol (UDP | TCP |
| ASA-6-305011 | "A TCP | UDP |
| ASA-6-305012 | The address translation slot was deleted. | NETWORK_CONNECTION |
| ASA-3-313001 | "When using the icmp command with an access list | if the first matched entry is a permit entry |
| ASA-3-313004 | ICMP packets were dropped by the ASA because of security checks added by the stateful ICMP feature. | NETWORK_CONNECTION |
| ASA-4-313005 | ICMP error packets were dropped by the ASA because the ICMP error messages are not related to any session already established in the ASA. | NETWORK_CONNECTION |
| ASA-3-313008 | "When using the icmp command with an access list | if the first matched entry is a permit entry |
| ASA-4-313009 | An ICMP echo request/reply packet was received with a malformed code(non-zero). | NETWORK_CONNECTION |
| ASA-6-315011 | An SSH session has ended. | NETWORK_CONNECTION |
| ASA-4-400000 | IP options-Bad Option List | NETWORK_CONNECTION |
| ASA-6-400001 | IP options-Record Packet Route | NETWORK_CONNECTION |
| ASA-6-400002 | IP options-Timestamp | NETWORK_CONNECTION |
| ASA-6-400003 | IP options-Security | NETWORK_CONNECTION |
| ASA-6-400004 | IP options-Loose Source Route | NETWORK_CONNECTION |
| ASA-6-400005 | IP options-SATNET ID | NETWORK_CONNECTION |
| ASA-6-400006 | IP options-Strict Source Route | NETWORK_CONNECTION |
| ASA-6-400007 | IP Fragment Attack | NETWORK_CONNECTION |
| ASA-6-400008 | IP Impossible Packet | NETWORK_CONNECTION |
| ASA-6-400009 | IP Fragments Overlap | NETWORK_CONNECTION |
| ASA-6-400010 | ICMP Echo Reply | NETWORK_CONNECTION |
| ASA-6-400011 | ICMP Host Unreachable | NETWORK_CONNECTION |
| ASA-6-400012 | ICMP Source Quench | NETWORK_CONNECTION |
| ASA-6-400013 | ICMP Redirect | NETWORK_CONNECTION |
| ASA-6-400014 | ICMP Echo Request | NETWORK_CONNECTION |
| ASA-6-400015 | ICMP Time Exceeded for a Datagram | NETWORK_CONNECTION |
| ASA-6-400016 | ICMP Parameter Problem on Datagram | NETWORK_CONNECTION |
| ASA-6-400017 | ICMP Timestamp Request | NETWORK_CONNECTION |
| ASA-6-400018 | ICMP Timestamp Reply | NETWORK_CONNECTION |
| ASA-6-400019 | ICMP Information Request | NETWORK_CONNECTION |
| ASA-6-400020 | ICMP Information Reply | NETWORK_CONNECTION |
| ASA-6-400021 | ICMP Address Mask Request | NETWORK_CONNECTION |
| ASA-6-400022 | ICMP Address Mask Reply | NETWORK_CONNECTION |
| ASA-6-400023 | Fragmented ICMP Traffic | NETWORK_CONNECTION |
| ASA-6-400024 | Large ICMP Traffic | NETWORK_CONNECTION |
| ASA-6-400025 | Ping of Death Attack | NETWORK_CONNECTION |
| ASA-6-400026 | TCP NULL flags | NETWORK_CONNECTION |
| ASA-6-400027 | TCP SYN+FIN flags | NETWORK_CONNECTION |
| ASA-6-400028 | TCP FIN only flags | NETWORK_CONNECTION |
| ASA-6-400029 | FTP Improper Address Specified | NETWORK_CONNECTION |
| ASA-6-400030 | FTP Improper Port Specified | NETWORK_CONNECTION |
| ASA-6-400031 | UDP Bomb attack | NETWORK_CONNECTION |
| ASA-6-400032 | UDP Snork attack | NETWORK_CONNECTION |
| ASA-6-400033 | UDP Chargen DoS attack | NETWORK_CONNECTION |
| ASA-6-400034 | DNS HINFO Request | NETWORK_CONNECTION |
| ASA-6-400035 | DNS Zone Transfer | NETWORK_CONNECTION |
| ASA-6-400036 | DNS Zone Transfer from High Port | NETWORK_CONNECTION |
| ASA-6-400037 | DNS Request for All Records | NETWORK_CONNECTION |
| ASA-6-400038 | RPC Port Registration | NETWORK_CONNECTION |
| ASA-6-400039 | RPC Port Unregistration | NETWORK_CONNECTION |
| ASA-6-400040 | RPC Dump | NETWORK_CONNECTION |
| ASA-6-400041 | Proxied RPC Request | NETWORK_CONNECTION |
| ASA-6-400042 | ypserv (YP server daemon) Portmap Request | NETWORK_CONNECTION |
| ASA-6-400043 | ypbind (YP bind daemon) Portmap Request | NETWORK_CONNECTION |
| ASA-6-400044 | yppasswdd (YP password daemon) Portmap Request | NETWORK_CONNECTION |
| ASA-6-400045 | ypupdated (YP update daemon) Portmap Request | NETWORK_CONNECTION |
| ASA-6-400046 | ypxfrd (YP transfer daemon) Portmap Request | NETWORK_CONNECTION |
| ASA-6-400047 | mountd (mount daemon) Portmap Request | NETWORK_CONNECTION |
| ASA-6-400048 | rexd (remote execution daemon) Portmap Request | NETWORK_CONNECTION |
| ASA-6-400049 | rexd (remote execution daemon) Attempt | NETWORK_CONNECTION |
| ASA-6-400050 | statd Buffer Overflow | NETWORK_CONNECTION |
| ASA-6-400051 | Cisco Intrusion Prevention Service signature messages | NETWORK_CONNECTION |
| ASA-4-401004 | A packet was dropped because the host defined by IP SRC is a host in the shun database. | NETWORK_CONNECTION |
| ASA-4-402119 | An IPsec packet was received with an invalid sequence number. | NETWORK_CONNECTION |
| ASA-4-410001 | The clear shun command was entered to remove existing shuns from memory. | NETWORK_CONNECTION |
| ASA-3-414001 | The logging module failed to save the logging buffer to an external FTP server. | NETWORK_CONNECTION |
| ASA-4-419002 | A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection. | NETWORK_CONNECTION |
| ASA-6-434002 | A packet has been denied by the module. | NETWORK_CONNECTION |
| ASA-6-434004 | SourceFire (SFR) has determined not to inspect more traffic of a flow and requests the ASA to stop redirecting the flow of traffic to SFR. | NETWORK_CONNECTION |
| ASA-6-602101 | heASAsent an ICMP destination unreachable message and fragmentation is needed. | NETWORK_CONNECTION |
| ASA-6-602303 | A new SA was created. | NETWORK_CONNECTION |
| ASA-6-605004 | An incorrect login attempt or a failed login to theASAoccurred. | USER_LOGIN |
| ASA-6-605005 | "A user was authenticated successfully | and a management session started." |
| ASA-6-607001 | The fixup sip command preallocated a SIP connection after inspecting a SIP message . | NETWORK_CONNECTION |
| ASA-6-608001 | The inspect skinny command preallocated a Skinny connection after inspecting a Skinny message . | NETWORK_CONNECTION |
| ASA-7-609001 | A network state container was reserved for host ip-address connected to zone zone-name . | GENERIC_EVENT |
| ASA-7-609002 | A network state container for host ip-address connected to zone zone-name was removed. | NETWORK_CONNECTION |
| ASA06-611101 | User authentication succeeded when accessing theASA. | USER_LOGIN |
| ASA-6-611102 | User authentication failed when attempting to access theASA. | USER_LOGIN |
| ASA-5-611103 | The specified user logged out. | USER_LOGOUT |
| ASA-3-710003 | he ASA denied an attempt to connect to the interface service. | NETWORK_CONNECTION |
| ASA-5-713041 | ASA is negotiating a tunnel as the initiator. | NETWORK_CONNECTION |
| ASA-5-713049 | An IPsec tunnel has been started | NETWORK_CONNECTION |
| ASA-3-713061 | The ASA was not able to find security policy information for the private networks or hosts indicated in the message. | NETWORK_CONNECTION |
| ASA-6-713172 | NAT-Traversal auto-detected NAT. | NETWORK_CONNECTION |
| ASA-5-713201 | "The ASA has received a duplicate of a previous Phase 1 or Phase 2 packet | and will transmit the last message." |
| ASA-5-713202 | The ASA has received a duplicate first packet for a tunnel that the ASA is already aware of and negotiating. | NETWORK_CONNECTION |
| ASA-3-713902 | "An error has occurred | which may be the result of a configuration error either on the headend or remote access client." |
| ASA-4-713903 | This syslog ID is used for IKE warning messages which can display multiple other syslogs. | NETWORK_CONNECTION |
| ASA-5-713904 | "Notification status information appears | which is used to track events that have occurred." |
| ASA-6-713905 | "Information status details appear | which are used to track events that have occurred." |
| ASA-6-721016 | A remote WebVPN user has logged in successfully and the login information has been installed on the standby unit. | USER_LOGIN |
| ASA-6-722022 | The TCP or UDP connection was established with or without compression. | USER_LOGIN |
| ASA-6-722023 | The SVC terminated either with or without compression. | USER_LOGOUT |
| ASA-5-722033 | The first SVC connection was established for the SVC session. | USER_LOGIN |
| ASA-5-722034 | A reconnection attempt has occurred. An SVC connection is replacing a previously closed connection. | NETWORK_CONNECTION |
| ASA-6-722036 | A large packet was sent to the client. The source of the packet may not be aware of the MTU of the client. | GENERIC_EVENT |
| ASA-4-722037 | An SVC connection was terminated for the given reason. | NETWORK_CONNECTION |
| ASA-6-722051 | The specified address has been assigned to the given user. | NETWORK_UNCATEGORIZED |
| ASA-6-725001 | "The SSL handshake has started with the remote device | which can be a client or server." |
| ASA-6-725002 | The SSL handshake has completed successfully with the remote device. | NETWORK_CONNECTION |
| ASA-6-725003 | The remote device is trying to resume a previous SSL session. | NETWORK_CONNECTION |
| ASA-6-725006 | The SSL handshake with the remote device has failed. | NETWORK_CONNECTION |
| ASA-6-725007 | The SSL session has terminated. | NETWORK_CONNECTION |
| ASA-6-725016 | "With server-name indication (SNI) | the certificate used for a given connection may not be the certificate configured on the interface." |
| ASA-4-733100 | The specified object in the message has exceeded the specified burst threshold rate or average threshold rate. | GENERIC_EVENT |
| ASA-6-734001 | The DAP records that were selected for the connection are listed. | USER_LOGIN |
| ASA-6-737026 | The client has assigned the given address from a local pool. | NETWORK_CONNECTION |
| ASA-3-751002 | The ASA was unable to find any type of authentication information in the tunnel group that it could use to authenticate itself to the peer. | NETWORK_CONNECTION |
| PARSER-5-CFGLOG_LOGGEDCMD | Command logging. | GENERIC_EVENT |
| SMART_LIC-3-AUTH_RENEW_FAILED | Smart license authentication failed. | GENERIC_EVENT |
Log Sample¶
<166>COM-ASA %ASA-6-605005: Login permitted from 10.10.10.10/60358 to vpn:10.10.9.1/ssh for user "johndoe"
Sample Parsing¶
metadata.event_timestamp = "2021-08-05T11:12:35.013051Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Cisco"
metadata.product_name = "ASA"
metadata.product_event_type = "ASA-6-605005"
metadata.ingested_timestamp = "2021-08-05T11:12:35.013051Z"
principal.user.userid = "johndoe"
principal.ip = "10.10.10.10"
principal.port = 60358
target.ip = "10.10.9.1"
observer.hostname = "COM-ASA"
security_result.category_details = "605005"
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "Informational message only"
network.application_protocol = "SSH"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon