
Cisco ASA



The Cisco ASA Family of security devices protects corporate networks and data centers of all sizes. It provides users with highly secure access to data and network resources - anytime, anywhere, using any device. Cisco ASA devices represent more than 15 years of proven firewall and network security engineering and leadership, with more than 1 million security appliances deployed throughout the world.

Product Details

Vendor URL: Cisco Adaptive Security Appliance (ASA) Software

Product Type: Hardware

Product Tier: Tier II

Integration Method: Syslog

Integration URL: Cisco ASA - Cyderes Documentation

Log Guide:

Parser Details

Log Format: SYSLOG

Expected Normalization Rate: 75%


UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                             UDM Field
Statically Defined                         metadata.vendor_name
summary, description, message2             metadata.description
Statically Defined                         metadata.event_type
Statically Defined                         extensions.auth.type
Statically Defined                         metadata.vendor_name
Statically Defined                         extensions.auth.mechanism
userid                                     target.user.user_display_name
sent_bytes                                 network.sent_bytes
received_bytes                             network.
ext_ip                                     principal.ip
src, remoteip, dst                         target.ip
localip                                    src.ip
userid                                     principal.user.userid
groupid                                    principal.user.groupid
direction                                  network.direction
dst                                        target.hostname
dst_port                                   target.port
src                                        principal.hostname
src                                        principal.ip
src_port                                   principal.port
proto                                      network.ip_protocol
aproto                                     network.application_protocol
asa_message                                security_result.category_details
access_group                               security_result.rule_name
cisco_facility                             metadata.product_name
cisco_facility-cisco_severity-asa_message  metadata.product_event_type
observer                                   observer.hostname
observer                                   observer.ip
observer_ip                                observer.ip
intermediary_data                          intermediary.ip
intermediary_data                          intermediary.hostname

Product Event Types

For some products, only certain event types are supported. The supported ASA event IDs are listed below.

Cisco Event Event Description UDM Event Classification
ASA-2-106001 An attempt to connect to an inside address was denied by the security policy that is defined for the specified traffic type. NETWORK_CONNECTION
ASA-2-106006 An inbound UDP packet was denied by the security policy that is defined for the specified traffic type. NETWORK_CONNECTION
ASA-3-106010 An inbound connection was denied by your security policy. NETWORK_CONNECTION
ASA-6-106012 An IP packet was seen with IP options. Because IP options are considered a security risk the packet was discarded.
ASA-3-106014 The ASA denied any inbound ICMP packet access. By default all ICMP packets are denied access unless specifically allowed.
ASA-6-106015 The ASA discarded a TCP packet that has no associated connection in the ASA connection table. NETWORK_CONNECTION
ASA-2-106016 A packet arrived at the ASA interface that has a destination IP address of and a destination MAC address of the ASA interface. NETWORK_CONNECTION
ASA-6-106017 The ASA received a packet with the IP source address equal to the IP destination and the destination port equal to the source port.
ASA-2-106020 The ASA discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the ASA or an Intrusion Detection System. NETWORK_CONNECTION
ASA-1-106021 An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. NETWORK_CONNECTION
ASA-4-106023 A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. NETWORK_CONNECTION
ASA-6-106100 The initial occurrence or the total number of occurrences during an interval are listed. NETWORK_CONNECTION
ASA-1-106101 "If you configured the log option for an ACL deny statement (access-list id deny command) and a traffic flow matches the ACL statement
ASA-4-106103 A packet was denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message 106023. NETWORK_CONNECTION
ASA-6-110002 An error occurred when the ASA tried to find the interface through which to send the packet. NETWORK_CONNECTION
ASA-6-110003 An error occurred when the ASA tried to find the next hop on an interface routing table. NETWORK_CONNECTION
ASA-5-111008 The user entered any command with the exception of a show command.
ASA-5-111010 A user made a configuration change. NETWORK_CONNECTION
ASA-6-113004 "The AAA operation on an IPsec or WebVPN connection has been completed successfully. The AAA types are authentication authorization
ASA-6-113005 The AAA authentication on a connection has failed. NETWORK_CONNECTION
ASA-6-113008 The AAA transaction for a user associated with an IPsec or WebVPN connection was completed successfully. USER_UNCATEGORIZED
ASA-6-113009 The authentication or authorization of an IPsec or WebVPN connection has occurred. USER_LOGIN
ASA-6-113012 The user associated with an IPsec or WebVPN connection has been successfully authenticated to the local user database. USER_LOGIN
ASA-4-113019 An indication of when and why the longest idle user is disconnected. USER_LOGOUT
ASA-2-113022 "The ASA has tried an authentication authorization
ASA-2-113023 The ASA has reactivated the AAA server that was previously marked as failed. The AAA server is now available to service AAA requests. NETWORK_CONNECTION
ASA-6-113039 The AnyConnect session has started for the user in this group at the specified IP address. USER_LOGIN
ASA-3-210007 Stateful Failover failed to allocate a translation slot record. NETWORK_CONNECTION
ASA-6-302013 A TCP connection slot between two hosts was created. NETWORK_CONNECTION
ASA-6-302014 A TCP connection between two hosts was deleted. NETWORK_CONNECTION
ASA-6-302015 A UDP connection slot between two hosts was created. NETWORK_CONNECTION
ASA-6-302016 A UDP connection slot between two hosts was deleted. NETWORK_CONNECTION
ASA-6-302020 An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command. NETWORK_CONNECTION
ASA-6-302021 An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command. NETWORK_CONNECTION
ASA-6-302022 A TCP director/backup/forwarder flow has been created. NETWORK_CONNECTION
ASA-6-302023 A TCP director/backup/forwarder flow has been torn down. NETWORK_CONNECTION
ASA-6-302024 A UDP director/backup/forwarder flow has been created. NETWORK_CONNECTION
ASA-6-302025 A UDP director/backup/forwarder flow has been torn down. NETWORK_CONNECTION
ASA-6-303002 A client has uploaded or downloaded a file from the FTP server. NETWORK_CONNECTION
ASA-5-304001 The specified host tried to access the specified URL. NETWORK_CONNECTION
ASA-5-304002 Access from the source address to the specified URL or FTP site was denied. NETWORK_CONNECTION
ASA-3-304006 "The Websense server is unavailable for access and the ASA attempts to either try to access the same server if it is the only server installed
ASA-3-305006 "A protocol (UDP TCP
ASA-6-305011 "A TCP UDP
ASA-6-305012 The address translation slot was deleted. NETWORK_CONNECTION
ASA-3-313001 "When using the icmp command with an access list if the first matched entry is a permit entry
ASA-3-313004 ICMP packets were dropped by the ASA because of security checks added by the stateful ICMP feature. NETWORK_CONNECTION
ASA-4-313005 ICMP error packets were dropped by the ASA because the ICMP error messages are not related to any session already established in the ASA. NETWORK_CONNECTION
ASA-3-313008 "When using the icmp command with an access list if the first matched entry is a permit entry
ASA-4-313009 An ICMP echo request/reply packet was received with a malformed code (non-zero). NETWORK_CONNECTION
ASA-6-315011 An SSH session has ended. NETWORK_CONNECTION
ASA-4-400000 IP options-Bad Option List NETWORK_CONNECTION
ASA-6-400001 IP options-Record Packet Route NETWORK_CONNECTION
ASA-6-400002 IP options-Timestamp NETWORK_CONNECTION
ASA-6-400003 IP options-Security NETWORK_CONNECTION
ASA-6-400004 IP options-Loose Source Route NETWORK_CONNECTION
ASA-6-400006 IP options-Strict Source Route NETWORK_CONNECTION
ASA-6-400007 IP Fragment Attack NETWORK_CONNECTION
ASA-6-400008 IP Impossible Packet NETWORK_CONNECTION
ASA-6-400009 IP Fragments Overlap NETWORK_CONNECTION
ASA-6-400011 ICMP Host Unreachable NETWORK_CONNECTION
ASA-6-400015 ICMP Time Exceeded for a Datagram NETWORK_CONNECTION
ASA-6-400016 ICMP Parameter Problem on Datagram NETWORK_CONNECTION
ASA-6-400017 ICMP Timestamp Request NETWORK_CONNECTION
ASA-6-400018 ICMP Timestamp Reply NETWORK_CONNECTION
ASA-6-400019 ICMP Information Request NETWORK_CONNECTION
ASA-6-400020 ICMP Information Reply NETWORK_CONNECTION
ASA-6-400021 ICMP Address Mask Request NETWORK_CONNECTION
ASA-6-400022 ICMP Address Mask Reply NETWORK_CONNECTION
ASA-6-400023 Fragmented ICMP Traffic NETWORK_CONNECTION
ASA-6-400025 Ping of Death Attack NETWORK_CONNECTION
ASA-6-400029 FTP Improper Address Specified NETWORK_CONNECTION
ASA-6-400030 FTP Improper Port Specified NETWORK_CONNECTION
ASA-6-400032 UDP Snork attack NETWORK_CONNECTION
ASA-6-400033 UDP Chargen DoS attack NETWORK_CONNECTION
ASA-6-400036 DNS Zone Transfer from High Port NETWORK_CONNECTION
ASA-6-400037 DNS Request for All Records NETWORK_CONNECTION
ASA-6-400038 RPC Port Registration NETWORK_CONNECTION
ASA-6-400039 RPC Port Unregistration NETWORK_CONNECTION
ASA-6-400041 Proxied RPC Request NETWORK_CONNECTION
ASA-6-400042 ypserv (YP server daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400043 ypbind (YP bind daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400044 yppasswdd (YP password daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400045 ypupdated (YP update daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400046 ypxfrd (YP transfer daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400047 mountd (mount daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400048 rexd (remote execution daemon) Portmap Request NETWORK_CONNECTION
ASA-6-400049 rexd (remote execution daemon) Attempt NETWORK_CONNECTION
ASA-6-400050 statd Buffer Overflow NETWORK_CONNECTION
ASA-6-400051 Cisco Intrusion Prevention Service signature messages NETWORK_CONNECTION
ASA-4-401004 A packet was dropped because the host defined by IP SRC is a host in the shun database. NETWORK_CONNECTION
ASA-4-402119 An IPsec packet was received with an invalid sequence number. NETWORK_CONNECTION
ASA-4-410001 The clear shun command was entered to remove existing shuns from memory. NETWORK_CONNECTION
ASA-3-414001 The logging module failed to save the logging buffer to an external FTP server. NETWORK_CONNECTION
ASA-4-419002 A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection. NETWORK_CONNECTION
ASA-6-434002 A packet has been denied by the module. NETWORK_CONNECTION
ASA-6-434004 SourceFire (SFR) has determined not to inspect more traffic of a flow and requests the ASA to stop redirecting the flow of traffic to SFR. NETWORK_CONNECTION
ASA-6-602101 The ASA sent an ICMP destination unreachable message and fragmentation is needed. NETWORK_CONNECTION
ASA-6-602303 A new SA was created. NETWORK_CONNECTION
ASA-6-605004 An incorrect login attempt or a failed login to the ASA occurred. USER_LOGIN
ASA-6-605005 A user was authenticated successfully and a management session started.
ASA-6-607001 The fixup sip command preallocated a SIP connection after inspecting a SIP message. NETWORK_CONNECTION
ASA-6-608001 The inspect skinny command preallocated a Skinny connection after inspecting a Skinny message. NETWORK_CONNECTION
ASA-7-609001 A network state container was reserved for host ip-address connected to zone zone-name. GENERIC_EVENT
ASA-7-609002 A network state container for host ip-address connected to zone zone-name was removed. NETWORK_CONNECTION
ASA-6-611101 User authentication succeeded when accessing the ASA. USER_LOGIN
ASA-6-611102 User authentication failed when attempting to access the ASA. USER_LOGIN
ASA-5-611103 The specified user logged out. USER_LOGOUT
ASA-3-710003 The ASA denied an attempt to connect to the interface service. NETWORK_CONNECTION
ASA-5-713041 ASA is negotiating a tunnel as the initiator. NETWORK_CONNECTION
ASA-5-713049 An IPsec tunnel has been started. NETWORK_CONNECTION
ASA-3-713061 The ASA was not able to find security policy information for the private networks or hosts indicated in the message. NETWORK_CONNECTION
ASA-6-713172 NAT-Traversal auto-detected NAT. NETWORK_CONNECTION
ASA-5-713201 The ASA has received a duplicate of a previous Phase 1 or Phase 2 packet and will transmit the last message.
ASA-5-713202 The ASA has received a duplicate first packet for a tunnel that the ASA is already aware of and negotiating. NETWORK_CONNECTION
ASA-3-713902 An error has occurred which may be the result of a configuration error either on the headend or remote access client.
ASA-4-713903 This syslog ID is used for IKE warning messages which can display multiple other syslogs. NETWORK_CONNECTION
ASA-5-713904 Notification status information appears which is used to track events that have occurred.
ASA-6-713905 Information status details appear which are used to track events that have occurred.
ASA-6-721016 A remote WebVPN user has logged in successfully and the login information has been installed on the standby unit. USER_LOGIN
ASA-6-722022 The TCP or UDP connection was established with or without compression. USER_LOGIN
ASA-6-722023 The SVC terminated either with or without compression. USER_LOGOUT
ASA-5-722033 The first SVC connection was established for the SVC session. USER_LOGIN
ASA-5-722034 A reconnection attempt has occurred. An SVC connection is replacing a previously closed connection. NETWORK_CONNECTION
ASA-6-722036 A large packet was sent to the client. The source of the packet may not be aware of the MTU of the client. GENERIC_EVENT
ASA-4-722037 An SVC connection was terminated for the given reason. NETWORK_CONNECTION
ASA-6-722051 The specified address has been assigned to the given user. NETWORK_UNCATEGORIZED
ASA-6-725001 The SSL handshake has started with the remote device which can be a client or server.
ASA-6-725002 The SSL handshake has completed successfully with the remote device. NETWORK_CONNECTION
ASA-6-725003 The remote device is trying to resume a previous SSL session. NETWORK_CONNECTION
ASA-6-725006 The SSL handshake with the remote device has failed. NETWORK_CONNECTION
ASA-6-725007 The SSL session has terminated. NETWORK_CONNECTION
ASA-6-725016 With server-name indication (SNI) the certificate used for a given connection may not be the certificate configured on the interface.
ASA-4-733100 The specified object in the message has exceeded the specified burst threshold rate or average threshold rate. GENERIC_EVENT
ASA-6-734001 The DAP records that were selected for the connection are listed. USER_LOGIN
ASA-6-737026 The client has assigned the given address from a local pool. NETWORK_CONNECTION
ASA-3-751002 The ASA was unable to find any type of authentication information in the tunnel group that it could use to authenticate itself to the peer. NETWORK_CONNECTION
SMART_LIC-3-AUTH_RENEW_FAILED Smart license authentication failed. GENERIC_EVENT

Log Sample

<166>COM-ASA %ASA-6-605005: Login permitted from to vpn: for user "johndoe"

Sample Parsing

metadata.event_timestamp = "2021-08-05T11:12:35.013051Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Cisco"
metadata.product_name = "ASA"
metadata.product_event_type = "ASA-6-605005"
metadata.ingested_timestamp = "2021-08-05T11:12:35.013051Z"
principal.user.userid = "johndoe"
principal.ip = ""
principal.port = 60358
target.ip = ""
observer.hostname = "COM-ASA"
security_result.category_details = "605005"
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "Informational message only"
network.application_protocol = "SSH"
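
As an added illustration (not the Cyderes parser itself), the sketch below maps ASA syslog lines in the Log Sample layout onto some of the UDM fields listed above and reports which message IDs fall outside the supported table. The regexes, the `SUPPORTED` subset, the names `to_udm` and `coverage`, and every sample line except the first are assumptions made for this example.

```python
import re
from collections import Counter

# A few rows of this page's table; 605005 comes from its Sample Parsing section.
SUPPORTED = {
    "ASA-4-106023": "NETWORK_CONNECTION", "ASA-6-302013": "NETWORK_CONNECTION",
    "ASA-6-605005": "USER_LOGIN", "ASA-5-611103": "USER_LOGOUT",
}

# Assumed layout, as in the page's Log Sample: <PRI>host %FAC-SEV-ID: text
HEADER = re.compile(r"^<\d{1,3}>(?P<observer>\S+) "
                    r"%(?P<fac>[A-Z]+)-(?P<sev>[0-7])-(?P<msg>\d{6}): (?P<text>.*)$")
USER = re.compile(r'for user "([^"]*)"')
ACL = re.compile(r'by access-group "([^"]+)"')

def to_udm(line):
    """Map one syslog line to UDM keys listed on this page, or return None."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    pet = f'{m["fac"]}-{m["sev"]}-{m["msg"]}'
    event = {
        "metadata.vendor_name": "Cisco",
        "metadata.product_name": m["fac"],
        "metadata.product_event_type": pet,
        "metadata.event_type": SUPPORTED.get(pet),  # None: ID not in the table
        "observer.hostname": m["observer"],
        "security_result.category_details": m["msg"],
    }
    if u := USER.search(m["text"]):
        event["principal.user.userid"] = u.group(1)
    if a := ACL.search(m["text"]):
        event["security_result.rule_name"] = a.group(1)
    return event

def coverage(lines):
    """Return (normalized events, Counter of IDs outside the table, rate)."""
    parsed = [e for e in map(to_udm, lines) if e]
    ok = [e for e in parsed if e["metadata.event_type"]]
    gaps = Counter(e["metadata.product_event_type"] for e in parsed if e not in ok)
    return ok, gaps, (len(ok) / len(lines) if lines else 0.0)

# First line is the page's Log Sample; the others are constructed for this example.
SAMPLE = [
    '<166>COM-ASA %ASA-6-605005: Login permitted from to vpn: for user "johndoe"',
    '<164>COM-ASA %ASA-4-106023: Deny tcp src outside:198.51.100.7/51515 '
    'dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '<166>COM-ASA %ASA-6-302010: 3 in use, 12 most used',
]
```

Running `coverage` over a day of real ASA syslog shows which message IDs the device emits that are not in the supported list, which is where detections built on normalized fields would have no data.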

Parser Alerting

This product currently does not have any Parser-based Alerting.


Coming Soon