The Cisco ASA Family of security devices protects corporate networks and data centers of all sizes. It provides users with highly secure access to data and network resources - anytime, anywhere, using any device. Cisco ASA devices represent more than 15 years of proven firewall and network security engineering and leadership, with more than 1 million security appliances deployed throughout the world.
Vendor URL: Cisco Adaptive Security Appliance (ASA) Software
Product Type: Hardware
Product Tier: Tier II
Integration Method: Syslog
Integration URL: Cisco ASA - Cyderes Documentation
Log Guide: www.cisco.com
Log Format: SYSLOG
Expected Normalization Rate: 75%
Data Label: CISCO_ASA_FIREWALL
UDM Fields (list of all UDM fields leveraged in the Parser):
|Log File Field
|summary, description, message2
|src, remoteip, dst
Product Event Types
For some products we support only certain event types. Here are the supported ASA event IDs.
|UDM Event Classification
|An attempt to connect to an inside address was denied by the security policy that is defined for the specified traffic type.
|An inbound UDP packet was denied by the security policy that is defined for the specified traffic type.
|An inbound connection was denied by your security policy.
|An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
|The ASA denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically allowed.
|The ASA discarded a TCP packet that has no associated connection in the ASA connection table.
|A packet arrived at the ASA interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the ASA interface.
|The ASA received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port.
|The ASA discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event that circumvents the ASA or an Intrusion Detection System.
|An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection.
|A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL.
|The initial occurrence or the total number of occurrences during an interval are listed.
|If you configured the log option for an ACL deny statement (access-list id deny command), and a traffic flow matches the ACL statement
|A packet was denied by an access-list that was applied through a VPN filter. This message is the VPN/AAA filter equivalent of message 106023.
|An error occurred when the ASA tried to find the interface through which to send the packet.
|An error occurred when the ASA tried to find the next hop on an interface routing table.
|The user entered any command, with the exception of a show command.
|A user made a configuration change.
|The AAA operation on an IPsec or WebVPN connection has been completed successfully. The AAA types are authentication
|The AAA authentication on a connection has failed.
|The AAA transaction for a user associated with an IPsec or WebVPN connection was completed successfully.
|The authentication or authorization of an IPsec or WebVPN connection has occurred.
|The user associated with an IPsec or WebVPN connection has been successfully authenticated to the local user database.
|An indication of when and why the longest idle user is disconnected.
|The ASA has tried an authentication
|The ASA has reactivated the AAA server that was previously marked as failed. The AAA server is now available to service AAA requests.
|The AnyConnect session has started for the user in this group at the specified IP address.
|Stateful Failover failed to allocate a translation slot record.
|A TCP connection slot between two hosts was created.
|A TCP connection between two hosts was deleted.
|A UDP connection slot between two hosts was created.
|A UDP connection slot between two hosts was deleted.
|An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command.
|An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command.
|A TCP director/backup/forwarder flow has been created.
|A TCP director/backup/forwarder flow has been torn down.
|A UDP director/backup/forwarder flow has been created.
|A UDP director/backup/forwarder flow has been torn down.
|A client has uploaded or downloaded a file from the FTP server.
|The specified host tried to access the specified URL.
|Access from the source address to the specified URL or FTP site was denied.
|The Websense server is unavailable for access, and the ASA attempts to either try to access the same server if it is the only server installed
|A protocol (UDP
|The address translation slot was deleted.
|When using the icmp command with an access list, if the first matched entry is a permit entry
|ICMP packets were dropped by the ASA because of security checks added by the stateful ICMP feature.
|ICMP error packets were dropped by the ASA because the ICMP error messages are not related to any session already established in the ASA.
|When using the icmp command with an access list, if the first matched entry is a permit entry
|An ICMP echo request/reply packet was received with a malformed code (non-zero).
|An SSH session has ended.
|IP options-Bad Option List
|IP options-Record Packet Route
|IP options-Loose Source Route
|IP options-SATNET ID
|IP options-Strict Source Route
|IP Fragment Attack
|IP Impossible Packet
|IP Fragments Overlap
|ICMP Echo Reply
|ICMP Host Unreachable
|ICMP Source Quench
|ICMP Echo Request
|ICMP Time Exceeded for a Datagram
|ICMP Parameter Problem on Datagram
|ICMP Timestamp Request
|ICMP Timestamp Reply
|ICMP Information Request
|ICMP Information Reply
|ICMP Address Mask Request
|ICMP Address Mask Reply
|Fragmented ICMP Traffic
|Large ICMP Traffic
|Ping of Death Attack
|TCP NULL flags
|TCP SYN+FIN flags
|TCP FIN only flags
|FTP Improper Address Specified
|FTP Improper Port Specified
|UDP Bomb attack
|UDP Snork attack
|UDP Chargen DoS attack
|DNS HINFO Request
|DNS Zone Transfer
|DNS Zone Transfer from High Port
|DNS Request for All Records
|RPC Port Registration
|RPC Port Unregistration
|Proxied RPC Request
|ypserv (YP server daemon) Portmap Request
|ypbind (YP bind daemon) Portmap Request
|yppasswdd (YP password daemon) Portmap Request
|ypupdated (YP update daemon) Portmap Request
|ypxfrd (YP transfer daemon) Portmap Request
|mountd (mount daemon) Portmap Request
|rexd (remote execution daemon) Portmap Request
|rexd (remote execution daemon) Attempt
|statd Buffer Overflow
|Cisco Intrusion Prevention Service signature messages
|A packet was dropped because the host defined by IP SRC is a host in the shun database.
|An IPsec packet was received with an invalid sequence number.
|The clear shun command was entered to remove existing shuns from memory.
|The logging module failed to save the logging buffer to an external FTP server.
|A duplicate TCP SYN was received during the three-way-handshake that has a different initial sequence number from the SYN that opened the embryonic connection.
|A packet has been denied by the module.
|SourceFire (SFR) has determined not to inspect more traffic of a flow and requests the ASA to stop redirecting the flow of traffic to SFR.
|The ASA sent an ICMP destination unreachable message and fragmentation is needed.
|A new SA was created.
|An incorrect login attempt or a failed login to the ASA occurred.
|A user was authenticated successfully, and a management session started.
|The fixup sip command preallocated a SIP connection after inspecting a SIP message.
|The inspect skinny command preallocated a Skinny connection after inspecting a Skinny message.
|A network state container was reserved for host ip-address connected to zone zone-name.
|A network state container for host ip-address connected to zone zone-name was removed.
|User authentication succeeded when accessing the ASA.
|User authentication failed when attempting to access the ASA.
|The specified user logged out.
|The ASA denied an attempt to connect to the interface service.
|ASA is negotiating a tunnel as the initiator.
|An IPsec tunnel has been started.
|The ASA was not able to find security policy information for the private networks or hosts indicated in the message.
|NAT-Traversal auto-detected NAT.
|The ASA has received a duplicate of a previous Phase 1 or Phase 2 packet, and will transmit the last message.
|The ASA has received a duplicate first packet for a tunnel that the ASA is already aware of and negotiating.
|An error has occurred, which may be the result of a configuration error either on the headend or remote access client.
|This syslog ID is used for IKE warning messages which can display multiple other syslogs.
|Notification status information appears, which is used to track events that have occurred.
|Information status details appear, which are used to track events that have occurred.
|A remote WebVPN user has logged in successfully and the login information has been installed on the standby unit.
|The TCP or UDP connection was established with or without compression.
|The SVC terminated either with or without compression.
|The first SVC connection was established for the SVC session.
|A reconnection attempt has occurred. An SVC connection is replacing a previously closed connection.
|A large packet was sent to the client. The source of the packet may not be aware of the MTU of the client.
|An SVC connection was terminated for the given reason.
|The specified address has been assigned to the given user.
|The SSL handshake has started with the remote device, which can be a client or server.
|The SSL handshake has completed successfully with the remote device.
|The remote device is trying to resume a previous SSL session.
|The SSL handshake with the remote device has failed.
|The SSL session has terminated.
|With server-name indication (SNI), the certificate used for a given connection may not be the certificate configured on the interface.
|The specified object in the message has exceeded the specified burst threshold rate or average threshold rate.
|The DAP records that were selected for the connection are listed.
|The client has assigned the given address from a local pool.
|The ASA was unable to find any type of authentication information in the tunnel group that it could use to authenticate itself to the peer.
|Smart license authentication failed.
<166>COM-ASA %ASA-6-605005: Login permitted from 10.10.10.10/60358 to vpn:10.10.9.1/ssh for user "johndoe"
metadata.event_timestamp = "2021-08-05T11:12:35.013051Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Cisco"
metadata.product_name = "ASA"
metadata.product_event_type = "ASA-6-605005"
metadata.ingested_timestamp = "2021-08-05T11:12:35.013051Z"
principal.user.userid = "johndoe"
principal.ip = "10.10.10.10"
principal.port = 60358
target.ip = "10.10.9.1"
observer.hostname = "COM-ASA"
security_result.category_details = "605005"
security_result.action = "ALLOW"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "Informational message only"
network.application_protocol = "SSH"
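As an added example (not the Cyderes parser or Cisco code), the mapping above for message 605005 implemented as a small Python function: it parses the syslog PRI, hostname and %ASA tag, then maps the message body onto the UDM fields shown. The severity table, the GENERIC_EVENT fallback for unsupported IDs, and the line layout in HEADER_RE (no timestamp between the hostname and the %ASA tag) are assumptions of this example.

```python
import re
from typing import Optional

# Constructed sample line, copied from the example on this page (not live data).
SAMPLE = ('<166>COM-ASA %ASA-6-605005: Login permitted from 10.10.10.10/60358 '
          'to vpn:10.10.9.1/ssh for user "johndoe"')

# Syslog PRI, hostname, then the Cisco ASA tag "%ASA-<severity>-<message id>: <body>".
# Assumes no timestamp between hostname and tag, as in the page's sample line.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<host>\S+)\s+%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$')
# Body layout of message 605005 as shown on the page.
LOGIN_OK_RE = re.compile(
    r'^Login permitted from (?P<sip>[\d.]+)/(?P<sport>\d+) to '
    r'(?P<iface>[^:]+):(?P<dip>[\d.]+)/(?P<proto>\S+) for user "(?P<user>[^"]*)"$')

# Assumed mapping from the ASA severity digit (0 = emergency .. 7 = debug) to UDM.
SEVERITY = {'0': 'CRITICAL', '1': 'CRITICAL', '2': 'CRITICAL', '3': 'ERROR',
            '4': 'MEDIUM', '5': 'LOW', '6': 'INFORMATIONAL', '7': 'INFORMATIONAL'}


def parse_asa(line: str) -> Optional[dict]:
    """Return flat UDM-style fields for one ASA syslog line, or None when the
    line is not an ASA message at all (drop it rather than normalize it)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    udm = {
        'metadata.vendor_name': 'Cisco',
        'metadata.product_name': 'ASA',
        'metadata.product_event_type': f"ASA-{m['sev']}-{m['msgid']}",
        'observer.hostname': m['host'],
        'security_result.category_details': m['msgid'],
        'security_result.severity': SEVERITY[m['sev']],
    }
    if m['msgid'] == '605005':
        b = LOGIN_OK_RE.match(m['body'])
        if b:  # the interface name (b['iface']) is captured but not mapped
            udm.update({
                'metadata.event_type': 'USER_LOGIN',
                'principal.user.userid': b['user'],
                'principal.ip': b['sip'],
                'principal.port': int(b['sport']),
                'target.ip': b['dip'],
                'security_result.action': 'ALLOW',
                'network.application_protocol': b['proto'].upper(),
            })
            return udm
    # Unsupported or malformed messages keep only the header fields and fall back
    # to a generic event type (assumption); they are not normalized further.
    udm['metadata.event_type'] = 'GENERIC_EVENT'
    return udm
```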
This product currently does not have any Parser-based Alerting.