Cisco Asa

LogZilla App Store application: Cisco Asa

Overview

Cisco Adaptive Security Appliance (ASA) is a network security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. ASA devices provide comprehensive security services for networks of all sizes, from small offices to large enterprise data centers.

App Function

The Cisco ASA app performs the following functions:

  • Parse Cisco ASA syslog messages and extract key network security information
  • Create user tags for source and destination IP addresses, ports, and interfaces
  • Process connection buildup and teardown events for network monitoring
  • Extract user authentication and authorization details
  • Generate mapped IP address information for NAT translations

Vendor Documentation

Log Source Details

| Item | Value |
|------|-------|
| Vendor | Cisco |
| Device Type | Adaptive Security Appliance (ASA) |
| Collection Method | Syslog |
| Configurable Log Output? | yes |
| Log Source Type | key-value |
| Exceptions | N/A |

Incoming Log Format

Cisco ASA logs use standard syslog format with Cisco mnemonic identifiers. Messages follow the pattern:

%ASA-[severity]-[message_id]: [message_text]

The message text contains structured information about security events, connection states, authentication attempts, and network translations.

Parsed Metadata Fields

The Cisco ASA app extracts the following user tags from log messages:

| Tag Name | Example | Description |
|----------|---------|-------------|
| SrcIP | 192.168.1.100 | Source IP address |
| DstIP | 10.0.0.50 | Destination IP address |
| SrcIP Mapped | 203.0.113.10 | Mapped source IP (NAT) |
| DstIP Mapped | 198.51.100.20 | Mapped destination IP (NAT) |
| SrcInt | inside | Source interface name |
| DstInt | outside | Destination interface name |
| SrcPort | 443 | Source port number |
| DstPort | 80 | Destination port number |
| User | john.doe | Username for authentication events |
| Protocol | TCP | Network protocol |

High-Cardinality (HC) Tags

  • SrcIP
  • DstIP
  • SrcIP Mapped
  • DstIP Mapped

Supported Message Types

The app processes various ASA message types including:

  • 110002: Failed to locate egress interface
  • 113009: AAA retrieved default group policy
  • 305009: Built dynamic/static translation (NAT)
  • 305010: Teardown dynamic/static translation
  • 106023: Connection denied
  • 106100: Access-list denied
  • 302013: Built inbound TCP connection
  • 302014: Teardown TCP connection
  • 302015: Built UDP connection
  • 302016: Teardown UDP connection

Log Examples

Dynamic NAT Translation

%ASA-6-305009: Built dynamic translation from inside:192.168.1.100 to outside:203.0.113.10

Connection Buildup

%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:192.168.1.100/54321 (192.168.1.100/54321)

Access Denied

%ASA-4-106023: Deny tcp src outside:203.0.113.100/12345 dst inside:192.168.1.50/80 by access-group "outside_access_in" [0x0, 0x0]

Authentication Event

%ASA-6-113009: AAA retrieved default group policy (VPN_Policy) for user = john.doe
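
The following Python sketch shows how the header pattern and the four log examples above map onto the tag names in the Parsed Metadata Fields table. It is an added example, not LogZilla's app code. Assumptions: the first endpoint in a message is tagged as the source, and `Severity`, `MessageID`, `ep` and `parse_asa` are hypothetical names introduced here.

```python
import re

# Header pattern from the page: %ASA-[severity]-[message_id]: [message_text]
HEADER = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)")

def ep(p, mapped=False):
    """Regex for 'interface:address/port', optionally plus '(mapped-address/port)'."""
    s = rf"(?P<{p}Int>[^\s:]+):(?P<{p}IP>[^\s/]+)/(?P<{p}Port>\d+)"
    return s + (rf" \((?P<{p}IP_Mapped>[^\s/]+)/\d+\)" if mapped else "")

# One body pattern per message ID. Group names become tag names ("_" -> " ").
# Assumption: the first endpoint in a message is tagged as the source.
BODY = {
    "305009": re.compile(r"Built (?:dynamic|static) translation from "
                         r"(?P<SrcInt>[^\s:]+):(?P<SrcIP>\S+) to "
                         r"(?P<DstInt>[^\s:]+):(?P<SrcIP_Mapped>\S+)"),
    "302013": re.compile(r"Built (?:inbound|outbound) (?P<Protocol>TCP) connection \d+ for "
                         + ep("Src", True) + " to " + ep("Dst", True)),
    "106023": re.compile(r"Deny (?P<Protocol>\S+) src " + ep("Src") + " dst " + ep("Dst")
                         + " by access-group"),
    "113009": re.compile(r"AAA retrieved default group policy \([^)]*\) for user = (?P<User>\S+)"),
}

def parse_asa(line):
    """Return a dict of tags, or None if the line carries no %ASA header."""
    h = HEADER.search(line)
    if h is None:
        return None
    tags = {"Severity": int(h["severity"]), "MessageID": h["msg_id"]}
    body = BODY.get(h["msg_id"])
    m = body.match(h["text"]) if body else None
    if m:  # unknown IDs or unexpected text keep only the header fields
        tags.update({k.replace("_", " "): v for k, v in m.groupdict().items()})
    if "Protocol" in tags:
        tags["Protocol"] = tags["Protocol"].upper()
    return tags

# The four lines from "Log Examples" on this page, plus two constructed edge cases.
SAMPLES = [
    '%ASA-6-305009: Built dynamic translation from inside:192.168.1.100 to outside:203.0.113.10',
    '%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:192.168.1.100/54321 (192.168.1.100/54321)',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.100/12345 dst inside:192.168.1.50/80 by access-group "outside_access_in" [0x0, 0x0]',
    '%ASA-6-113009: AAA retrieved default group policy (VPN_Policy) for user = john.doe',
    '%ASA-6-999999: constructed message with an ID that has no body pattern',
    'constructed line without an ASA header',
]
```

Lines with an unrecognized message ID or unexpected body text still return the severity and message ID, so they can be counted rather than silently dropped.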