Cisco ASA Content Pack
The Cisco ASA (Adaptive Security Appliance) is a multipurpose firewall appliance from Cisco, typically used for packet filtering but also supporting stateful inspection, application inspection, NAT, DHCP, routing, and VPN. This technology pack processes Cisco ASA and Firepower logs, providing normalization and enrichment of common events of interest.
Supported Version(s)
- Cisco ASA: up to version 9.x
- Cisco Firepower: 7.1 and higher
Requirements
- Configure Cisco ASA device(s) to transmit syslog to your Graylog server syslog input. See Cisco's documentation, Configure Adaptive Security Appliance (ASA) Syslog, for details.
- Graylog raw or syslog input. The ASA syslog format may be rejected by a standard Graylog syslog input because it is not RFC-compliant; configure RFC 5424 output on the ASA to use a syslog input, or send the logs to a raw input instead.
- Graylog Server 5.0.3 or later with a valid Enterprise license.
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:Cisco Device Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "Cisco Devices Event Log Messages"
Log Format Example
```text
%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.168.1.100/54321 (192.168.1.100/54321)
%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443 to inside:192.168.1.100/54321 duration 0:00:05 bytes 4096 TCP FINs
%ASA-4-106023: Deny tcp src outside:91.218.115.144/42778 dst outside:12.41.64.11/53 by access-group "outside_access_in_1" [0x0, 0x0]
%ASA-6-605005: Login permitted from 192.168.1.10/22 to inside:192.168.1.1/ssh for user "admin"
%ASA-3-605004: Login failed from 192.168.1.10/22 to inside:192.168.1.1/ssh for user "baduser"
%ASA-5-111007: Begin configuration: 192.168.0.100 reading from http [POST]
%ASA-5-111008: User 'admin' executed the 'show running-config' command.
Jul 13 2021 14:13:19: %FTD-6-302014: Teardown TCP connection 8065 for inside:10.10.0.100/50511 to identity:172.10.124.136/51311 duration 0:00:00 bytes 422 TCP Reset-I
%ASA-1-338002: Threat-detection detected a host scan from outside:91.218.115.1, average rate 30 acl-drop per sec, is above configured rate-interval
%ASA-3-106001: Inbound TCP connection denied from 91.218.115.1/1234 to 192.168.1.1/80 flags SYN on interface outside
```
What is Provided
- Parsing rules to extract Cisco ASA and Firepower logs into Graylog schema compatible fields.
- Field extraction, normalization, and message enrichment for all supported event IDs.
- GIM event categorization for 300+ event IDs.
- Cisco ASA Spotlight dashboards: ASA/Firepower Overview (Overview, Network, Device Authentication, High Priority Messages tabs) and IDS/IPS Messages.
Events Processed by This Technology Pack
This technology pack supports parsing and enrichment for the following Cisco message type prefixes (all normalized to `event_source_product = CISCO-ASA`):
- %ASA
- %FTD
- %NGIPS
- %NGFW
GIM Categorization
GIM categorization is provided for the following event codes:
| cisco_event_code | gim_event_type_code | gim_event_type |
|---|---|---|
| 106001 | 120000 | network connection |
| 106002 | 120000 | network connection |
| 106006 | 120000 | network connection |
| 106007 | 120000 | network connection |
| 106015 | 120000 | network connection |
| 106016 | 300001 | network detection |
| 106017 | 300001 | network detection |
| 106018 | 120000 | network connection |
| 106100 | 120000 | network connection |
| 106102 | 120000 | network connection |
| 106103 | 120000 | network connection |
| 110002 | 120000 | network connection |
| 110003 | 120100 | network routing |
| 111007 | 211000 | service configuration change |
| 111008 | 211000 | service configuration change |
| 111009 | 211000 | service configuration change |
| 111010 | 211000 | service configuration change |
| 113004 | 100000 | logon |
| 113005 | 100000 | logon |
| 113006 | 102500 | logoff |
| 113007 | 112000 | account unlocked |
| 113008 | 100000 | logon |
| 113012 | 100000 | logon |
| 113021 | 100000 | logon |
| 302013 | 120200 | network connection initiated |
| 302014 | 120300 | network connection ended |
| 302015 | 120200 | network connection initiated |
| 302016 | 120300 | network connection ended |
| 302018 | 120300 | network connection ended |
| 302022 | 120200 | network connection initiated |
| 302023 | 120300 | network connection ended |
| 302024 | 120200 | network connection initiated |
| 302025 | 120300 | network connection ended |
| 302026 | 120200 | network connection initiated |
| 302027 | 120300 | network connection ended |
| 302036 | 120300 | network connection ended |
| 302303 | 120200 | network connection initiated |
| 302304 | 120300 | network connection ended |
| 302306 | 120300 | network connection ended |
| 313004 | 120000 | network connection |
| 338001 | 309999 | detection_message |
| 338002 | 309999 | detection_message |
| 338003 | 309999 | detection_message |
| 338004 | 309999 | detection_message |
| 338005 | 309999 | detection_message |
| 338006 | 309999 | detection_message |
| 338007 | 309999 | detection_message |
| 338008 | 309999 | detection_message |
| 338201 | 309999 | detection_message |
| 338202 | 309999 | detection_message |
| 338203 | 309999 | detection_message |
| 338204 | 309999 | detection_message |
| 400000 | 300001 | network detection |
| 400001 | 300001 | network detection |
| 400002 | 300001 | network detection |
| 400003 | 300001 | network detection |
| 400004 | 300001 | network detection |
| 400005 | 300001 | network detection |
| 400006 | 300001 | network detection |
| 400007 | 300001 | network detection |
| 400008 | 300001 | network detection |
| 400009 | 300001 | network detection |
| 400010 | 300001 | network detection |
| 400011 | 300001 | network detection |
| 400012 | 300001 | network detection |
| 400013 | 300001 | network detection |
| 400014 | 300001 | network detection |
| 400015 | 300001 | network detection |
| 400016 | 300001 | network detection |
| 400017 | 300001 | network detection |
| 400018 | 300001 | network detection |
| 400019 | 300001 | network detection |
| 400020 | 300001 | network detection |
| 400021 | 300001 | network detection |
| 400022 | 300001 | network detection |
| 400023 | 300001 | network detection |
| 400024 | 300001 | network detection |
| 400025 | 300001 | network detection |
| 400026 | 300001 | network detection |
| 400027 | 300001 | network detection |
| 400028 | 300001 | network detection |
| 400029 | 300001 | network detection |
| 400030 | 300001 | network detection |
| 400031 | 300001 | network detection |
| 400032 | 300001 | network detection |
| 400033 | 300001 | network detection |
| 400034 | 300001 | network detection |
| 400035 | 300001 | network detection |
| 400036 | 300001 | network detection |
| 400037 | 300001 | network detection |
| 400038 | 300001 | network detection |
| 400039 | 300001 | network detection |
| 400040 | 300001 | network detection |
| 400041 | 300001 | network detection |
| 400042 | 300001 | network detection |
| 400043 | 300001 | network detection |
| 400044 | 300001 | network detection |
| 400045 | 300001 | network detection |
| 400046 | 300001 | network detection |
| 400047 | 300001 | network detection |
| 400048 | 300001 | network detection |
| 400049 | 300001 | network detection |
| 400050 | 300001 | network detection |
| 410002 | 120000 | network connection |
| 421001 | 120000 | network connection |
| 500005 | 120000 | network connection |
| 502101 | 110000 | account created |
| 502102 | 110500 | account deleted |
| 507003 | 120000 | network connection |
| 604103 | 299999 | dhcp default event |
| 605004 | 100000 | logon |
| 605005 | 100000 | logon |
| 606001 | 100000 | logon |
| 606002 | 102500 | logoff |
| 606003 | 100000 | logon |
| 606004 | 102500 | logoff |
| 611101 | 100500 | credential validation |
| 611102 | 100500 | credential validation |
| 611103 | 102500 | logoff |
| 710002 | 120000 | network connection |
| 710003 | 120000 | network connection |
| 710005 | 120000 | network connection |
| 710006 | 120000 | network connection |
| 746014 | 140200 | dns response |
| 746015 | 140200 | dns response |
| 746016 | 140300 | dns error |
| 772003 | 100000 | logon |
| 772004 | 100000 | logon |
| 772005 | 100000 | logon |
| 772006 | 100000 | logon |
| 815002 | 120000 | network connection |
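The message header shared by all four prefixes (`%ASA-<severity>-<event code>:`), the sample lines in the Log Format Example section, and the GIM table above can be combined into a small parser. The following is an added example written for this page; it is not the content pack's own pipeline rules. It locates the Cisco header anywhere in the line with a regex search, so a leading FTD timestamp or an RFC 5424 header (the requirement noted above) does not affect parsing, then extracts the event code and severity, attaches the GIM codes from a constructed subset of the table, and pulls connection, ACL, login, command and threat-detection fields out of the body. The field names `cisco_event_code`, `gim_event_type_code`, `gim_event_type` and `event_source_product` come from the page; all other output field names (`source_ip`, `destination_port`, `user_name`, `rule_name`, `network_direction`, and so on) are assumptions chosen to resemble Graylog schema naming. Note that 106023, although it appears in the log examples, is not in the GIM table, so it parses without a GIM category.

```python
"""Parse Cisco ASA/FTD/NGIPS/NGFW syslog lines and attach GIM categorization.

Added example for this page; not the content pack's own pipeline rules.
"""
import re
from typing import Dict, Optional

# Constructed subset of the page's GIM table, keyed by cisco_event_code.
# The real pack covers 300+ codes; these are enough to exercise the parser.
GIM_BY_EVENT_CODE = {
    106001: (120000, "network connection"),
    111007: (211000, "service configuration change"),
    111008: (211000, "service configuration change"),
    302013: (120200, "network connection initiated"),
    302014: (120300, "network connection ended"),
    338002: (309999, "detection_message"),
    605004: (100000, "logon"),
    605005: (100000, "logon"),
}

# The Cisco header is found with search(), not match(), so that anything in
# front of it (an FTD timestamp, an RFC 5424 header, a hostname) is tolerated.
HEADER_RE = re.compile(
    r"%(?P<prefix>ASA|FTD|NGIPS|NGFW)-(?P<severity>[0-7])-(?P<code>\d{6}):\s+(?P<body>.*)$"
)

IP = r"\d{1,3}(?:\.\d{1,3}){3}"  # kept out of the f-strings below because of the braces

# Body patterns for the message types shown in the page's log examples.
# Group names become output field names (assumed, Graylog-schema style).
BODY_PATTERNS = [
    # 302013 / 302014: connection built or torn down, optional direction,
    # optional "(ip/port)" echo after the source, optional duration/bytes.
    re.compile(
        rf"(?P<action>Built|Teardown)\s+(?:(?P<network_direction>inbound|outbound)\s+)?"
        rf"(?P<network_transport>TCP|UDP|ICMP)\s+connection\s+(?P<connection_id>\d+)\s+for\s+"
        rf"(?P<source_interface>[\w-]+):(?P<source_ip>{IP})/(?P<source_port>\d+)\s+"
        rf"(?:\([^)]*\)\s+)?to\s+"
        rf"(?P<destination_interface>[\w-]+):(?P<destination_ip>{IP})/(?P<destination_port>\d+)"
        rf"(?:.*?duration\s+(?P<duration>[\d:]+)\s+bytes\s+(?P<network_bytes>\d+))?"
    ),
    # 106023: packet denied by an access-group
    re.compile(
        rf"Deny\s+(?P<network_transport>\w+)\s+src\s+(?P<source_interface>[\w-]+):(?P<source_ip>{IP})/(?P<source_port>\d+)"
        rf"\s+dst\s+(?P<destination_interface>[\w-]+):(?P<destination_ip>{IP})/(?P<destination_port>\d+)"
        rf'\s+by\s+access-group\s+"(?P<rule_name>[^"]+)"'
    ),
    # 106001: inbound connection denied with TCP flags and the receiving interface
    re.compile(
        rf"(?P<network_direction>Inbound|Outbound)\s+(?P<network_transport>\w+)\s+connection\s+denied\s+from\s+"
        rf"(?P<source_ip>{IP})/(?P<source_port>\d+)\s+to\s+(?P<destination_ip>{IP})/(?P<destination_port>\d+)"
        rf"\s+flags\s+(?P<tcp_flags>.+?)\s+on\s+interface\s+(?P<interface>[\w-]+)"
    ),
    # 605004 / 605005: management login permitted or failed
    re.compile(
        rf"Login\s+(?P<outcome>permitted|failed)\s+from\s+(?P<source_ip>{IP})/(?P<source_port>\d+)\s+to\s+"
        rf"(?P<destination_interface>[\w-]+):(?P<destination_ip>{IP})/(?P<service_name>\w+)\s+for\s+user\s+"
        rf'"(?P<user_name>[^"]+)"'
    ),
    # 111008: command executed by an administrator
    re.compile(r"User\s+'(?P<user_name>[^']+)'\s+executed\s+the\s+'(?P<command_line>[^']+)'\s+command"),
    # 338002: threat-detection scan notice
    re.compile(
        rf"Threat-detection\s+detected\s+a\s+(?P<threat_name>[\w ]+?)\s+from\s+"
        rf"(?P<source_interface>[\w-]+):(?P<source_ip>{IP})"
    ),
]

INT_FIELDS = ("source_port", "destination_port", "connection_id", "network_bytes")


def parse_asa_line(line: str) -> Optional[Dict[str, object]]:
    """Return normalized fields for a Cisco ASA-family line, or None if it is not one."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    fields: Dict[str, object] = {
        "event_source_product": "CISCO-ASA",  # the page's normalization for all four prefixes
        "cisco_message_prefix": m.group("prefix"),
        "vendor_event_severity": int(m.group("severity")),
        "cisco_event_code": code,
    }
    gim = GIM_BY_EVENT_CODE.get(code)
    if gim is not None:
        fields["gim_event_type_code"], fields["gim_event_type"] = gim
    for pattern in BODY_PATTERNS:
        bm = pattern.search(m.group("body"))
        if bm:
            fields.update({k: v for k, v in bm.groupdict().items() if v is not None})
            break
    # Normalization: numeric ports/counters, lowercase enums, success/failure outcome.
    for key in INT_FIELDS:
        if key in fields:
            fields[key] = int(str(fields[key]))
    for key in ("network_transport", "network_direction"):
        if key in fields:
            fields[key] = str(fields[key]).lower()
    if "outcome" in fields:
        fields["event_outcome"] = "success" if fields.pop("outcome") == "permitted" else "failure"
    return fields


if __name__ == "__main__":
    sample = "Jul 13 2021 14:13:19: %FTD-6-302014: Teardown TCP connection 8065 for inside:10.10.0.100/50511 to identity:172.10.124.136/51311 duration 0:00:00 bytes 422 TCP Reset-I"
    print(parse_asa_line(sample))
```

Lines whose event code is not in the mapping still yield the header fields, which is the useful behaviour for a pack that categorizes 300+ of a much larger set of codes: the event is searchable by `cisco_event_code` even before a GIM type is assigned to it.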
Cisco ASA Spotlight
The Cisco ASA Spotlight offers two dashboards for monitoring Cisco ASA and Firepower events: an ASA/Firepower Overview dashboard with four tabs (Overview, Network, Device Authentication, High Priority Messages) and an IDS/IPS Messages dashboard.
- ASA/Firepower Overview (tabs: Overview, Network, Device Authentication, High Priority Messages)
- IDS/IPS Messages
