Cisco ASA

Cisco Adaptive Security Appliance (ASA) devices are capable of sending their logs to a remote syslog destination via TCP or UDP. When sending logs over the network, TCP is the preferred protocol since packet loss is possible with UDP, especially when network traffic is high.

Log sample

Apr 15 2017 00:21:14 192.168.12.1 : %ASA-5-111010: User 'john', running 'CLI' from IP 0.0.0.0, executed 'dir disk0:/dap.xml'
Apr 15 2017 00:22:27 192.168.12.1 : %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:81.24.28.226 dst inside:72.142.17.10 (type 3, code 0) on outside interface. Original IP payload: udp src 72.142.17.10/40998 dst 194.153.237.66/53.
Apr 15 2017 00:22:42 192.168.12.1 : %ASA-3-710003: TCP access denied by ACL from 179.236.133.160/8949 to outside:72.142.18.38/23

For more details about configuring Cisco logging via syslog on Cisco ASA, see the Cisco configuration guide for the ASA or Adaptive Security Device Manager (ASDM) version in use.

The steps below have been tested with ASA 9.x and ASDM 7.x, but should also work with other versions.

Forwarding Cisco ASA logs over TCP

Configure NXLog Agent for receiving syslog via TCP (see the examples below), then restart NXLog Agent.
Make sure NXLog Agent is accessible from each of the ASA devices being configured.
Set up syslog logging using either the command line or ASDM. See the following sections.

Example 1. Receiving Cisco ASA logs

This example shows Cisco ASA logs as received and processed by NXLog Agent.

nxlog.conf

<Extension syslog>
    Module    xm_syslog
</Extension>

<Extension json>
    Module    xm_json
</Extension>

<Input in_syslog_tcp>
    Module    im_tcp
    Host      0.0.0.0
    Port      1514
    Exec      parse_syslog();
</Input>

<Output file>
    Module    om_file
    File      "/var/log/asa.log"
    Exec      to_json();

The following output log sample resulted from the input at the beginning of the chapter being processed by this configuration.

Output sample

{
  "MessageSourceAddress": "192.168.12.1",
  "EventReceivedTime": "2017-04-15 00:19:53",
  "SourceModuleName": "in_syslog_tcp",
  "SourceModuleType": "im_tcp",
  "SyslogFacilityValue": 20,
  "SyslogFacility": "LOCAL4",
  "SyslogSeverityValue": 5,
  "SyslogSeverity": "NOTICE",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Hostname": "192.168.12.1",
  "EventTime": "2017-04-15 00:21:14",
  "Message": "%ASA-5-111010: User 'john', running 'CLI' from IP 0.0.0.0, executed 'dir disk0:/dap.xml'"
}
{
  "MessageSourceAddress": "192.168.12.1",
  "EventReceivedTime": "2017-04-15 00:21:06",
  "SourceModuleName": "in_syslog_tcp",
  "SourceModuleType": "im_tcp",
  "SyslogFacilityValue": 20,
  "SyslogFacility": "LOCAL4",
  "SyslogSeverityValue": 4,
  "SyslogSeverity": "WARNING",
  "SeverityValue": 3,
  "Severity": "WARNING",
  "Hostname": "192.168.12.1",
  "EventTime": "2017-04-15 00:22:27",
  "Message": "%ASA-4-313005: No matching connection for ICMP error message: icmp src outside:81.24.28.226 dst inside:72.142.17.10 (type 3, code 0) on outside interface. Original IP payload: udp src 72.142.17.10/40998 dst 194.153.237.66/53."
}
{
  "MessageSourceAddress": "192.168.12.1",
  "EventReceivedTime": "2017-04-15 00:21:21",
  "SourceModuleName": "in_syslog_tcp",
  "SourceModuleType": "im_tcp",
  "SyslogFacilityValue": 20,
  "SyslogFacility": "LOCAL4",
  "SyslogSeverityValue": 3,
  "SyslogSeverity": "ERR",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "Hostname": "192.168.12.1",
  "EventTime": "2017-04-15 00:22:42",
  "Message": "%ASA-3-710003: TCP access denied by ACL from 179.236.133.160/8949 to outside:72.142.18.38/23"
}

The contents of the message can be parsed to extract additional fields.

Example 2. Extracting additional fields from Cisco logs

The following configuration uses regular expressions to parse additional key-value pairs from substrings embedded in the string value of $Message field. Once they have been parsed and added as new fields, a copy of the $Message field is made, given the name $ASAMessage, and assigned the remaining string value after the parsed substrings have been removed.

nxlog.conf

<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in_syslog_tcp>
    Module    im_tcp
    Host      0.0.0.0
    Port      1514
    <Exec>
        parse_syslog();
        if $Message =~ /^%(ASA)-(\d)-(\d{6}): (.*)$/
        {
            $ASASeverityNumber = $2;
            $ASAMessageID = $3;
            $ASAMessage = $4;
        }
    </Exec>
</Input>

Output sample

{
  "MessageSourceAddress": "192.168.12.1",
  "EventReceivedTime": "2017-04-15 14:27:04",
  "SourceModuleName": "in_syslog_tcp",
  "SourceModuleType": "im_tcp",
  "SyslogFacilityValue": 20,
  "SyslogFacility": "LOCAL4",
  "SyslogSeverityValue": 3,
  "SyslogSeverity": "ERR",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "Hostname": "  192.168.12.1",
  "EventTime": "2017-04-15 14:28:26",
  "Message": "%ASA-3-710003: TCP access denied by ACL from 117.247.81.21/52569 to outside:72.142.18.38/23",
  "ASASeverityNumber": "3",
  "ASAMessageID": "710003",
  "ASAMessage": "TCP access denied by ACL from 117.247.81.21/52569 to outside:72.142.18.38/23"
}

Further field extraction can be done based on message ID. Detailed information on existing IDs and their formats can be found in the Cisco ASA Series Syslog Messages book.

Example 3. Extracting fields according to the message ID

The following NXLog Agent configuration parses a very common firewall message: "TCP access denied by ACL". The regular expressions have been enhanced with pattern matching for parsing out the IP address/port for both the source and the destination.

nxlog.conf

<Extension syslog>
    Module    xm_syslog
</Extension>

<Input in_syslog_tcp>
    Module    im_tcp
    Host      0.0.0.0
    Port      1514
    <Exec>
        parse_syslog();
        if $Message =~ /(?x)^%ASA-3-710003:\ TCP\ access\ denied\ by\ ACL\ from
                        \ ([0-9.]*)\/([0-9]*)\ to\ outside:([0-9.]*)\/([0-9]*)/
        {
            $ASASeverityNumber = "3";
            $ASAMessageID = "710003";
            $ASAMessage = "TCP access denied by ACL";
            $ASASrcIP = $1;
            $ASASrcPort = $2;
            $ASADstIP = $3;
            $ASADstPort = $4;
        }
    </Exec>
</Input>

Output sample

{
  "MessageSourceAddress": "192.168.12.1",
  "EventReceivedTime": "2017-04-15 15:10:20",
  "SourceModuleName": "in_syslog_tcp",
  "SourceModuleType": "im_tcp",
  "SyslogFacilityValue": 20,
  "SyslogFacility": "LOCAL4",
  "SyslogSeverityValue": 3,
  "SyslogSeverity": "ERR",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "Hostname": "192.168.12.1",
  "EventTime": "2017-04-15 15:11:43",
  "Message": "%ASA-3-710003: TCP access denied by ACL from 119.80.179.109/2083 to outside:72.142.18.38/23",
  "ASASeverityNumber": "3",
  "ASAMessageID": "710003",
  "ASAMessage": "TCP access denied by ACL",
  "ASASrcIP": "119.80.179.109",
  "ASASrcPort": "2083",
  "ASADstIP": "72.142.18.38",
  "ASADstPort": "23"
}

Configuring via the command line

To configure Cisco ASA syslog logging from the command line, follow these steps.

Log in to the ASA device via SSH.
Enable logging.
```
# logging enable
```
In case of a High Availability (HA) pair, enable logging on the standby unit.
```
# logging standby
```
Specify the syslog facility. Replace FACILITY with a number from 16 to 23, corresponding to local0 through local7 (the default is 20, or local4).
```
# logging facility FACILITY
```
Specify the severity level. Replace LEVEL with a number from 0 to 7. Use the maximum level for which messages should be generated (severity level 3 will produce messages for levels 3, 2, 1, and 0). The levels correspond to the syslog severities.
```
# logging trap LEVEL
```
Allow ASA to pass traffic when the syslog server is not available.
```
# logging permit-hostdown
```
If logs are being sent via TCP and this setting is not configured, ASA will stop passing traffic when the syslog server is unavailable.
Configure the syslog host. Replace IP_ADDRESS and PORT with the remote IP address and port that NXLog Agent is listening on.
```
# logging host inside IP_ADDRESS tcp/PORT
```
To enable SSL/TLS for connections to NXLog Agent, add secure at the end of the above command. The im_ssl module will need to be used when configuring NXLog Agent.
Example 4. Redirecting logs to an IP address
This command configures 192.168.6.143 as the syslog host, with TCP port 1514.
# logging host inside 192.168.6.143 tcp/1514
Apply the configuration.
```
# write memory
```

Configuring via ASDM

To configure remote logging via Cisco ASDM, follow these steps.

Connect and log in to the GUI.
Go to Configuration > Device Management > Logging > Logging Setup and make sure Enable Logging is selected. In case of a High Availability (HA) pair, Enable logging on the failover standby unit should also be selected. Click Apply.
Go to Syslog Setup and specify the Facility Code (the default is 20). Click Apply.
Go to Logging Filters, select Syslog Servers, click Edit and specify the severity level. Click OK and then Apply.
Go to Syslog Servers and select Allow user traffic to pass when TCP syslog server is down. Click Apply.

This setting is important to avoid downtime during TCP logging in case the syslog server is unavailable.
Under Syslog Servers, click Add and specify the interface, remote IP address, protocol and port. Click OK and then Apply.

To enable SSL/TLS for connections to NXLog Agent, select the Enable secure syslog using SSL/TLS option. The im_ssl module will need to be used when configuring NXLog Agent.
Click Save to save the configuration.

NetFlow from Cisco ASA

NetFlow is a protocol used by Cisco devices that provides the ability to send details about network traffic to a remote destination. NXLog Agent is capable of receiving NetFlow logs. The steps below outline the configuration required to send information about traffic passing through Cisco ASA to NXLog Agent via UDP.

Configure NXLog Agent for receiving NetFlow data via UDP/2162 (see the example below). Then restart NXLog Agent.
Make sure NXLog Agent is accessible from each of the ASA devices being configured.
Set up NetFlow logging on Cisco ASA, using either the command line or ASDM. See the following sections.

The steps below have been tested with ASA 9.x and ASDM 7.x, but should work for other versions also.

Example 5. Receiving NetFlow logs

This example shows NetFlow logs as received and processed by NXLog Agent.

nxlog.conf

<Extension netflow>
    Module       xm_netflow
</Extension>

<Extension json>
    Module       xm_json
</Extension>

<Input in_netflow_udp>
    Module       im_udp
    Host         0.0.0.0
    Port         2162
    InputType    netflow
</Input>

<Output file>
    Module       om_file
    File         "/var/log/netflow.log"
    Exec         to_json();
</Output>

Output sample

{
  "Version": 9,
  "SysUpTimeMilisec": 2374222958,
  "ExportTime": "2017-05-17 18:39:05",
  "TimeMsecStart": "2017-05-17 18:38:04",
  "Protocol": 6,
  "SourcePort": 64394,
  "DestPort": 443,
  "SourceIpV4Address": "192.168.13.37",
  "DestIpV4Address": "172.217.3.135",
  "inputSNMPIface": 4,
  "outputSNMPIface": 3,
  "ASAeventTime": "2017-05-17 18:39:05",
  "ASAconnID": 41834207,
  "FNF_ICMPCode": 0,
  "FNF_ICMPType": 0,
  "ASAevent": 1,
  "ASAextEvent": 0,
  "ASA_XlateSourcePort": 64394,
  "ASA_XlateDestPort": 443,
  "ASA_V4XlateSourceAddr": "72.142.18.38",
  "ASA_V4XlateDestAddr": "172.217.3.135",
  "ASA_IngressACL": "433a1af1a925365e00000000",
  "ASA_EgressACL": "000000000000000000000000",
  "ASA_UserName20": "",
  "MessageSourceAddress": "192.168.12.1",
  "EventReceivedTime": "2017-05-17 18:36:32",
  "SourceModuleName": "udpin",
  "SourceModuleType": "im_udp"
}
{
  "Version": 9,
  "SysUpTimeMilisec": 2374222958,
  "ExportTime": "2017-05-17 18:39:05",
  "TimeMsecStart": "2017-05-17 18:38:04",
  "Protocol": 17,
  "SourcePort": 65080,
  "DestPort": 443,
  "SourceIpV4Address": "192.168.13.37",
  "DestIpV4Address": "216.58.216.206",
  "inputSNMPIface": 4,
  "outputSNMPIface": 3,
  "ASAeventTime": "2017-05-17 18:39:05",
  "ASAconnID": 41834203,
  "FNF_ICMPCode": 0,
  "FNF_ICMPType": 0,
  "ASAevent": 1,
  "ASAextEvent": 0,
  "ASA_XlateSourcePort": 65080,
  "ASA_XlateDestPort": 443,
  "ASA_V4XlateSourceAddr": "72.142.18.38",
  "ASA_V4XlateDestAddr": "216.58.216.206",
  "ASA_IngressACL": "433a1af1a925365e00000000",
  "ASA_EgressACL": "000000000000000000000000",
  "ASA_UserName20": "",
  "MessageSourceAddress": "192.168.12.1",
  "EventReceivedTime": "2017-05-17 18:36:32",
  "SourceModuleName": "udpin",
  "SourceModuleType": "im_udp"
}

Configuring NetFlow via the command line

To configure Cisco NetFlow logging, follow these steps.

Log in to ASA via SSH.
Create a NetFlow destination. Replace IP_ADDRESS and PORT with the address and port that NXLog Agent is listening on.
```
# flow-export destination inside IP_ADDRESS PORT
```
Create an access list matching the traffic that needs to be logged. Replace ACL_NAME with a name for the access list. Replace PROTOCOL, SOURCE_IP, and DESTINATION_IP with appropriate values corresponding to the traffic to be matched.
```
# access-list ACL_NAME extended permit PROTOCOL SOURCE_IP DESTINATION_IP
```
Create a class map with the access list. Replace ACL_NAME with the access list name used in the previous step.
```
# class-map global-class
# match access-list ACL_NAME
```
Add NetFlow destination to global policy. Replace IP_ADDRESS with the address that NXLog Agent is listening on.
```
# policy-map global_policy
# class global-class
# flow-export event-type all destination IP_ADDRESS
```

Example 6. Logging all traffic to an IP address

These commands enable NetFlow logging of all traffic to 192.168.6.143 via UDP port 2162.

# flow-export destination inside 192.168.6.143 2162
# access-list global_mpc extended permit ip any any
# class-map global-class
# match access-list global_mpc
# policy-map global_policy
# class global-class
# flow-export event-type all destination 192.168.6.143

Configuring NetFlow via ASDM

To configure Cisco ASA NetFlow logging via ASDM, follow these steps.

Connect and log in to the GUI.
Go to Configuration > Device Management > Logging > NetFlow.
Click Add and specify the interface, remote IP address, and port that NXLog Agent is listening on.
Go to Configuration > Firewall > Service Policy Rules.
Click Add, switch to Global, and click Next.
Select Source and Destination IP Address (uses ACL) and click Next.
Specify the source and destination criteria. The example below matches all traffic.
Go to the NetFlow tab and add the NetFlow destination created during the first step. Make sure the Send option is selected.
Click OK and Finish.

Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

NXLog Agent version 5.5.7535
Cisco ASA 9.x
Cisco ASDM 7.x

Last revision: 23 August 2022