Cisco ASA
Cisco ASA syslog: stateful connection builds/teardowns, ACL hits, NAT, VPN handshakes, IPS verdicts, failover and hardware alerts.
Enginsight Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (59)
Field | Description | Type |
---|---|---|
cisco.asa.event.msgRaw | Complete unparsed ASA syslog message text as received from the device. | string |
cisco.asa.srcPort | Source port number on the ASA from which the session originated. | pint |
cisco.asa.remoteAddressRange | CIDR block or range of remote IP addresses matched by the ASA policy. | string |
cisco.asa.remoteIp | Remote peer's IP address in the traffic flow. | string |
cisco.asa.subject | Certificate subject or identity string presented by the peer. | string |
cisco.asa.spiIn | Security Parameter Index (SPI) for inbound IPsec traffic. | string |
cisco.asa.user | Authenticated username associated with the session. | string |
cisco.asa.dstInterface | Logical interface on the ASA where the traffic was destined. | string |
cisco.asa.dropRateTotal | Total number of packets dropped on this interface since last reset. | plong |
cisco.asa.duration | Duration of the session or connection (in seconds). | string |
cisco.asa.proto | IP protocol used in the session (e.g., TCP, UDP, ESP). | string |
cisco.asa.spiOut | Security Parameter Index (SPI) for outbound IPsec traffic. | string |
cisco.asa.event.category | List of event category tags assigned by the ASA for logging purposes. | text_general [] |
cisco.asa.dstIp | Destination IP address on the ASA where the traffic was sent. | string |
cisco.asa.reason | Free-form text describing the cause of an event (e.g., deny reason). | text_general |
cisco.asa.threshold | Configured threshold value for rate-based events (e.g., connection rate limit). | plong |
cisco.asa.msgid | Numeric message ID corresponding to the ASA log message type. | string |
cisco.asa.localPort | Local port number on the ASA to which the session was destined. | pint |
cisco.asa.command | Administrative command issued in the ASA exec mode. | text_general |
cisco.asa.dstPort | Destination port number on the ASA to which the session was sent. | pint |
cisco.asa.session | Unique identifier for the ASA session, used to correlate log entries. | string |
cisco.asa.tunnelType | Type of VPN tunnel (e.g., RemoteAccess, SiteToSite). | string |
cisco.asa.event.parsingState | Parser state or stage when the ASA message was processed. | string |
cisco.asa.pool | Name of the IP address pool assigned to a remote access VPN user. | string |
cisco.asa.serialNumber | Serial number of the ASA appliance generating the log. | string |
cisco.asa.trustpoint | Name of the trustpoint (certificate authority) used for PKI operations. | string |
cisco.asa.remotePortRange | Range of remote ports matched by the ASA ACL or policy. | string |
cisco.asa.event.level | Numeric severity level of the ASA log message (0-7). | pint |
cisco.asa.event.id | Unique event ID for the specific ASA log entry. | plong |
cisco.asa.event.msg | Human-readable text of the ASA log message. | text_general |
cisco.asa.sessionType | Classification of the session (e.g., InsideToOutside, OutsideToInside). | string |
cisco.asa.spi | Combined SPI string for inbound and outbound IPsec SAs. | string |
cisco.asa.app | Application name or protocol identified by the ASA DPI engine. | string |
cisco.asa.group | VPN group or user group name assigned to the session. | string |
cisco.asa.srcInterface | ASA interface on which the traffic arrived. | string |
cisco.asa.bytesSent | Number of bytes sent to the remote peer. | plong |
cisco.asa.remotePort | Remote peer's port number in the session. | pint |
cisco.asa.issuer | Certificate authority that issued the peer's certificate. | string |
cisco.asa.bytesRecv | Number of bytes received from the remote peer. | plong |
cisco.asa.localProto | Protocol on the ASA side (e.g., tcp, udp) for the session. | string |
cisco.asa.msgSeverity | Textual severity string of the ASA log message (e.g., Informational, Warning). | string |
cisco.asa.bytes | Total bytes transferred (sent + received) in the session. | plong |
cisco.asa.policy | ACL or policy name that matched the traffic entry. | string |
cisco.asa.remoteProto | Protocol used by the remote peer (e.g., tcp, udp). | string |
cisco.asa.direction | Traffic direction relative to the ASA (inbound or outbound). | string |
cisco.asa.srcIp | Source IP address of the session on the ASA. | string |
cisco.asa.ipv6 | Flag or text indicating IPv6 usage (present if session uses IPv6). | string |
cisco.asa.server | Server identifier or hostname configured on the ASA. | string |
cisco.asa.new | Flag indicating a new session or SA creation. | string |
cisco.asa.dropRateBurst | Burst drop rate measured on the interface. | plong |
cisco.asa.ipv4 | Flag or text indicating IPv4 usage (present if session uses IPv4). | string |
cisco.asa.dropRateAverage | Average packet drop rate on the interface. | plong |
cisco.asa.userAgent | User-agent string if HTTP inspection is applied. | text_general |
cisco.asa.type | Message type or category (e.g., Log, Error, Config). | string |
cisco.asa.old | Previous value of a parameter before an update event. | string |
cisco.asa.code | Alphanumeric code representing the ASA message subtype. | string |
cisco.asa.localIp | Local IP address on the ASA for the session endpoint. | string |
cisco.asa.localPortRange | Range of local ports allocated for the session. | string |
cisco.asa.localAddressRange | Range of local IP addresses available for allocation. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.