Cisco ASA Log Analysis in Elastic


If you’re new to reviewing SIEM logs and you come across a Cisco firewall, you’ll find that Cisco ASA logs can be challenging to interpret. Unlike most other vendors, Cisco leaves the word “allowed” or “accepted” out of the log messages for permitted traffic. Take a Fortigate firewall for instance:

Pretty easy to tell that traffic was allowed through the firewall. Now here’s a Cisco ASA:

This is allowed traffic. As with the Fortigate we see the connection being built and then ended, but we never see the word “allowed”. Thanks Cisco. So what does denied traffic look like on the Cisco ASA?

There’s a lack of consistency here that can make those unfamiliar with the ASA say to themselves “ok, I see denied traffic, now let’s see allowed traffic” and then start to second-guess themselves when they don’t find anything that says “allowed”. But wait, there’s more! Just when you thought it made sense, there are other event types:

So what does this mean? Fortunately every ASA syslog message carries a six-digit message ID in its header (the 302013 in %ASA-6-302013), and Elastic’s Cisco ASA integration parses that ID into the event.code field. These codes tell you exactly what you’re looking at and are very helpful when you’re trying to wrap your brain around the log in front of you. Take this particular info event from above.

See that event.code field? Cisco can tell you exactly what your event means if you look that code up in their docs. At the time of this post, you can find those codes here: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html

So for this event, code 302013, Cisco tells us that a TCP connection between two hosts was built (the message text starts with “Built”). Its counterpart, 302014, is the teardown of that same connection. Neither message says “allowed”, but a packet that was denied never gets a connection built for it, so a Built/Teardown pair is your evidence that the traffic was permitted.
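To make the code lookup concrete, here is a small parser, added for this post and not part of the original, that pulls the message ID out of raw ASA syslog lines (the same value Elastic exposes as event.code), maps a handful of common IDs to an allowed/denied outcome, and handles the 106100 access-list message whose outcome is only visible in the message text. The KNOWN_CODES table is a starting point I assembled from the Cisco syslog guide linked above, not an exhaustive mapping, and the sample log lines are constructed in ASA format using documentation IP ranges rather than real traffic.

```python
import re
from collections import Counter
from typing import Optional

# Cisco ASA syslog header: "%ASA-<severity>-<message_id>: <text>". The six-digit
# message ID is the value Elastic's Cisco ASA integration surfaces as event.code.
ASA_HEADER = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<code>\d{6}):\s*(?P<text>.*)$")

# A few common message IDs and what they mean for traffic flow. Descriptions are
# paraphrased from Cisco's ASA syslog message guide; extend this table from those
# docs for the codes you actually see in your environment (assumption: this subset
# is enough to illustrate the allowed/denied split, it is not a complete list).
KNOWN_CODES = {
    "302013": ("Built TCP connection", "allowed"),
    "302014": ("Teardown TCP connection", "allowed"),
    "302015": ("Built UDP connection", "allowed"),
    "302016": ("Teardown UDP connection", "allowed"),
    "106023": ("Deny by access-group", "denied"),
    "106015": ("Deny TCP (no connection)", "denied"),
    # 106100 is an ACL log line whose text says "permitted" or "denied".
    "106100": ("access-list log", None),
}


def parse_asa(line: str) -> Optional[dict]:
    """Return severity, event.code, description and outcome for one ASA syslog
    line, or None if the line does not carry an ASA message header."""
    m = ASA_HEADER.search(line)
    if not m:
        return None
    code, text = m.group("code"), m.group("text")
    description, outcome = KNOWN_CODES.get(code, ("unknown message ID", "unknown"))
    if code == "106100":  # outcome lives in the message text, not in the ID
        if " permitted " in text:
            outcome = "allowed"
        elif " denied " in text:
            outcome = "denied"
        else:
            outcome = "unknown"
    return {
        "severity": int(m.group("severity")),
        "event.code": code,
        "description": description,
        "outcome": outcome,
        "text": text,
    }


def summarize(lines) -> dict:
    """Count parsed lines by outcome; lines without an ASA header are skipped."""
    counts = Counter()
    for line in lines:
        event = parse_asa(line)
        if event:
            counts[event["outcome"]] += 1
    return dict(counts)


# Constructed sample lines in ASA syslog format (documentation IP ranges, not real traffic).
SAMPLE_LINES = [
    "Jan 12 10:15:01 fw01 : %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.25/51234 (198.51.100.5/51234)",
    "Jan 12 10:15:02 fw01 : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:192.0.2.25/51234 duration 0:00:01 bytes 5321 TCP FINs",
    "Jan 12 10:15:03 fw01 : %ASA-4-106023: Deny tcp src outside:203.0.113.77/40000 dst inside:192.0.2.25/22 by access-group \"OUTSIDE_IN\" [0x0, 0x0]",
    "Jan 12 10:15:04 fw01 : %ASA-6-106100: access-list INSIDE_OUT permitted tcp inside/192.0.2.25(51235) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Jan 12 10:15:05 fw01 : %ASA-6-605005: Login permitted from 192.0.2.9/55000 to inside:192.0.2.1/ssh for user \"admin\"",
    "Jan 12 10:15:06 fw01 : some line with no ASA header",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = parse_asa(line)
        if event:
            print(f"{event['event.code']} {event['outcome']:<8} {event['description']}")
    print(summarize(SAMPLE_LINES))
```

Two things worth noticing in the output: the 605005 login event contains the word “permitted” but is not traffic at all, which is why the parser keys on the message ID first and only reads the text for 106100; and the severity digit (6 for the Built/Teardown messages, 4 for the access-group deny) is a quick hint but not a substitute for the code. In Kibana the same idea is a filter such as `event.code : 302013` rather than a free-text search for “allowed”.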

When you start looking through your logs, noting the event codes and looking them up, you’ll quickly learn the common ones for allowed and denied traffic. Filter on event.code rather than searching for words like “allowed”, and you’ll have a much better understanding of what you’re looking at!