Using nsel and syslog messages – Cisco ASA 5505 User Manual


78-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 78 Configuring NetFlow Secure Event Logging (NSEL)

Information About NSEL

• Tracks flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.

• Triggers flow-update events and generates appropriate NSEL data records.

• Defines and exports templates that describe the progression of a flow. Templates describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it.

• Tracks configured NSEL collectors and delivers templates and data records to these configured NSEL collectors through NetFlow over UDP only.

• Sends template information periodically to NSEL collectors. Collectors receive template definitions, normally before receiving flow records.

• Filters NSEL events based on the traffic and event type through Modular Policy Framework, then sends records to different collectors. Traffic is matched based on the order in which classes are configured. After a match is found, no other classes are checked. The supported event types are flow-create, flow-denied, flow-teardown, flow-update, and all. Records can be sent to different collectors. For example, with two collectors, you can do the following:
  – Log all flow-denied events that match access list 1 to collector 1.
  – Log all flow-create events to collector 1.
  – Log all flow-teardown events to collector 2.
  – Log all flow-update events to collector 1.

• Delays the export of flow-create events.
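The two-collector example above, written out as an ASA CLI configuration. This is an added example, not a configuration from the guide; the collector addresses (192.0.2.10 as collector 1, 192.0.2.20 as collector 2), the interface name, the UDP port, and the ACL and class names are assumed. Because a flow is matched against classes in order and only the first matching class applies, the class that matches the ACL must also carry the create, teardown, and update exports; otherwise flows matching that ACL would produce only flow-denied records.

```cisco
! Collector 1 and collector 2, reachable through the inside interface (addresses assumed)
flow-export destination inside 192.0.2.10 2055
flow-export destination inside 192.0.2.20 2055

! Resend templates every 10 minutes so a restarted collector can decode records again
flow-export template timeout-rate 10

! Hold flow-create records for 15 seconds; flows that end sooner produce only a teardown record
flow-export delay flow-create 15

! "access list 1" of the example: the traffic whose denied flows go to collector 1 (scope assumed)
access-list NSEL_ACL1 extended permit ip any 10.0.0.0 255.255.255.0

class-map NSEL_CLASS1
 match access-list NSEL_ACL1

policy-map global_policy
 ! First matching class wins, so this class must carry every event type it should export
 class NSEL_CLASS1
  flow-export event-type flow-denied destination 192.0.2.10
  flow-export event-type flow-create destination 192.0.2.10
  flow-export event-type flow-teardown destination 192.0.2.20
  flow-export event-type flow-update destination 192.0.2.10
 ! All other traffic: no flow-denied export, the remaining event types as in the example
 class class-default
  flow-export event-type flow-create destination 192.0.2.10
  flow-export event-type flow-teardown destination 192.0.2.20
  flow-export event-type flow-update destination 192.0.2.10

service-policy global_policy global

! Disable the syslog messages that NSEL now exports in duplicate (see the Note below)
logging flow-export-syslogs disable
```

Verify the result with show flow-export counters on the ASA and by confirming that each collector receives template records before the first data records; a collector that sees data records it cannot decode is usually one that started after the last template refresh.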

Using NSEL and Syslog Messages

Table 78-1 lists the syslog messages that have an equivalent NSEL event, event ID, and extended event ID. The extended event ID provides more detail about the event (for example, which ACL—ingress or egress—has denied a flow).

Note: Enabling NetFlow to export flow information makes the syslog messages that are listed in Table 78-1 redundant. In the interest of performance, we recommend that you disable redundant syslog messages, because the same information is exported through NetFlow. You can enable or disable individual syslog messages by following the procedure in the “Disabling and Reenabling NetFlow-related Syslog Messages” section on page 78-9.

Table 78-1 Syslog Messages and Equivalent NSEL Events

Syslog Message: 106100
  Description: Generated whenever an ACL is encountered.
  NSEL Event ID:
    1—Flow was created (if the ACL allowed the flow).
    3—Flow was denied (if the ACL denied the flow).
  NSEL Extended Event ID:
    0—If the ACL allowed the flow.
    1001—Flow was denied by the ingress ACL.
    1002—Flow was denied by the egress ACL.

Syslog Message: 106015
  Description: A TCP flow was denied because the first packet was not a SYN packet.
  NSEL Event ID:
    3—Flow was denied.
  NSEL Extended Event ID:
    1004—Flow was denied because the first packet was not a TCP SYN packet.
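A practical use of Table 78-1 is to let a SIEM treat the syslog feed and the NSEL feed as one event stream while the redundant messages are being turned off. The following Python is an added example, not code from the Cisco guide: it maps 106100 and 106015 syslog lines onto the NSEL event and extended event IDs from the table, maps already-decoded NSEL records the other way to their equivalent syslog ID, and lists which enabled syslog IDs the Note says become redundant. The sample syslog lines are constructed in the standard ASA message layout, the NSEL record keys (event, ext_event, src, dst) are this example's own names rather than NetFlow field identifiers, and decoding the NetFlow packet itself is outside its scope.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# NSEL event IDs and extended event IDs as listed in Table 78-1
FW_EVENT = {1: "flow created", 3: "flow denied"}
FW_EXT_EVENT = {
    0: "ACL allowed the flow",
    1001: "flow denied by the ingress ACL",
    1002: "flow denied by the egress ACL",
    1004: "flow denied because the first packet was not a TCP SYN",
}
# (event ID, extended event ID) -> equivalent syslog message ID, per Table 78-1
NSEL_TO_SYSLOG = {(1, 0): 106100, (3, 1001): 106100, (3, 1002): 106100, (3, 1004): 106015}
# Syslog messages the Note says become redundant once NSEL export is enabled
SYSLOGS_COVERED_BY_NSEL = frozenset(NSEL_TO_SYSLOG.values())

# Constructed sample lines in the standard ASA syslog layout (not captured from a device)
SAMPLE_SYSLOG = [
    "%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(51234) -> "
    "inside/10.0.0.8(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.9(40000) -> "
    "inside/10.0.0.8(443) hit-cnt 1 first hit [0x0, 0x0]",
    "%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/3333 to 10.0.0.8/80 "
    "flags ACK on interface outside",
]


@dataclass
class FlowEvent:
    """One normalised firewall flow event, whichever feed it came from."""
    feed: str                    # "syslog" or "nsel"
    syslog_id: int               # 106100 or 106015
    event_id: int                # NSEL event ID (1 or 3)
    ext_event_id: Optional[int]  # NSEL extended event ID; None when the feed does not carry it
    src: str
    dst: str
    detail: str


RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<sif>[^/]+)/(?P<sip>\S+)\((?P<sport>\d+)\) -> (?P<dif>[^/]+)/(?P<dip>\S+)\((?P<dport>\d+)\)"
)
RE_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from (?P<sip>\S+)/(?P<sport>\d+) "
    r"to (?P<dip>\S+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)


def parse_syslog(line: str) -> Optional[FlowEvent]:
    """Classify an ASA 106100/106015 syslog line with the NSEL IDs from Table 78-1."""
    m = RE_106100.search(line)
    if m:
        src, dst = f"{m['sip']}:{m['sport']}", f"{m['dip']}:{m['dport']}"
        if m["action"] == "permitted":
            return FlowEvent("syslog", 106100, 1, 0, src, dst, f"ACL {m['acl']} allowed the flow")
        # Table 78-1 splits a denial into 1001 (ingress ACL) and 1002 (egress ACL); the syslog
        # text does not say which direction matched, so the extended ID is left unset here.
        return FlowEvent("syslog", 106100, 3, None, src, dst, f"ACL {m['acl']} denied the flow")
    m = RE_106015.search(line)
    if m:
        src, dst = f"{m['sip']}:{m['sport']}", f"{m['dip']}:{m['dport']}"
        return FlowEvent("syslog", 106015, 3, 1004, src, dst, FW_EXT_EVENT[1004])
    return None  # not one of the two messages Table 78-1 covers


def nsel_to_event(record: dict) -> FlowEvent:
    """Normalise a decoded NSEL data record (keys event/ext_event/src/dst are this example's own)."""
    key = (record["event"], record["ext_event"])
    if key not in NSEL_TO_SYSLOG:
        raise ValueError(f"event/extended-event pair {key} is not listed in Table 78-1")
    detail = f"{FW_EVENT[key[0]]}: {FW_EXT_EVENT[key[1]]}"
    return FlowEvent("nsel", NSEL_TO_SYSLOG[key], key[0], key[1], record["src"], record["dst"], detail)


def redundant_syslogs(enabled_ids: Iterable[int]) -> List[int]:
    """Enabled syslog IDs that NSEL already exports; candidates for 'no logging message <id>'."""
    return sorted(set(enabled_ids) & SYSLOGS_COVERED_BY_NSEL)


if __name__ == "__main__":
    for line in SAMPLE_SYSLOG:
        print(parse_syslog(line))
    print(nsel_to_event({"event": 3, "ext_event": 1002, "src": "203.0.113.5:51234", "dst": "10.0.0.8:22"}))
    print("redundant once NSEL is on:", redundant_syslogs([106100, 106015, 302013]))
```

The asymmetry in the denied case is worth keeping in mind when comparing the two feeds: an NSEL record tells you whether the ingress or egress ACL dropped the flow, the 106100 message does not, which is one reason the NSEL record is the better source once both are available.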
