Using NSEL and Syslog Messages – Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 78 Configuring NetFlow Secure Event Logging (NSEL)
Information About NSEL
• Tracks flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.
• Triggers flow-update events and generates appropriate NSEL data records.
• Defines and exports templates that describe the progression of a flow. Templates describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it.
• Tracks configured NSEL collectors and delivers templates and data records to these configured NSEL collectors through NetFlow over UDP only.
• Sends template information periodically to NSEL collectors. Collectors receive template definitions, normally before receiving flow records.
• Filters NSEL events based on the traffic and event type through Modular Policy Framework, then sends records to different collectors. Traffic is matched based on the order in which classes are configured. After a match is found, no other classes are checked. The supported event types are flow-create, flow-denied, flow-teardown, flow-update, and all. Records can be sent to different collectors. For example, with two collectors, you can do the following:
  – Log all flow-denied events that match access list 1 to collector 1.
  – Log all flow-create events to collector 1.
  – Log all flow-teardown events to collector 2.
  – Log all flow-update events to collector 1.
• Delays the export of flow-create events.

Using NSEL and Syslog Messages
Table 78-1 lists the syslog messages that have an equivalent NSEL event, event ID, and extended event ID. The extended event ID provides more detail about the event (for example, which ACL—ingress or egress—has denied a flow).
Note
Enabling NetFlow to export flow information makes the syslog messages that are listed in Table 78-1 redundant. In the interest of performance, we recommend that you disable redundant syslog messages, because the same information is exported through NetFlow. You can enable or disable individual syslog messages by following the procedure in the “Disabling and Reenabling NetFlow-related Syslog Messages” section on page 78-9.

Table 78-1 Syslog Messages and Equivalent NSEL Events

| Syslog Message | Description | NSEL Event ID | NSEL Extended Event ID |
|---|---|---|---|
| 106100 | Generated whenever an ACL is encountered. | 1—Flow was created (if the ACL allowed the flow). 3—Flow was denied (if the ACL denied the flow). | 0—If the ACL allowed the flow. 1001—Flow was denied by the ingress ACL. 1002—Flow was denied by the egress ACL. |
| 106015 | A TCP flow was denied because the first packet was not a SYN packet. | 3—Flow was denied. | 1004—Flow was denied because the first packet was not a TCP SYN packet. |
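
The two-collector filtering example from the list under Information About NSEL, written out as an ASA configuration. This is an added example, not taken from the Cisco guide. The interface name, collector addresses, UDP port, ACL contents and the ACL and class names are constructed, and global_policy is assumed to be the policy map already applied globally.

```cisco
! Constructed values: interface "inside", collector 1 = 192.0.2.10,
! collector 2 = 192.0.2.20, UDP port 2055, ACL and class names.
access-list flow_export_acl extended permit ip host 198.51.100.5 any

! NSEL records are delivered over UDP only; declare each collector once.
flow-export destination inside 192.0.2.10 2055
flow-export destination inside 192.0.2.20 2055

class-map flow_export_class
 match access-list flow_export_acl

! Assumption: global_policy is already attached with
! "service-policy global_policy global".
policy-map global_policy
 ! Classes are checked in configured order and checking stops at the
 ! first match, so this class must list every event type wanted for
 ! traffic that matches the ACL, not only flow-denied.
 class flow_export_class
  flow-export event-type flow-denied destination 192.0.2.10
  flow-export event-type flow-create destination 192.0.2.10
  flow-export event-type flow-teardown destination 192.0.2.20
  flow-export event-type flow-update destination 192.0.2.10
 ! All remaining traffic: no flow-denied export, the other three
 ! event types go to the same collectors as above.
 class class-default
  flow-export event-type flow-create destination 192.0.2.10
  flow-export event-type flow-teardown destination 192.0.2.20
  flow-export event-type flow-update destination 192.0.2.10
```

With this policy, flow-denied events are exported only for traffic that matches flow_export_acl, so syslog messages 106100 and 106015 are redundant only for that traffic. Disabling them would remove the deny record for every other flow.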