Cisco ASA Syslog Analysis
This skill teaches you how to read, parse, and interpret log messages generated by Cisco ASA firewalls. All ASA logs are delivered via the syslog protocol, so understanding syslog is foundational before working with ASA-specific content.
Part 1: Syslog Protocol Foundation
All Cisco ASA log messages are transported and formatted using the syslog standard (RFC 3164 / RFC 5424). You must understand syslog before interpreting ASA messages.
Severity Levels
Every syslog message carries a numeric severity (0 = most critical, 7 = least critical):
| Level | Keyword | Meaning |
|---|---|---|
| 0 | Emergency | System is unusable |
| 1 | Alert | Immediate action required |
| 2 | Critical | Critical conditions |
| 3 | Error | Error conditions |
| 4 | Warning | Warning conditions |
| 5 | Notice | Normal but significant events |
| 6 | Informational | Routine informational messages |
| 7 | Debug | Verbose diagnostic output |
Facility Codes
Facility codes indicate the source subsystem (0-23). Cisco ASA uses local4 (code 20) by default, but this is configurable on the device.
PRI Value
The PRI header encodes both facility and severity:
PRI = (Facility x 8) + Severity
Example: local4 (20) + Informational (6) -> (20 x 8) + 6 = 166, shown as <166> in the log header. This is the most common PRI value seen in ASA logs.
RFC 3164 Format (Traditional)
TIMESTAMP HOSTNAME TAG: MESSAGE
Example:
<166>Jan 15 10:22:01 fw01 : %ASA-6-302013: Built outbound TCP connection...
RFC 5424 Format (ASA 9.10+)
Enabled via "logging timestamp rfc5424". Uses ISO 8601 UTC timestamps:
VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
Example:
<166>1 2018-06-27T12:17:46Z asa - - - %ASA-6-110002: Failed to locate egress interface...
Part 2: Cisco ASA Log Format
Core Message Structure
Every ASA event message follows this pattern, regardless of syslog envelope:
%ASA-severity-message_id: message_text
| Field | Description |
|---|---|
| %ASA | Fixed literal prefix on all ASA messages |
| severity | Single digit 0-7 matching the syslog severity levels above |
| message_id | 6-digit numeric ID uniquely identifying the event type |
| message_text | Human-readable description with variable substitutions |
Full Log Line with Syslog Envelope
TIMESTAMP HOSTNAME : %ASA-severity-message_id: message_text
Real example (RFC 3164):
<166>Jan 15 10:22:01 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.1/443 (203.0.113.1/443) to inside:192.168.1.100/54321 (192.168.1.100/54321)
Real example (RFC 5424):
<166>1 2024-01-15T10:22:01Z fw01 - - - %ASA-6-302013: Built outbound TCP connection...
Message ID Numbering and Categories
The 6-digit message ID encodes the functional category in its first 3 digits:
| Range | Category |
|---|---|
| 1xxxxx | System, interfaces, failover, hardware |
| 2xxxxx | VPN failover, high availability |
| 3xxxxx | Firewall, connection tracking, NAT |
| 4xxxxx | Security, IPS, ACL, threat detection |
| 5xxxxx | User authentication, identity |
| 6xxxxx | VPN crypto, IPSec, SSL, remote access |
| 7xxxxx | Application inspection, protocol handling |
| 8xxxxx | Management, platform, clustering |
Common Variable Tokens
ASA message text uses descriptive named placeholders:
| Token | Meaning |
|---|---|
| interface_name | ASA interface (e.g., inside, outside) |
| src_ip/port | Source IP and port |
| dst_ip/port | Destination IP and port |
| protocol | IP protocol (TCP, UDP, ICMP, etc.) |
| conn_id | Unique connection tracking number |
| direction | inbound or outbound |
| reason | Cause of event (e.g., SYN Timeout, FIN) |
| username | Authenticated user identity |
| group | VPN tunnel group or policy name |
| access_list | Name of the ACL that matched |
| action | permit or deny |
Parsing Regex
Extract the core ASA fields from any log line (named groups follow the field table above):
%ASA-(?P<severity>\d)-(?P<id>\d{6}):\s+(?P<text>.+)
Full line including syslog envelope. The PRI is captured separately, the first timestamp alternative matches the RFC 3164 "Mon DD HH:MM:SS" form and the second the RFC 5424 ISO 8601 form, and the RFC 5424 version number and three "-" nil fields are accepted in place of the RFC 3164 " : " separator, so the same pattern matches both example lines above:
^(?:<(?P<pri>\d{1,3})>)?(?:1\s+)?(?P<timestamp>\S+\s+\S+\s+\S+|\S+T\S+Z)\s+(?P<hostname>\S+)\s+(?:-\s+-\s+-\s+|:\s+)%ASA-(?P<severity>\d)-(?P<id>\d{6}):\s+(?P<text>.+)$
Guidelines
- Always extract the message_id first -- it uniquely identifies the event type
- Check severity immediately: levels 1-3 indicate critical/error conditions requiring attention; 6-7 are routine
- Use the first 3 digits of the message_id to identify the functional area before looking up details
- ASA logs are interface-aware -- always note which interface (inside, outside, dmz) events occur on, as it provides essential network direction context
- Watch for paired messages: ASA often emits build/teardown pairs (e.g., 302013 "Built" + 302014 "Teardown") that together describe the full lifecycle of a connection
- For detailed per-message-ID definitions (message text templates, variable meanings, recommended actions), consult the reference files indexed below
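The PRI arithmetic from Part 1, the full-line regex and the guidelines above, combined into one small parser. This is an added example written for this page, not code from the skill or from Cisco. It decodes the PRI into facility and severity, accepts both the RFC 3164 and RFC 5424 envelopes shown above, maps the first digit of the message ID to the category table, flags severities 1-3 for attention, and pairs 302013 "Built" with 302014 "Teardown" by connection number. The sample log lines are constructed for the example: the 302014 teardown text and the 710003 ACL-deny line follow the published message formats but were not captured from a device, and the function, constant and dataclass names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Severity keywords from the severity table above, indexed by numeric level.
SEVERITY_KEYWORDS = ["Emergency", "Alert", "Critical", "Error",
                     "Warning", "Notice", "Informational", "Debug"]

# Functional category keyed by the first digit of the 6-digit message ID (range table above).
CATEGORY_BY_FIRST_DIGIT = {
    "1": "System, interfaces, failover, hardware",
    "2": "VPN failover, high availability",
    "3": "Firewall, connection tracking, NAT",
    "4": "Security, IPS, ACL, threat detection",
    "5": "User authentication, identity",
    "6": "VPN crypto, IPSec, SSL, remote access",
    "7": "Application inspection, protocol handling",
    "8": "Management, platform, clustering",
}

# Full-line pattern: optional <PRI>, optional RFC 5424 version "1", either timestamp form,
# hostname, then either the RFC 3164 " : " separator or the three RFC 5424 nil ("-") fields.
ASA_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?:1\s+)?"
    r"(?P<timestamp>\S+\s+\S+\s+\S+|\S+T\S+Z)\s+(?P<hostname>\S+)\s+(?:-\s+-\s+-\s+|:\s+)"
    r"%ASA-(?P<severity>\d)-(?P<id>\d{6}):\s+(?P<text>.+)$"
)

# Connection number inside 302013 (Built ...) / 302014 (Teardown ...) message text.
CONN_ID = re.compile(r"^(?:Built|Teardown)\b.*?\bconnection (\d+)\b")


@dataclass
class AsaEvent:
    facility: Optional[int]   # decoded from PRI; None when the line carries no <PRI>
    timestamp: str
    hostname: str
    severity: int             # taken from the %ASA-<severity>-<id> header
    severity_keyword: str
    message_id: str
    category: str
    text: str


def decode_pri(pri: int) -> tuple[int, int]:
    """Invert PRI = facility * 8 + severity; returns (facility, severity)."""
    return divmod(pri, 8)


def parse_asa_line(line: str) -> Optional[AsaEvent]:
    """Parse one RFC 3164 or RFC 5424 ASA syslog line; None if it is not an ASA message."""
    m = ASA_LINE.match(line.strip())
    if m is None:
        return None
    facility = decode_pri(int(m["pri"]))[0] if m["pri"] else None
    severity = int(m["severity"])
    return AsaEvent(
        facility=facility,
        timestamp=m["timestamp"],
        hostname=m["hostname"],
        severity=severity,
        severity_keyword=SEVERITY_KEYWORDS[severity],
        message_id=m["id"],
        category=CATEGORY_BY_FIRST_DIGIT.get(m["id"][0], "Unknown"),
        text=m["text"],
    )


def needs_attention(event: AsaEvent) -> bool:
    """Guideline above: severities 1-3 are critical/error conditions; 6-7 are routine."""
    return 1 <= event.severity <= 3


def pair_connections(events: list[AsaEvent]) -> dict[str, dict[str, Optional[AsaEvent]]]:
    """Match 302013 'Built' with 302014 'Teardown' by connection number.
    An entry whose teardown is None was still open at the end of the log."""
    lifecycle: dict[str, dict[str, Optional[AsaEvent]]] = {}
    for ev in events:
        if ev.message_id not in ("302013", "302014"):
            continue
        cm = CONN_ID.match(ev.text)
        if cm is None:
            continue
        entry = lifecycle.setdefault(cm.group(1), {"built": None, "teardown": None})
        entry["built" if ev.message_id == "302013" else "teardown"] = ev
    return lifecycle


# Constructed sample lines (not captured from a real device): an RFC 3164 build/teardown pair,
# an RFC 3164 severity-3 ACL deny, an RFC 5424 line, and a non-ASA line the parser must reject.
SAMPLE_LOG = """\
<166>Jan 15 10:22:01 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.1/443 (203.0.113.1/443) to inside:192.168.1.100/54321 (192.168.1.100/54321)
<163>Jan 15 10:22:03 fw01 : %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/55001 to outside:203.0.113.10/22
<166>Jan 15 10:22:06 fw01 : %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.1/443 to inside:192.168.1.100/54321 duration 0:00:05 bytes 4096 TCP FINs
<166>1 2024-01-15T10:22:07Z fw01 - - - %ASA-6-110002: Failed to locate egress interface for UDP from inside:192.168.1.50/5353 to 224.0.0.251/5353
Jan 15 10:22:08 fw01 sshd[1234]: Accepted publickey for admin
"""


def summarize(log_text: str) -> dict:
    """Apply the guidelines to a whole log: parse, flag, and pair connections."""
    events = [e for e in (parse_asa_line(line) for line in log_text.splitlines()) if e]
    return {
        "parsed": len(events),
        "attention": [e.message_id for e in events if needs_attention(e)],
        "connections": pair_connections(events),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for line in SAMPLE_LOG.splitlines():
        ev = parse_asa_line(line)
        if ev:
            print(f"{ev.severity_keyword:<13} {ev.message_id} [{ev.category}] {ev.text[:60]}")
    print("needs attention:", result["attention"])
    for cid, lc in result["connections"].items():
        print(cid, "torn down" if lc["teardown"] else "still open")
```

Run it as a script to print one line per ASA event. A line the regex rejects (the sshd line in the sample) yields None rather than an exception, so a mixed syslog feed can be reduced to ASA events without special casing; severity is taken from the %ASA header rather than from the PRI because a relay may rewrite the PRI but never the message body. A connection whose teardown is missing appears with teardown set to None, which is the "still open at end of log" case the build/teardown guideline refers to.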
Reference Files
Detailed documentation for each message ID is maintained in separate files organized by range, matching Cisco's official documentation structure:
| File | Message ID Range |
|---|---|
| references/Syslog Messages 101001 to 199027.md | 101001 - 199027 |
| references/Syslog Messages 201002 to 219002.md | 201002 - 219002 |
| references/Syslog Messages 302003 to 342008.md | 302003 - 342008 |
| references/Syslog Messages 400000 to 450002.md | 400000 - 450002 |
| references/Syslog Messages 500001 to 520025.md | 500001 - 520025 |
| references/Syslog Messages 602101 to 622102.md | 602101 - 622102 |
| references/Syslog Messages 701001 to 714011.md | 701001 - 714011 |
| references/Syslog Messages 715001 to 721019.md | 715001 - 721019 |
| references/Syslog Messages 722001 to 776020.md | 722001 - 776020 |
| references/Syslog Messages 776201 to 833333.md | 776201 - 833333 |
For severity levels, refer to references/Messages Listed by Severity Level.md
For overall information on Cisco ASA syslog messages, refer to references/About Cisco Secure Firewall ASA.md
Official Cisco source: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/asa-syslog.html