72-2
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 72 Configuring NetFlow Secure Event Logging (NSEL)
Information About NSEL
• Tracks configured NSEL collectors and delivers templates and data records to these configured
NSEL collectors through NetFlow over UDP only.
• Sends template information periodically to NSEL collectors. Collectors receive template
definitions, normally before receiving flow records.
• Filters NSEL events based on the traffic and event type through Modular Policy Framework, and
then sends records to different collectors. Traffic is matched based on the order in which classes are
configured. After a match is found, no other classes are checked. The supported event types are
flow-create, flow-denied, flow-teardown, and all. Records can be sent to different collectors. For
example, with two collectors, you can do the following:
–
Log all flow-denied events that match access-list 1 to collector 1.
–
Log all flow-create events to collector 1.
–
Log all flow-teardown events to collector 2.
• Delays the export of flow-create events.
Using NSEL and Syslog Messages
Table 72-1 lists the syslog messages that have an equivalent NSEL event, event ID, and extended event
ID. The extended event ID provides more detail about the event (for example, which ACL—ingress or
egress—has denied a flow).
Note Enabling NetFlow to export flow information makes the syslog messages that are listed in Table 72-1
redundant. In the interest of performance, we recommend that you disable redundant syslog messages,
because the same information is exported through NetFlow.
Table 72-1 Syslog Messages and Equivalent NSEL Events
Syslog Message Description NSEL Event ID NSEL Extended Event ID
106100 Generated whenever an ACL is
encountered.
1—Flow was created (if the
ACL allowed the flow).
3—Flow was denied (if the
ACL denied the flow).
0—If the ACL allowed the flow.
1001—Flow was denied by the
ingress ACL.
1002—Flow was denied by the
egress ACL.
106015 A TCP flow was denied because
the first packet was not a SYN
packet.
3—Flow was denied. 1004—Flow was denied because
the first packet was not a TCP
SYN packet.
106023 When a flow was denied by an
ACL attached to an interface
through the access-group
command.
3—Flow was denied. 1001—Flow was denied by the
ingress ACL.
1002—Flow was denied by the
egress ACL.
302013, 302015,
302017, 302020
TCP, UDP, GRE, and ICMP
connection creation.
1—Flow was created. 0—Ignore.
302014, 302016,
302018, 302021
TCP, UDP, GRE, and ICMP
connection teardown.
2—Flow was deleted. 0—Ignore.
> 2000—Flow was torn down.
To Next Page
Loading...
Need help?
General
