1 Reply Latest reply on Nov 15, 2013 3:06 PM by rth67

    ASA Firewall Logs Events (modify, change..etc) for SIEM

    blackinux

      Hi,

       

      Looking for a list of event IDs for the ASA Firewall, so I can create alarms and reports in the SIEM. Thanks.

        • 1. Re: ASA Firewall Logs Events (modify, change..etc) for SIEM
          rth67

          You can start with this:

          http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html

           

          The Cisco ASA has a Device Type ID of 278 in the McAfee SIEM, so when looking at events, the SigIDs you would use would be 278-113005, for example.

           

          From the Cisco document linked to above -

          113005

          Error Message
          %ASA-6-113005: AAA user authentication Rejected: reason = string:
          server = server_IP_address, User = user

          Explanation
          An authentication or authorization request for a user associated with an IPsec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. The server_IP_address is the IP address of the relevant AAA server. The user is the username associated with the connection. The aaa_operation is either authentication or authorization.

           

          Message was edited by: rth67 on 11/15/13 3:06:51 PM CST
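
An added example, not part of the original thread and not Cisco or McAfee code: Python that turns ASA syslog lines into the `<device type ID>-<message ID>` SigID form described in the reply and counts 113005 rejections per user as the basis for an alarm. The function names, the `threshold` value and the sample log lines are assumptions made for illustration; message 111008 appears only as a line that must not count as an authentication rejection.

```python
import re
from collections import Counter

# Device Type ID for Cisco ASA in McAfee SIEM, as stated in the reply above.
ASA_DEVICE_TYPE_ID = 278

# Syslog tag: %ASA-<severity>-<6-digit message ID>: <text>
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Fields of message 113005. Separators vary between ASA releases (assumption),
# so accept ':' or ',' between fields and any letter case for "user".
MSG_113005 = re.compile(
    r"reason\s*=\s*(?P<reason>.+?)\s*[:,]\s*server\s*=\s*(?P<server>\S+?)"
    r"\s*[:,]\s*user\s*=\s*(?P<user>\S+)", re.IGNORECASE)

def parse_asa(line):
    """Return severity, message ID and SigID for an ASA line, else None."""
    m = ASA_TAG.search(line)
    if not m:
        return None
    event = {"severity": int(m["sev"]), "msgid": m["msgid"],
             "sigid": f"{ASA_DEVICE_TYPE_ID}-{m['msgid']}"}
    if m["msgid"] == "113005":
        fields = MSG_113005.search(m["text"])
        if fields:
            event.update(fields.groupdict())
    return event

def rejected_auth_by_user(lines, threshold=3):
    """Users with at least `threshold` 113005 rejections in this batch."""
    events = (parse_asa(l) for l in lines)
    counts = Counter(e["user"] for e in events
                     if e and e["msgid"] == "113005" and "user" in e)
    return {u: n for u, n in counts.items() if n >= threshold}

# Constructed sample lines (hosts, users and addresses are made up).
REJ = "AAA user authentication Rejected"
SAMPLE = [
    f"fw1 : %ASA-6-113005: {REJ}: reason = Invalid password: server = 10.0.0.5, User = alice",
    f"fw1 : %ASA-6-113005: {REJ} : reason = AAA failure : server = 10.0.0.5 : user = alice",
    f"fw1 : %ASA-6-113005: {REJ}: reason = Invalid password: server = 10.0.0.5, User = alice",
    f"fw1 : %ASA-6-113005: {REJ}: reason = Invalid password: server = 10.0.0.5, User = bob",
    "fw1 : %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_asa(line))
    print("alarm:", rejected_auth_by_user(SAMPLE))
```
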