Mapping changes in Cisco ASA firewall parser
This document describes the changes made in the Cisco ASA default parser on 2022-09-28.
The Cisco ASA default parser update on 2022-09-28, contains the following changes:
- Uses the logs as defined in the official Cisco documentation.
- Uses the log version 9.16.
Because of these changes, the log formats of some events might be different. For example,
in Cisco ASA software version 9.16, event 713061 includes the source_address
and dest_address log fields. The Cisco ASA default parser
parses these fields. In other Cisco ASA software versions, event 713061 includes the
following log fields: local_proxy_addr, remote_proxy_addr, action, and src_tunnel_group.
The previous parser version, parses these alternate fields.
The following table lists the field mapping changes between the Cisco ASA default parser updated on 2022-09-28 and prior versions. The field names that appear in the following table are field names that appear in the default parser version 2022-09-28. If a corresponding field name is not available, the table lists the field name used in the previous version of the parser.
| Message IDs | Fields | Mapping in previous parser version | Mapping in default parser version 2022-09-28 |
|---|---|---|---|
| 106014 | src_fwuser | principal.user.userid | None |
| dst_fwuser | target.user.userid | None | |
| 106020 | bytes | network.sent_bytes | network.received_bytes |
| 106016 | protocol | network.ip_protocol | None |
| 106017 | protocol | network.ip_protocol | None |
| 106023 | src_fwuser | principal.user.userid | None |
| dst_fwuser | target.user.userid | None | |
| 106100 | src_fwuser | principal.user.userid | None |
| dst_fwuser | target.user.userid | None | |
| 106102 | src_fwuser | principal.user.userid | None |
| dst_fwuser | target.user.userid | None | |
| 111008 | src_fwuser | principal.user.userid | target.user.userid |
| 111009 | src_fwuser | principal.user.userid | target.user.userid |
| 113008 | action | security_result.action | None |
| 113005 | src_ip | target.ip | principal.ip |
| dst_ip | principal.ip | target.ip | |
| 113010 | src_ip | target.ip | principal.ip |
| 113022 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| 113039 | dst_ip | principal.ip | target.ip |
| 302013 | duration | network.session_duration | None |
| bytes | network.sent_bytes | None | |
| 302014 | duration | network.session_duration | None |
| bytes | network.sent_bytes | None | |
| 302015 | duration | network.session_duration | None |
| bytes | network.sent_bytes | None | |
| 302016 | duration | network.session_duration | None |
| bytes | network.sent_bytes | None | |
| metadata.event_type is set to "NETWORK_CONNECTION" | metadata.event_type is set to "GENERIC_EVENT" | ||
| 302023, 302024, 302025 | summary | security_result.action_details | security_result.summary |
| 303002 | action | security_result.action | None |
| filename | target.file.full_path | about.labels.key/value | |
| user_name | principal.user.userid | target.user.userid | |
| 304001 | idfw_user | principal.user.userid | about.labels.key/value |
| 313008 | protocol | network.ip_protocol | None |
| 313005 | action | security_result.action | None |
| 313009 | user | target.user.userid | about.labels.key/value |
| 400051 | metadata.event_type is set to "NETWORK_CONNECTION" | metadata.event_type is set to "GENERIC_EVENT" | |
| 401004 | action | security_result.action | None |
| src_ip | target.ip | principal.ip | |
| src_ip (An additional "src_ip" field that exists only in the default parser.) | principal.ip | None | |
| 410001 | action_details | security_result.action_details | None |
| bytes | network.sent_bytes | None | |
| 412001 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| 414001 | protocol | network.ip_protocol | None |
| src_file_full_path | target.file.full_path | src.file.full_path | |
| src_ip | target.ip | principal.ip | |
| metadata.event_type is set to "GENERIC_EVENT" | metadata.event_type is set to "STATUS_UPDATE" | ||
| 419002 | protocol | network.ip_protocol | None |
| metadata.event_type is set to "NETWORK_CONNECTION" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | ||
| 500004 | action | security_result.action | None |
| metadata.event_type is set to "NETWORK_CONNECTION" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | ||
| 602303, 602304 | action_details | security_result.action | security_result.action_details |
| 605004, 605005 | reason | security_result.summary | None |
| target_service | network.application_protocol | target.application | |
| dst_port | principal.port | None | |
| 607001 | protocol | network.ip_protocol | None |
| 611101, 611102 | reason | security_result.summary | None |
| 710002 | action | security_result.action | None |
| application_protocol | network.application_protocol | None | |
| 710003 | action | security_result.action | None |
| application_protocol | network.application_protocol | None | |
| 710005 | action | security_result.action | None |
| application_protocol | network.application_protocol | None | |
| 710006 | action | security_result.action | None |
| application_protocol | network.application_protocol | None | |
| 710007 | application_protocol | network.application_protocol | None |
| 713024 | src_ip | target.ip | principal.ip |
| dst_ip | principal.ip | target.ip | |
| 713025 | src_ip | target.ip | principal.ip |
| dst_ip | principal.ip | target.ip | |
| dst_tunnel_group | target.user.group_identifiers | None | |
| 713034 | dst_tunnel_group | target.user.group_identifiers | None |
| dst_ip | principal.ip | target.ip | |
| dst_ip (An additional "dst_ip" field that exists only in the default parser.) | target.ip | None | |
| 713035 | dst_ip1 | principal.ip | target.ip |
| metadata.event_type is set to "NETWORK_CONNECTION" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | ||
| 713041 | dst_tunnel_group | target.user.group_identifiers | None |
| src_ip | principal.ip | None | |
| 713049 | dst_ip | principal.ip | target.ip |
| metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | ||
| 713050 | src_tunnel_group | principal.user.group_identifiers | None |
| src_ip | principal.ip | None | |
| action | security_result.action | None | |
| reason | security_result.summary | None | |
| 713066 | src_tunnel_group | principal.user.group_identifiers | None |
| src_ip | principal.ip | None | |
| metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | ||
| 713061 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| local_proxy_addr | principal.ip | None | |
| remote_proxy_addr | target.ip | None | |
| action | security_result.action | None | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 713068 | src_tunnel_group | principal.user.group_identifiers | None |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | ||
| 713121 | src_ip | principal.ip | None |
| 713122 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| dst_ip | principal.ip | target.ip | |
| 713130 | dst_tunnel_group | target.user.group_identifiers | None |
| dst_fwuser | target.user.userid | None | |
| dst_ip | target.ip | None | |
| 713172 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 713184 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| dst_tunnel_group | target.user.group_identifiers | None | |
| dst_fwuser | target.user.userid | None | |
| src_ip | principal.ip | None | |
| 713187 | metadata.event_type is set to "NETWORK_CONNECTION" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| action | security_result.action | None | |
| 713202 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| dst_ip | principal.ip | target.ip | |
| 713221 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 713222 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 713224 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 713225 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| group_name | principal.user.group_identifiers | target.user.group_identifiers | |
| dst_ip | principal.ip | target.ip | |
| 713228 | |||
| group_name | principal.user.group_identifiers | target.user.group_identifiers | |
| user_name | principal.user.userid | target.user.userid | |
| dst_ip | principal.ip | target.ip | |
| 713235 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 713257 | metadata.event_type is set to "GENERIC_EVENT" | metadata.event_type is set to "STATUS_UPDATE" | |
| 713259 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| group_name | principal.user.group_identifiers | target.user.group_identifiers | |
| user_name | principal.user.userid | target.user.userid | |
| dst_ip | principal.ip | target.ip | |
| 713273 | src_tunnel_group | principal.user.group_identifiers | None |
| src_ip | principal.ip | None | |
| src_fwuser | principal.user.userid | None | |
| reason | security_result.summary | None | |
| 713236 | metadata.event_type is set to "GENERIC_EVENT" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 713903, 713904 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 713073, 713074, 713075, 713076 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| group_name | principal.user.group_identifiers | target.user.group_identifiers | |
| src_fwuser | principal.user.userid | None | |
| dst_ip | principal.ip | target.ip | |
| 713119 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| group_name | principal.user.group_identifiers | target.user.group_identifiers | |
| src_fwuser | principal.user.userid | None | |
| dst_ip | principal.ip | target.ip | |
| 713120 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| src_fwuser | principal.user.userid | None | |
| 746016 | hostname | dns.questions.name | None |
| 746016 | action | security_result.action | None |
| 746016 | metadata.event_type is set to "NETWORK_DNS" | metadata.event_type is set to "STATUS_UPDATE" | |
| 746016 | network.application_protocol is set to "DNS" | network.application_protocol not set | |
| 734003 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| 734001 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| 725013 | cipher_name | network.tls.cipher is set to "%{cipher}" | |
| 725007 | action | security_result.action | None |
| 725006 | action | security_result.action | None |
| protocol | network.ip_protocol | None | |
| 722055 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| reason | security_result.summary | None | |
| 722051 | reason | security_result.summary | None |
| 722041 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| 722037 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| 722036 | received_bytes | network.sent_bytes | network.received_bytes |
| metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | ||
| reason | security_result.summary | None | |
| 722034 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| protocol | network.ip_protocol | None | |
| 722033 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| protocol | network.ip_protocol | None | |
| 722032 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| protocol | network.ip_protocol | None | |
| 722030 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| received_bytes | network.sent_bytes | network.received_bytes | |
| 722031 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| received_bytes | network.sent_bytes | network.received_bytes | |
| 722029 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| reason | security_result.summary | None | |
| 722022 | reason | security_result.summary | None |
| 722023 | protocol | network.ip_protocol | None |
| 721018 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| dst_ip | principal.ip | target.ip | |
| user_name | principal.user.userid | target.user.userid | |
| 721016 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | |
| dst_ip | principal.ip | target.ip | |
| user_name | principal.user.userid | target.user.userid | |
| 717055 | metadata.event_type is set to "GENERIC_EVENT" | metadata.event_type is set to "STATUS_UPDATE" | |
| trustpoint_name | "event.idm.read_only_udm.network.tls.server.certificate.version" is set to "%{cert_id}" | about.labels | |
| serial_number | "event.idm.read_only_udm.network.tls.server.certificate.serial" is set to "%{serial_number}" | about.labels | |
| subject_name | "event.idm.read_only_udm.network.tls.server.certificate.subject" is set to "%{subject}" | about.labels | |
| issuer | "event.idm.read_only_udm.network.tls.server.certificate.issuer" is set to "%{issuer_name}" | about.labels | |
| 716059 | group_name | principal.user.group_identifiers | target.user.group_identifiers |
| user_name | principal.user.userid | target.user.userid | |
| dst_ip | principal.ip | target.ip | |
| metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | ||
| 716039 | action | security_result.action | None |
| reason | security_result.summary | None | |
| 716002 | action | security_result.action | None |
| reason | security_result.summary | None | |
| 713905 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 714011 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 715001 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 715065 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 715080 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 715076 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 715049 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 715048 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 715047 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 715038 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "GENERIC_EVENT" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| reason | security_result.summary | None | |
| 715075 | dst_ip | principal.ip | target.ip |
| group_name | principal.user.group_identifier | target.user.group_identifier | |
| 715036 | src_tunnel_group | principal.user.group_identifiers | None |
| src_ip | principal.ip | None | |
| 715028 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "GENERIC_EVENT" | |
| dst_ip | principal.ip | target.ip | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| 715027 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "GENERIC_EVENT" | |
| dst_ip | principal.ip | target.ip | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| 715009 | metadata.event_type is set to "NETWORK_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| 715027 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "GENERIC_EVENT" | |
| dst_ip | principal.ip | target.ip | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| 714004 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 714005 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 714006 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 714002 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| 714003 | metadata.event_type is set to "STATUS_UNCATEGORIZED" | metadata.event_type is set to "STATUS_UPDATE" | |
| src_tunnel_group | principal.user.group_identifiers | None | |
| src_ip | principal.ip | None | |
| Common | sysloghost |
If [cisco_message_number] in ["113022", "113023", "304006"] sysloghost" is set to "principal.hostname" If [cisco_message_number] in ["313001", "611101", "611102"] sysloghost is set to dst.ip If [cisco_message_number] in ["746014", "746015", "746016"] sysloghost is set to "src_ip" In all other cases, sysloghost is mapped to intermediary.hostname. |
If the log does not contain source IP/hostname and the syslog header contains IP/hostname then the syslog header IP/hostname is mapped with the intermediary.IP/hostname and principal.hostname. In all other cases, sysloghost is mapped only with intermediary.ip/hostname. |