Cisco ASA 5585-X with No Payload Encryption

Cisco Systems, Inc.
www.cisco.com
 
Cisco ASA NetFlow Implementation Guide
This guide describes how to configure NetFlow Secure Event Logging (NSEL), how to handle events 
and syslog messages through NSEL, and how to use NetFlow collectors.
About NSEL
The Cisco ASA supports NetFlow Version 9 services. The ASA and ASASM implementations of NSEL 
provide a stateful, IP flow tracking method that exports only those records that indicate significant events 
in a flow. In stateful flow tracking, tracked flows go through a series of state changes. NSEL events are 
used to export data about flow status and are triggered by the event that caused the state change. 
The significant events that are tracked include flow-create, flow-teardown, flow-denied (excluding those 
flows that are denied by EtherType ACLs), and flow-update. The ASA implementation of NSEL 
generates periodic NSEL events, called flow-update events, to provide periodic byte counters over the 
duration of the flow. These events are usually time-driven, which makes them more in line with 
traditional NetFlow; however, they may also be triggered by state changes in the flow. 
Note: The flow-update event is not available in Version 9.0(1). It is available in Versions 8.4(5), and 
9.1(2) and later.
The ASA also exports syslog messages that include the same information. Generating both NSEL records 
and syslog messages that represent the same event can degrade performance, so you can disable these 
syslog messages to avoid that overhead. 
Each NSEL record has an event ID and an extended event ID field, which describes the flow event.
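
To show how a collector reads the event ID out of an NSEL record, the following added example (not code from this guide or from Cisco) parses a NetFlow Version 9 export packet and labels each record with one of the four event types named above. The function names, the `SAMPLE` packet, and its addresses are constructed for illustration; the field type numbers and event ID values are assumed from Cisco's NSEL field numbering, which this page does not list.

```python
import socket
import struct

# Field IDs 233/33002 and the event ID values are Cisco's NSEL numbering (assumed).
FIELDS = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port",
          4: "protocol", 233: "fw_event", 33002: "fw_ext_event"}
FW_EVENT = {1: "flow-create", 2: "flow-teardown", 3: "flow-denied", 5: "flow-update"}
SAMPLE = bytes.fromhex(  # constructed packet: template 256 plus two records
    "0009 0003 00000000 00000000 00000001 00000000"
    "0000 0024 0100 0007 0008 0004 000c 0004 0007 0002"
    "000b 0002 0004 0001 00e9 0001 80ea 0002"
    "0100 0024 0a000005 c000020a c738 01bb 06 01 0000"   # flow-create
    "0a000005 c0000214 c739 0017 06 03 03e9")            # flow-denied

def parse_export(packet, templates):
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 export packet")
    records, off = [], 20                      # fixed 20-byte packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                         # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * n > len(body):
                    break                      # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                  for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id in templates:               # data flowset, template known
            records += decode_records(body, templates[fs_id])
        off += fs_len
    return records

def decode_records(body, template):
    size = sum(length for _, length in template)
    for start in (range(0, len(body) - size + 1, size) if size else ()):
        rec, pos = {}, start
        for ftype, length in template:
            raw, pos = body[pos:pos + length], pos + length
            if ftype in (8, 12) and length == 4:
                rec[FIELDS[ftype]] = socket.inet_ntoa(raw)
            elif ftype in FIELDS:
                rec[FIELDS[ftype]] = int.from_bytes(raw, "big")
        rec["event"] = FW_EVENT.get(rec.get("fw_event"), "other")
        yield rec
```

Because Version 9 records can only be decoded with their template, pass the same `templates` dictionary to every call for a given exporter; data flowsets that arrive before their template are skipped.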