Cisco ASA 5585-X with No Payload Encryption
Cisco ASA NetFlow Implementation Guide
About NSEL
Syslog Messages and NSEL Events
Table 1 lists the syslog messages that have an equivalent NSEL event, event ID, and extended event ID.
The extended event ID provides more detail about the event (for example, which ACL—ingress or
egress—has denied a flow).
Note
Enabling NetFlow to export flow information makes the syslog messages that are listed in Table 1
redundant. For better performance, we recommend that you disable redundant syslog messages, because
the same information is exported through NetFlow. You can enable or disable individual syslog messages
by following the procedure in
Note
When NSEL and syslog messages are both enabled, there is no guarantee of chronological ordering
between the two logging types.
Table 1. Syslog Messages and Equivalent NSEL Events

| Syslog Message | Description | NSEL Event ID | NSEL Extended Event ID |
|---|---|---|---|
| 106100 | Generated whenever an ACL is encountered. | 1—Flow was created (if the ACL allowed the flow). 3—Flow was denied (if the ACL denied the flow). | 0—If the ACL allowed the flow. 1001—Flow was denied by the ingress ACL. 1002—Flow was denied by the egress ACL. |
| 106015 | A TCP flow was denied because the first packet was not a SYN packet. | 3—Flow was denied. | 1004—Flow was denied because the first packet was not a TCP SYN packet. |
| 106023 | When a flow was denied by an ACL attached to an interface through the access-group command. | 3—Flow was denied. | 1001—Flow was denied by the ingress ACL. 1002—Flow was denied by the egress ACL. |
| 302013, 302015, 302017, 302020 | TCP, UDP, GRE, and ICMP connection creation. | 1—Flow was created. | 0—Ignore. |
| 302014, 302016, 302018, 302021 | TCP, UDP, GRE, and ICMP connection teardown. | 2—Flow was deleted. | 0—Ignore. > 2000—Flow was torn down. |
| 313001 | An ICMP packet to the device was denied. | 3—Flow was denied. | 1003—To-the-box flow was denied because of configuration. |
| 313008 | An ICMP v6 packet to the device was denied. | 3—Flow was denied. | 1003—To-the-box flow was denied because of configuration. |
| 710003 | An attempt to connect to the device interface was denied. | 3—Flow was denied. | 1003—To-the-box flow was denied because of configuration. |
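One way a collector can use Table 1 to find syslog entries that duplicate NSEL records, as an added example that is not part of the Cisco guide. The record fields (`ts`, `msg_id`, `flow`, `event`, `ext`), the 5-second window, and the sample records are assumptions constructed for illustration; matching is by flow and time window because ordering between the two log types is not guaranteed.

```python
# Table 1 of this page: syslog ID -> list of (NSEL event ID, extended event IDs).
TABLE1 = {
    106100: [(1, {0}), (3, {1001, 1002})],
    106015: [(3, {1004})],
    106023: [(3, {1001, 1002})],
    **{m: [(1, {0})] for m in (302013, 302015, 302017, 302020)},
    **{m: [(2, {0})] for m in (302014, 302016, 302018, 302021)},
    **{m: [(3, {1003})] for m in (313001, 313008, 710003)},
}
TEARDOWN = {302014, 302016, 302018, 302021}  # also accept extended IDs > 2000

def nsel_matches(msg_id, event_id, ext_id):
    """True if (event_id, ext_id) is a pair Table 1 lists for this syslog ID."""
    if msg_id in TEARDOWN and event_id == 2 and ext_id > 2000:
        return True
    return any(event_id == e and ext_id in x for e, x in TABLE1.get(msg_id, []))

def redundant_syslogs(syslogs, nsel_records, window=5.0):
    """Return syslog entries that duplicate an NSEL record for the same flow.

    Pairs are matched on flow key within +/- window seconds, never on arrival
    order. Each NSEL record is consumed by at most one syslog entry.
    """
    unused = list(nsel_records)  # copy so the caller's list is not modified
    dupes = []
    for s in syslogs:
        for n in unused:
            if (n["flow"] == s["flow"] and abs(n["ts"] - s["ts"]) <= window
                    and nsel_matches(s["msg_id"], n["event"], n["ext"])):
                unused.remove(n)
                dupes.append(s)
                break
    return dupes

# Constructed sample data (hypothetical field names, not a Cisco export format).
FLOW_A = ("10.0.0.5", 51514, "192.0.2.10", 443, "tcp")
FLOW_B = ("10.0.0.9", 40000, "192.0.2.20", 22, "tcp")
SYSLOGS = [
    {"ts": 100.2, "msg_id": 302013, "flow": FLOW_A},  # TCP connection creation
    {"ts": 101.0, "msg_id": 106023, "flow": FLOW_B},  # denied by interface ACL
    {"ts": 160.4, "msg_id": 302014, "flow": FLOW_A},  # TCP connection teardown
    {"ts": 170.0, "msg_id": 111008, "flow": None},    # ID not listed in Table 1
]
NSEL = [  # deliberately not in the same order as the syslog entries
    {"ts": 100.9, "event": 3, "ext": 1001, "flow": FLOW_B},
    {"ts": 100.0, "event": 1, "ext": 0, "flow": FLOW_A},
    {"ts": 160.0, "event": 2, "ext": 2030, "flow": FLOW_A},
]
```

Syslog entries returned by `redundant_syslogs` are candidates for the message IDs the note recommends disabling; entries it does not return carry information NSEL did not export.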