ClawHub

cisco-asa-syslog

v1.0.0

Parse, interpret, and analyze Cisco ASA (Adaptive Security Appliance) firewall syslog messages. Use this skill whenever working with Cisco ASA log files, sys...

0· 296·0 current·0 all-time
byGang Tao@gangtao
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match contents: the SKILL.md and large reference docs are focused on ASA syslog format, message IDs, severity, and parsing guidance. Nothing requested (env vars, binaries, installs) is out of scope.
Instruction Scope
Runtime instructions provide parsing rules, regexes, severity handling, and interpretation guidance. The instructions do not direct reading unrelated system files, exfiltrating data, contacting external endpoints, or accessing secrets.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk/write/execute risk and matches the declared metadata.
Credentials
The skill requires no environment variables, credentials, or config paths. That is proportionate for a log-parsing guidance skill.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not request elevated or persistent system presence or modify other skills/configuration.
Assessment
This skill appears to only provide offline guidance and reference material for parsing Cisco ASA syslog messages and does not request credentials or install code. Before using it on sensitive logs, consider that any logs you paste into the agent may contain IPs, usernames, or other sensitive data; avoid pasting credentials or full packet captures. If you plan to integrate this guidance into automation that processes live logs, verify that automation does not send logs to third-party endpoints and that the agent's environment enforces data handling policies.

Like a lobster shell, security has layers — review code before you run it.

latestvk977368zzf9z44v77hr2em2195828v1e
296downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Gang Tao@gangtao
latest
Download

Cisco ASA Syslog Analysis

This skill teaches you how to read, parse, and interpret log messages generated by Cisco ASA firewalls. All ASA logs are delivered via the syslog protocol, so understanding syslog is foundational before working with ASA-specific content.

Part 1: Syslog Protocol Foundation

All Cisco ASA log messages are transported and formatted using the syslog standard (RFC 3164 / RFC 5424). You must understand syslog before interpreting ASA messages.

Severity Levels

Every syslog message carries a numeric severity (0 = most critical, 7 = least critical):

LevelKeywordMeaning
0EmergencySystem is unusable
1AlertImmediate action required
2CriticalCritical conditions
3ErrorError conditions
4WarningWarning conditions
5NoticeNormal but significant events
6InformationalRoutine informational messages
7DebugVerbose diagnostic output

Facility Codes

Facility codes indicate the source subsystem (0-23). Cisco ASA uses local4 (code 20) by default, but this is configurable on the device.

PRI Value

The PRI header encodes both facility and severity:

PRI = (Facility x 8) + Severity

Example: local4 (20) + Informational (6) -> (20 x 8) + 6 = 166, shown as <166> in the log header. This is the most common PRI value seen in ASA logs.

RFC 3164 Format (Traditional)

<PRI>TIMESTAMP HOSTNAME TAG: MESSAGE

Example: <166>Jan 15 10:22:01 fw01 : %ASA-6-302013: Built outbound TCP connection...

RFC 5424 Format (ASA 9.10+)

Enabled via "logging timestamp rfc5424". Uses ISO 8601 UTC timestamps:

<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG

Example: <166>1 2018-06-27T12:17:46Z asa - - - %ASA-6-110002: Failed to locate egress interface...

Part 2: Cisco ASA Log Format

Core Message Structure

Every ASA event message follows this pattern, regardless of syslog envelope:

%ASA-severity-message_id: message_text

FieldDescription
%ASAFixed literal prefix on all ASA messages
severitySingle digit 0-7 matching syslog severity levels above
message_id6-digit numeric ID uniquely identifying the event type
message_textHuman-readable description with variable substitutions

Full Log Line with Syslog Envelope

<PRI> TIMESTAMP HOSTNAME : %ASA-severity-message_id: message_text

Real example (RFC 3164): <166>Jan 15 10:22:01 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.1/443 (203.0.113.1/443) to inside:192.168.1.100/54321 (192.168.1.100/54321)

Real example (RFC 5424): <166>1 2024-01-15T10:22:01Z fw01 - - - %ASA-6-302013: Built outbound TCP connection...

Message ID Numbering and Categories

The 6-digit message ID encodes the functional category in its first 3 digits:

RangeCategory
1xxxxxSystem, interfaces, failover, hardware
2xxxxxVPN failover, high availability
3xxxxxFirewall, connection tracking, NAT
4xxxxxSecurity, IPS, ACL, threat detection
5xxxxxUser authentication, identity
6xxxxxVPN crypto, IPSec, SSL, remote access
7xxxxxApplication inspection, protocol handling
8xxxxxManagement, platform, clustering

Common Variable Tokens

ASA message text uses descriptive named placeholders:

TokenMeaning
interface_nameASA interface (e.g., inside, outside)
src_ip/portSource IP and port
dst_ip/portDestination IP and port
protocolIP protocol (TCP, UDP, ICMP, etc.)
conn_idUnique connection tracking number
directioninbound or outbound
reasonCause of event (e.g., SYN Timeout, FIN)
usernameAuthenticated user identity
groupVPN tunnel group or policy name
access_listName of the ACL that matched
actionpermit or deny

Parsing Regex

Extract the core ASA fields from any log line:

%ASA-(?P<severity>\d)-(?P<message_id>\d{6}):\s+(?P<message_text>.+)

Full line including syslog envelope:

^(?P<timestamp>\S+\s+\S+\s+\S+|\S+T\S+Z)\s+(?P<hostname>\S+)\s+:\s+%ASA-(?P<severity>\d)-(?P<message_id>\d{6}):\s+(?P<message_text>.+)$

Guidelines

  • Always extract the message_id first -- it uniquely identifies the event type
  • Check severity immediately: levels 1-3 indicate critical/error conditions requiring attention; 6-7 are routine
  • Use the first 3 digits of the message_id to identify the functional area before looking up details
  • ASA logs are interface-aware -- always note which interface (inside, outside, dmz) events occur on, as it provides essential network direction context
  • Watch for paired messages: ASA often emits build/teardown pairs (e.g., 302013 "Built" + 302014 "Teardown") that together describe the full lifecycle of a connection
  • For detailed per-message-ID definitions (message text templates, variable meanings, recommended actions), consult the reference files indexed below

Reference Files

Detailed documentation for each message ID is maintained in separate files organized by range, matching Cisco's official documentation structure:

FileMessage ID Range
references/Syslog Messages 101001 to 199027.md101001 - 199027
references/Syslog Messages 201002 to 219002.md201002 - 219002
references/Syslog Messages 302003 to 342008.md302003 - 342008
references/Syslog Messages 400000 to 450002.md400000 - 450002
references/Syslog Messages 500001 to 520025.md500001 - 520025
references/Syslog Messages 602101 to 622102.md602101 - 622102
references/Syslog Messages 701001 to 714011.md701001 - 714011
references/Syslog Messages 715001 to 721019.md715001 - 721019
references/Syslog Messages 722001 to 776020.md722001 - 776020
references/Syslog Messages 776201 to 833333.md776201 - 833333

For serverity levels, refer to references/Messages Listed by Severity Level.md

For overall information of Cisco ASA syslog messages, refer to references/About Cisco Secure Firewall ASA.md

Official Cisco source: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/asa-syslog.html

Comments

Loading comments...