Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Quick Start
```bash
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-cisco-asa/generator.yml \
  --id asa \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| 302013 | TCP Built | ~25% | connection |
| 302014 | TCP Teardown | ~24% | connection |
| 302015 | UDP Built | ~8% | connection |
| 302016 | UDP Teardown | ~8% | connection |
| 302020 | ICMP Built | ~2% | connection |
| 302021 | ICMP Teardown | ~2% | connection |
| 106100 | ACL Hit | ~13% | firewall |
| 106023 | ACL Deny | ~7% | firewall |
| 305011 | NAT Built | ~3% | nat |
| 305012 | NAT Teardown | ~3% | nat |
| 113xxx | Authentication | ~3% | auth |
| 722xxx | VPN | ~3% | vpn |
| 725xxx | SSL | ~2% | ssl |
| 199xxx | System | ~1% | system |
Realism Features
- Correlated connection pairs — built events push to shared state; teardown events consume with matching connection IDs
- NAT correlation — NAT built/teardown events use shared state for consistent address mapping
- VPN session tracking — connect events store sessions consumed by disconnect events
- ASA-specific message format — event.original contains the full syslog line matching real ASA output
- TCP teardown reasons — weighted distribution of FINs (50%), Reset-I (15%), Reset-O (10%), Idle Timeout (20%)
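The same correlation can be reproduced on the consuming side. What follows is an added example, not code from this content pack or the eventum project: a Python parser for the 302013/302014 (TCP) and 302015/302016 (UDP) connection messages and 106023 ACL denies, mapping them onto the ECS-style field names used in the Sample Output section, and pairing Built/Teardown events by connection ID the way the generator's shared state does. A Teardown without a prior Built is recorded as an orphan, which in a real pipeline points at a collection gap or lost state. The sample lines are constructed for the demo; the event.action values chosen for teardown (flow-expiration) and ACL deny (firewall-rule with outcome deny) are assumptions following Elastic's conventions and are not taken from this page.

```python
"""Parse Cisco ASA connection/ACL syslog messages into ECS-style fields and
pair Built/Teardown events by connection ID.  Added example; SAMPLE_LINES
are constructed for this demo, not captured from a device."""
import re
from typing import Optional

# Header emitted by every ASA message: %ASA-<severity>-<message_id>: <text>
HEADER_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<text>.*)$")

# 302013/302015 (Built) and 302014/302016 (Teardown).  An optional
# "(mapped-ip/port)" NAT annotation after either endpoint is tolerated;
# duration/bytes/reason appear only on Teardown.
CONN_RE = re.compile(
    r"^(?P<action>Built|Teardown)(?: (?P<direction>inbound|outbound))? (?P<proto>TCP|UDP) "
    r"connection (?P<conn_id>\d+) "
    r"for (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?: \([\d.]+/\d+\))? "
    r"to (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)(?: \([\d.]+/\d+\))?"
    r"(?: duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?)?$"
)
# 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" [...]
DENY_RE = re.compile(
    r"^Deny (?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group \"(?P<acl>[^\"]+)\""
)
FIVE_TUPLE = ("network.transport", "source.ip", "source.port", "destination.ip", "destination.port")


def duration_ns(hms: str) -> int:
    """Convert ASA's h:mm:ss duration into nanoseconds (the ECS event.duration unit)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 10**9


def parse_asa(line: str) -> Optional[dict]:
    """Return a flat dict of ECS-style fields for one line, or None if it is not an ASA message."""
    h = HEADER_RE.match(line)
    if not h:
        return None
    ev = {"event.code": h["msg_id"], "event.original": line, "log.syslog.severity.code": int(h["sev"])}
    m = CONN_RE.match(h["text"]) or DENY_RE.match(h["text"])
    if not m:
        return ev  # header fields only; message type not handled here
    ev.update({
        "network.transport": m["proto"].lower(),
        "cisco.asa.source_interface": m["src_if"], "source.ip": m["src_ip"], "source.port": int(m["src_port"]),
        "cisco.asa.destination_interface": m["dst_if"], "destination.ip": m["dst_ip"],
        "destination.port": int(m["dst_port"]),
    })
    if "conn_id" not in m.groupdict():
        # ACL deny: action/outcome values are assumed (Elastic-style), not taken from the page
        ev.update({"event.action": "firewall-rule", "event.outcome": "deny", "rule.name": m["acl"]})
        return ev
    built = m["action"] == "Built"
    ev.update({"event.action": "flow-creation" if built else "flow-expiration",  # teardown value assumed
               "event.outcome": "success", "cisco.asa.connection_id": m["conn_id"]})
    if m["direction"]:
        ev["network.direction"] = m["direction"]
    if m["bytes"] is not None:
        ev["network.bytes"] = int(m["bytes"])
        ev["event.duration"] = duration_ns(m["duration"])
    if m["reason"]:
        ev["event.reason"] = m["reason"]
    return ev


class ConnectionTracker:
    """Open flows keyed by connection ID, mirroring the generator's shared state."""

    def __init__(self):
        self.open: dict = {}
        self.orphans: list = []  # Teardown with no prior Built: collection gap or lost state

    def feed(self, ev: dict) -> Optional[dict]:
        """Return a completed flow record when a Teardown closes a known Built, else None."""
        cid = ev.get("cisco.asa.connection_id")
        if cid is None:
            return None
        if ev["event.action"] == "flow-creation":
            self.open[cid] = ev
            return None
        built = self.open.pop(cid, None)
        if built is None:
            self.orphans.append(ev)
            return None
        return {
            "connection_id": cid,
            "direction": built.get("network.direction"),
            "bytes": ev.get("network.bytes"),
            "duration_ns": ev.get("event.duration"),
            "reason": ev.get("event.reason"),
            # Built and Teardown must describe the same 5-tuple; a mismatch means a reused ID or mixed sources
            "tuple_consistent": all(built[k] == ev[k] for k in FIVE_TUPLE),
        }


SAMPLE_LINES = [  # constructed sample input, documentation-range addresses
    "%ASA-6-302013: Built outbound TCP connection 100042 for inside:10.1.1.30/52847 (198.51.100.1/52847) "
    "to outside:93.184.216.34/443 (93.184.216.34/443)",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.1.1.30/445 by access-group \"OUTSIDE_IN\" [0x0, 0x0]",
    "%ASA-6-302014: Teardown TCP connection 100042 for inside:10.1.1.30/52847 to outside:93.184.216.34/443 "
    "duration 0:00:12 bytes 5421 TCP FINs",
    "%ASA-6-302016: Teardown UDP connection 100099 for inside:10.1.1.31/5353 to outside:203.0.113.53/53 "
    "duration 0:02:01 bytes 240",
]


def run_sample(lines=SAMPLE_LINES) -> dict:
    """Parse and correlate lines; return completed flows, orphan teardowns and ACL denies."""
    tracker, flows, denies = ConnectionTracker(), [], []
    for line in lines:
        ev = parse_asa(line)
        if ev is None:
            continue
        if ev.get("event.action") == "firewall-rule":
            denies.append(ev)
        flow = tracker.feed(ev)
        if flow:
            flows.append(flow)
    return {"flows": flows, "orphans": tracker.orphans, "denies": denies}


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

Running the module prints one completed flow for connection 100042 (5421 bytes, 12 s, reason "TCP FINs"), one orphan teardown for 100099, and one ACL deny against OUTSIDE_IN. Lines for message IDs not covered by the two patterns still return the header fields, so nothing is silently dropped.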
Sample Output
```json
{
  "@timestamp": "2026-02-21T14:30:15.000000+00:00",
  "cisco": {
    "asa": {
      "connection_id": "100042",
      "destination_interface": "outside",
      "message_id": "302013",
      "source_interface": "inside"
    }
  },
  "event": {
    "action": "flow-creation",
    "category": ["network"],
    "code": "302013",
    "original": "%ASA-6-302013: Built outbound TCP connection 100042 for inside:10.1.1.30/52847 to outside:93.184.216.34/443",
    "outcome": "success"
  },
  "network": {
    "direction": "outbound",
    "transport": "tcp"
  },
  "observer": {
    "hostname": "ASA-FW-01",
    "product": "asa",
    "type": "firewall",
    "vendor": "Cisco"
  }
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | ASA-FW-01 | ASA device hostname |
| domain | example.com | Domain name |
| nat_ip | 198.51.100.1 | Public NAT IP for outbound connections |
| agent_id | a3b7e2c1-... | Elastic Agent ID |
| agent_version | 8.17.0 | Elastic Agent version |
Related Generators
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.
Network DNS Traffic
Passive DNS transaction logs — query/response pairs for A, AAAA, CNAME, MX, TXT, PTR, SRV, SOA, NS, and DNSKEY records. Mixed internal/external resolvers with NXDOMAIN, SERVFAIL, and REFUSED errors.