<span class="pill kill-chain">Cisco_ASA_action</span>
<span class="pill kill-chain">Cisco_ASA_message_id</span>
<span class="pill kill-chain">Cisco_ASA_user</span>
<span class="pill kill-chain">Cisco_ASA_vendor_action</span>
<span class="pill kill-chain">IP</span>
<span class="pill kill-chain">Username</span>
<span class="pill kill-chain">_bkt</span>
<span class="pill kill-chain">_cd</span>
<span class="pill kill-chain">_eventtype_color</span>
<span class="pill kill-chain">_indextime</span>
<span class="pill kill-chain">_raw</span>
<span class="pill kill-chain">_serial</span>
<span class="pill kill-chain">_si</span>
<span class="pill kill-chain">_sourcetype</span>
<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">acl</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">assigned_ip</span>
<span class="pill kill-chain">bytes</span>
<span class="pill kill-chain">category</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">communication_protocol</span>
<span class="pill kill-chain">connections_in_use</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_host</span>
<span class="pill kill-chain">dest_interface</span>
<span class="pill kill-chain">dest_ip</span>
<span class="pill kill-chain">dest_nt_domain</span>
<span class="pill kill-chain">dest_port</span>
<span class="pill kill-chain">dest_public_port</span>
<span class="pill kill-chain">dest_translated_host</span>
<span class="pill kill-chain">dest_translated_ip</span>
<span class="pill kill-chain">dest_translated_port</span>
<span class="pill kill-chain">dest_user</span>
<span class="pill kill-chain">dest_zone</span>
<span class="pill kill-chain">direction</span>
<span class="pill kill-chain">duration</span>
<span class="pill kill-chain">duration_day</span>
<span class="pill kill-chain">duration_hour</span>
<span class="pill kill-chain">duration_minute</span>
<span class="pill kill-chain">duration_second</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">group</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">ids_type</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">laction</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">most_used_connections</span>
<span class="pill kill-chain">object</span>
<span class="pill kill-chain">object_attrs</span>
<span class="pill kill-chain">object_category</span>
<span class="pill kill-chain">object_id</span>
<span class="pill kill-chain">product</span>
<span class="pill kill-chain">protocol</span>
<span class="pill kill-chain">protocol_version</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">reason</span>
<span class="pill kill-chain">result</span>
<span class="pill kill-chain">rule</span>
<span class="pill kill-chain">rule_name</span>
<span class="pill kill-chain">session_id</span>
<span class="pill kill-chain">severity</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_host</span>
<span class="pill kill-chain">src_interface</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">src_nt_domain</span>
<span class="pill kill-chain">src_port</span>
<span class="pill kill-chain">src_public_port</span>
<span class="pill kill-chain">src_translated_host</span>
<span class="pill kill-chain">src_translated_ip</span>
<span class="pill kill-chain">src_translated_port</span>
<span class="pill kill-chain">src_user</span>
<span class="pill kill-chain">src_zone</span>
<span class="pill kill-chain">ssl_is_valid</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::app</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">tag::object_category</span>
<span class="pill kill-chain">teardown_initiator</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">transport</span>
<span class="pill kill-chain">type</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">vendor</span>
<span class="pill kill-chain">vendor_action</span>
<span class="pill kill-chain">vendor_product</span>
<span class="pill kill-chain">vendor_severity</span>
<span class="pill kill-chain">zone</span>
</div>
Data Source: Cisco ASA Logs
Description
Data source object for Cisco ASA system logs. Cisco ASA logs provide firewall operational and security telemetry (connection events, ACL denies, VPN events, NAT translations, and device health). Deploy the Splunk Add-on for Cisco ASA (TA-cisco_asa) on indexers/heavy forwarders and the Cisco ASA App on search heads for best parsing, CIM mapping, and dashboards. This data is ingested via SYSLOG: you must be ingesting Cisco ASA syslog data into your Splunk environment. To ensure all detections work, configure your ASA and FTD devices to generate and forward both debug-level and informational-level syslog messages before they are sent to Splunk. A few analytics are designed to be used with comprehensive logging enabled, as they rely on the presence of specific message IDs. You can find specific instructions on how to set this up here: https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880.
Details
| Property | Value |
|---|---|
| Source | cisco:asa |
| Sourcetype | cisco:asa |
Supported Apps
- Cisco Security Cloud (version 3.4.1)
Event Fields
Example Log
Sep 23 19:27:50 18.144.133.67 :2025-09-23T19:27:49Z: %ASA-session-7-609002: Teardown local-host management:54.245.234.201 duration 0:02:01
Sep 23 18:07:00 18.144.133.67 :2025-09-23T18:07:00Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55508 to management:172.31.12.229/443
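The example log above uses the `%ASA-<class>-<level>-<message_id>` tag, and the description requires that level 6 (informational) and level 7 (debugging) messages reach Splunk because some detections key on specific message IDs. The following added example (not part of the Splunk Security Content project or the Cisco add-on) parses events in that layout and checks a sample for that prerequisite; the sample lines, the RFC 5737 addresses in them, and the `required` message-ID set passed by the caller are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample in the same layout as the page's Example Log (syslog header, device IP,
# ISO timestamp, then the %ASA tag). IPs are documentation addresses, not the page's values.
SAMPLE_LOG = """\
Sep 23 19:27:50 192.0.2.10 :2025-09-23T19:27:49Z: %ASA-session-7-609002: Teardown local-host management:203.0.113.5 duration 0:02:01
Sep 23 18:07:00 192.0.2.10 :2025-09-23T18:07:00Z: %ASA-session-7-710005: TCP request discarded from 198.51.100.7/55508 to management:10.0.0.229/443
Sep 23 18:07:02 192.0.2.10 :2025-09-23T18:07:02Z: %ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/55508 to inside:10.0.0.229/443 duration 0:00:01 bytes 512 TCP FINs
"""

# Syslog header, device address, ISO timestamp, then the ASA tag. The message class
# (e.g. "session") is optional: plain tags look like %ASA-6-302014.
EVENT = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<dvc>\S+) :(?P<iso_ts>\S+?): "
    r"%ASA-(?:(?P<cls>[a-z]+)-)?(?P<level>[0-7])-(?P<msgid>\d{6}): ?(?P<body>.*)$"
)

def parse_asa_event(line: str) -> Optional[dict]:
    """Return the header, class, numeric severity level, message ID and body, or None if the line is not in this layout."""
    m = EVENT.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["level"] = int(event["level"])
    return event

def logging_coverage(lines) -> dict:
    """Summarise which severity levels and message IDs a sample of forwarded events actually contains."""
    levels, msgids, unparsed = set(), set(), 0
    for line in lines:
        event = parse_asa_event(line)
        if event is None:
            unparsed += 1          # not an ASA event in this layout; counted, not silently dropped
            continue
        levels.add(event["level"])
        msgids.add(event["msgid"])
    return {
        "max_level_seen": max(levels) if levels else None,
        "informational_forwarded": 6 in levels,   # level 6 present
        "debug_level_forwarded": 7 in levels,     # level 7 present, as the page requires
        "message_ids": sorted(msgids),
        "unparsed": unparsed,
    }

def missing_message_ids(lines, required) -> list:
    """Message IDs a detection depends on (caller-supplied) that never appeared in the sample."""
    return sorted(set(required) - set(logging_coverage(lines)["message_ids"]))
```

Run `logging_coverage` over a recent slice of `sourcetype=cisco:asa` events exported from Splunk; if `debug_level_forwarded` is false, the device is trapping at a lower level than the detections need.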
Source: GitHub | Version: 1