CHAPT ER
78-1
Cisco ASA 5500 Series Configuration Guide using the CLI
78
Configuring NetFlow Secure Event Logging (NSEL)
This chapter describes how to configure NSEL, a security logging mechanism that is built on NetFlow
Version 9 technology, and how to handle events and syslog messages through NSEL.
This chapter includes the following sections:
Information About NSEL, page78-1
Licensing Requirements for NSEL, page78-3
Prerequisites for NSEL, page 78-3
Guidelines and Limitations, page78-4
Configuring NSEL, page78-4
Monitoring NSEL, page 78-10
Configuration Examples for NSEL, page78-12
Where to Go Next, page78-13
Additional References, page78-13
Feature History for NSEL, page 78-14

Information About NSEL

The ASA and ASASM support NetFlow Version 9 services. For more information about NetFlow
services, see the “RFCs” section on page 78-14.
The ASA and ASASM implementations of NSEL provide a stateful, IP flow tracking method that exports
records that indicate significant events in a flow. In stateful flow tracking, tracked flows go through a
series of state changes. NSEL events are used to export data about flow status and are triggered by the
event that caused the state change.
The significant events that are tracked include flow-create, flow-teardown, flow-denied (excluding those
flows that are denied by EtherType ACLs), and flow-update. In addition, the ASA and ASASM
implementation of NSEL generates periodic NSEL events and flow-update events to provide periodic
byte counters over the duration of the flow. These events are usually time-driven, which makes them
more in line with traditional Netflow; however, these events may also be triggered by state changes in
the flow.
Each NSEL record has an event ID and an extended event ID field, which describes the flow event.
The ASA and ASASM implementations of NSEL provide the following major functions: