69-33
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Integrating CS-MARS and Security Manager
Router messages
On Cisco IOS routers, syslog messages are also generated for access rules. The first packet that triggers
the access list causes an immediate logging message, and subsequent packets are collected over
five-minute intervals before they are displayed or logged. Each logging message includes the access list
number, whether the packet was permitted or denied, the source IP address of the packet, and the number
of packets from that source permitted or denied in the prior five-minute interval.
The following IOS syslog message IDs are supported for Security Manager-to-CS-MARS queries:

Message ID            Description
%SEC-6-IPACCESSLOGP   A packet matching the log criteria for the given access list was detected: TCP and UDP.
%SEC-6-IPACCESSLOGS   A packet matching the log criteria for the given access list was detected: IP address (standard access list; only the source address is logged).
%SEC-6-IPACCESSLOGDP  A packet matching the log criteria for the given access list was detected: ICMP.
%SEC-6-IPACCESSLOGNP  A packet matching the log criteria for the given access list was detected: all other IPv4 protocols.

Note If an excessive number of syslog messages are being generated and reported to CS-MARS, use the
Advanced and Edit Options Dialog Boxes, page 16-15, to change the logging level for those access rules
that are producing the largest number of messages. You can also consider changing the logging policies
on the device to limit the types of messages generated.
NetFlow Event Reporting in CS-MARS
Event reporting in CS-MARS can include NetFlow events from an ASA 8.1+ device.
NetFlow Security Event Logging uses NetFlow version 9 fields and templates to deliver security
telemetry efficiently in high-performance environments. It scales better than syslog messaging while
offering the same level of detail and granularity in logged events. The ASA NetFlow implementation
exports only significant events in the life of a flow, rather than exporting data about flows at regular
intervals. The following flow events are exported:
Flow creation
Flow teardown
Flows denied by an access rule
The ASA also exports syslog messages that contain the same information. If you enable NetFlow on a
device, consider disabling the equivalent syslog messages: generating and processing both a NetFlow
record and a syslog message for the same event can degrade performance. The following table lists syslog

Message ID  Description
302014      A TCP connection between two hosts was torn down.
302015      A UDP connection between two hosts was created.
302016      A UDP connection between two hosts was torn down.
302020      An ICMP connection between two hosts was created.
302021      An ICMP connection between two hosts was torn down.
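The following is an added example, not code from Security Manager, CS-MARS, or Cisco. It shows what an analyst does with the two message families this page lists before they reach CS-MARS: it parses the four IOS access-list log message IDs (summing the immediate and five-minute summary counts per access list and source, and flagging access lists that are producing the most denied-packet messages, as the Note above suggests) and recognizes the ASA connection messages 302014 through 302021 that duplicate NetFlow flow-create and flow-teardown events, producing the `no logging message <id>` lines you would apply once NetFlow export is enabled. The sample log lines are constructed to follow the documented message shapes; the function names, the threshold value and the hypothetical device output are all assumptions of this example.

```python
"""Normalise IOS ACL-log and ASA connection syslog messages and aggregate them.

Added example, not Security Manager or CS-MARS code. The SAMPLE_LOGS below are
constructed to match the documented message formats; no real device produced them.
"""
import re
from collections import Counter

# IOS: the four access-list log message IDs from the Router messages table.
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|NP|P|S): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<detail>.+?),? (?P<count>\d+) packets?\b"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# ASA: connection messages whose content NetFlow flow-create/flow-teardown events also carry.
ASA_CONN_RE = re.compile(r"%ASA-\d-(?P<id>30201[456]|30202[01]):")
ASA_CONN_EVENTS = {
    "302014": ("TCP", "teardown"),
    "302015": ("UDP", "create"),
    "302016": ("UDP", "teardown"),
    "302020": ("ICMP", "create"),
    "302021": ("ICMP", "teardown"),
}

# Constructed sample lines (assumption: shaped like real IOS/ASA output, not captured from a device).
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(1234) -> 192.168.1.10(23), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(1234) -> 192.168.1.10(23), 37 packets",
    "%SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.1.1.5 -> 192.168.1.10 (8/0), 12 packets",
    "%SEC-6-IPACCESSLOGS: list 1 permitted 10.1.1.7 4 packets",
    "%SEC-6-IPACCESSLOGNP: list 101 denied 47 10.1.1.9 -> 192.168.1.10, 2 packets",
    "%ASA-6-302015: Built outbound UDP connection 4021 for outside:203.0.113.5/53 (203.0.113.5/53) to inside:10.1.1.5/40000 (10.1.1.5/40000)",
    "%ASA-6-302016: Teardown UDP connection 4021 for outside:203.0.113.5/53 to inside:10.1.1.5/40000 duration 0:00:02 bytes 120",
    "%ASA-6-302014: Teardown TCP connection 4022 for outside:203.0.113.5/443 to inside:10.1.1.5/51234 duration 0:00:05 bytes 1234 TCP FINs",
    "%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.5/0 gaddr 10.1.1.5/0 laddr 10.1.1.5/0",
]


def parse_ios_acl(line):
    """Return a dict for an IOS ACL log message, or None for anything else."""
    m = IOS_RE.search(line)
    if not m:
        return None
    kind, detail = m.group("kind"), m.group("detail")
    ips = IPV4_RE.findall(detail)
    if kind == "P":          # "tcp 10.1.1.5(1234) -> 192.168.1.10(23)"
        proto = detail.split()[0]
    elif kind == "DP":       # ICMP, with "(type/code)" after the addresses
        proto = "icmp"
    elif kind == "NP":       # other IPv4 protocols, logged by protocol number
        proto = detail.split()[0]
    else:                    # S: standard ACL, source address only
        proto = "ip"
    return {"acl": m.group("acl"), "action": m.group("action"), "proto": proto,
            "src": ips[0] if ips else None, "dst": ips[1] if len(ips) > 1 else None,
            "packets": int(m.group("count"))}


def summarize_ios(lines):
    """Sum packet counts per (acl, action, src) across the immediate message and
    the five-minute summary messages, giving one total per source."""
    totals = Counter()
    for line in lines:
        ev = parse_ios_acl(line)
        if ev:
            totals[(ev["acl"], ev["action"], ev["src"])] += ev["packets"]
    return dict(totals)


def noisy_rules(lines, threshold):
    """Access lists whose denied-packet total exceeds threshold: candidates for a
    lower logging level, per the Note in the Router messages section."""
    per_acl = Counter()
    for (acl, action, _src), n in summarize_ios(lines).items():
        if action == "denied":
            per_acl[acl] += n
    return sorted(acl for acl, n in per_acl.items() if n > threshold)


def parse_asa_conn(line):
    """Return a dict for an ASA 302014-302021 connection message, or None."""
    m = ASA_CONN_RE.search(line)
    if not m:
        return None
    proto, event = ASA_CONN_EVENTS[m.group("id")]
    return {"id": m.group("id"), "proto": proto, "event": event,
            "hosts": IPV4_RE.findall(line)[:2]}


def redundant_asa_syslog_ids(lines):
    """Connection message IDs actually seen; each duplicates a NetFlow event."""
    return sorted({ev["id"] for ev in map(parse_asa_conn, lines) if ev})


def asa_disable_commands(ids):
    """ASA CLI lines that suppress those messages once NetFlow export is on."""
    return [f"no logging message {i}" for i in ids]


if __name__ == "__main__":
    print(summarize_ios(SAMPLE_LOGS))
    print("noisy:", noisy_rules(SAMPLE_LOGS, 10))
    print("\n".join(asa_disable_commands(redundant_asa_syslog_ids(SAMPLE_LOGS))))
```

Run it as a script to see the per-source totals, the access list flagged as noisy at the hypothetical threshold of 10 denied packets, and the `no logging message` lines for the connection messages present in the sample. Only IDs that actually appear are emitted, so the same approach run against real logs suppresses just the messages that NetFlow is already reporting for that device.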