Cisco ASA Optimizer
The Cisco ASA Optimizer is a transform that filters out low-priority, high-volume Cisco ASA operational logs and applies intelligent sampling to high-frequency events, preserving security-critical events like threat detections and authentication failures to reduce storage and processing costs while maintaining visibility.
Purpose
This transform is designed to optimize Cisco ASA (Adaptive Security Appliance) logs by selectively filtering and sampling events based on their security relevance and volume characteristics. The transform group is composed of two sequential transforms, each playing a specific role in optimizing log storage and processing while maintaining critical security visibility.
How to Add Cisco ASA Optimization to a Pipeline
Follow these steps to apply Cisco ASA optimization to your pipeline using the built-in Observo templates:
1. Choose Your Pipeline: Navigate to the list of pipelines and select the pipeline where you want to perform Cisco ASA optimization.
2. Edit the Pipeline: Click on Edit Pipeline to open the pipeline configuration screen.
3. Add a Transform: Inside the pipeline editor, click on Add Transform to begin modifying the pipeline.
4. Import a Template: At the top of the transform selection window, click Import.
5. Choose Observo Templates: In the import options, select Observo Templates.
6. Select the Cisco ASA Optimizer: From the list of available templates, choose Cisco ASA Optimizer.
7. Transforms Added Automatically: Once selected, two transforms are added automatically to your pipeline. These transforms work together to perform Cisco ASA optimization.
Usage
The Cisco ASA Optimizer filters out low-priority, high-volume operational events and applies intelligent sampling to frequently occurring events, preserving security-relevant data like threat detections and authentication failures to reduce log volume while maintaining critical visibility.
Filter Cisco ASA Events
Purpose: Filter out low-priority and routine operational Cisco ASA events that provide minimal security value but generate significant log volume.
Behavior:
Drops events with specific ASA Event IDs that are considered noise or routine operations.
Focuses on removing connection establishment/teardown events, routine status messages, and non-security-relevant operational events.
Uses an OR combinator to match any of the specified low-priority Event IDs for removal.
Preserves all security-relevant events including threat detections, policy violations, and authentication failures.
Sample High Volume Events
Purpose: Apply intelligent sampling to high-volume events that have some operational value but occur too frequently for full retention.
Behavior:
Implements configurable sampling rates for specific high-volume Event IDs.
Maintains statistical visibility into event patterns while dramatically reducing volume.
Currently configured to sample events like connection statistics and routine operational messages.
Preserves event timing and distribution patterns through intelligent sampling.
Configuration Options
The Cisco ASA Optimizer uses an OR combinator to filter out 34 low-priority, high-volume Event IDs and applies configurable sampling rates to high-frequency events, allowing bypass options and additional filtering to reduce log volume while preserving critical security data.
Filter Cisco ASA Events
Filter Conditions:
Uses an OR combinator to match against specified low-priority Event IDs.
Currently configured to drop 34 specific Event IDs known to generate high volume with low security value.
Sample High Volume Events
General Configuration:
Bypass Transform: When enabled, this transform is bypassed entirely and events pass through without any modification. Default Value: off (Disabled)
Add Filter Conditions: When enabled, additional filter conditions can be added beyond the sampling rules.
Sample Configuration:
Enabled: When disabled, sampling is not applied to the events matching this condition. Default Value: on (Enabled)
Conditions: Sampling is applied to events that meet the specified condition; all other events pass through unaffected.
Sample Rate: Configurable sampling rate per Event ID or group of Event IDs. This defines the rate at which events are forwarded, expressed as 1/N (one event forwarded out of every N matching events).
Key Field: Specifies a field to use for consistent sampling of related events. When set, events with the same value in this field will be either all kept or all dropped together.
Group By: Creates distinct sampling universes using the specified template. Each unique value created by the template will have its own independently applied sampling rate.
Cisco ASA Event IDs Included
Events Filtered (Dropped Completely)
106011: Appears under normal traffic conditions if there are internal users that are accessing the Internet; can be ignored
106013: Discarded an ICMP echo request
106015: Discarded a TCP packet that has no associated connection in the ASA connection table
199015: A variable syslog was generated by an assistive process
199016: A variable syslog was generated by an assistive process
199017: A variable syslog was generated by an assistive process
199018: A variable syslog was generated by an assistive process
302013: A TCP connection slot between two hosts was created
302014: A TCP connection between two hosts was deleted
302015: A UDP connection slot between two hosts was created
302020: An ICMP session was established in the fast-path when stateful ICMP was enabled using the inspect icmp command
302021: An ICMP session is removed in the fast-path when stateful ICMP is enabled using the inspect icmp command
302022: A TCP director/backup/forwarder flow has been created
302023: A TCP director/backup/forwarder flow has been torn down
302024: A UDP director/backup/forwarder flow has been created
302025: A UDP director/backup/forwarder flow has been torn down
302026: An ICMP director/backup/forwarder flow has been created
302027: An ICMP director/backup/forwarder flow has been torn down
305011: A TCP, UDP, or ICMP address translation slot was created
305012: The address translation slot was deleted
313001: Denied ICMP
313004: Denied ICMP
710005: Unknown UDP or TCP; or empty SNMP
722036: A large packet was sent to the client
725001: SSL handshake has started with the remote device, which can be a client or server
725002: SSL handshake has completed successfully with the remote device
725007: SSL session has terminated
725008: The number of ciphers proposed by the remote SSL device is listed
725009: The number of ciphers proposed to the SSL server is listed
725010: The number of ciphers supported by the ASA for an SSL session is listed
725011: Always follows messages 725008, 725009 and 725010; this message indicates the cipher name and its order of preference
725012: The cipher that was chosen by the Cisco device for the SSL session is listed
725013: The cipher that was chosen by the server for the SSL session is identified
737001: The IP address assignment process received a message
737035: A message is queued to the IP address assignment process. This corresponds with syslog 737001
Events Sampled (Reduced Volume)
106100 (1%, every 100th event): Verbose logging regarding 106023 event activity
106023 (1%, every 100th event): A real IP packet was denied by the ACL
How This Optimizes Cisco ASA Logs
Elimination of Routine Operational Noise: Cisco ASA devices generate extensive logs for routine operations like connection builds/teardowns, interface status changes, and periodic health checks. These events rarely indicate security issues but consume significant storage and processing resources.
Intelligent High-Volume Event Management: Some ASA events provide operational value but occur at extremely high frequencies. Rather than completely dropping these events, sampling preserves statistical visibility while dramatically reducing volume.
Focus on Security-Relevant Events: By removing noise and reducing high-volume events, the optimizer ensures that security-critical events (threats, policy violations, authentication failures, etc.) receive proper attention and analysis.
Efficient Use of Resources: The optimization leads to significant savings in:
Storage costs (local disk, cloud storage)
Network bandwidth for log transmission
SIEM and analytics platform processing overhead
Query performance and analysis speed
Examples
Input Events
After Filter Cisco ASA Events
After Sample High Volume Events
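To make the two stages concrete, here is an added worked model of the optimizer written for this page; it is not Observo's code and does not show the product's real configuration format. It assumes raw ASA syslog lines in the usual `%ASA-<severity>-<event id>: <message>` shape, extracts the source interface and IP from ACL-deny messages as a hypothetical enrichment so that Key Field and Group By can be demonstrated, and uses a constructed set of input lines (the 113015 line stands in for an authentication-failure event, which the page says must survive both stages). Dropped IDs are the ones in the table above; sampled IDs are 106100 and 106023 at 1/100. Key Field sampling is modelled as a hash of the key value modulo N, so related events always get the same verdict; Group By gives each group label its own independent 1-in-N counter.

```python
import hashlib
import re
from collections import defaultdict

# Event IDs dropped outright by "Filter Cisco ASA Events" (from the table on this page).
DROP_IDS = frozenset({
    "106011", "106013", "106015",
    "199015", "199016", "199017", "199018",
    "302013", "302014", "302015", "302020", "302021", "302022", "302023",
    "302024", "302025", "302026", "302027",
    "305011", "305012", "313001", "313004", "710005", "722036",
    "725001", "725002", "725007", "725008", "725009", "725010",
    "725011", "725012", "725013", "737001", "737035",
})

# Event IDs sampled by "Sample High Volume Events": ID -> N, i.e. forward 1 in N.
SAMPLE_RATES = {"106100": 100, "106023": 100}

# %ASA-<severity>-<event id>: <message>
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<eid>\d{6}):\s*(?P<msg>.*)$")
# Hypothetical enrichment: pull "src <iface>:<ip>" out of ACL-deny messages.
SRC_RE = re.compile(r"\bsrc (?P<iface>[\w-]+):(?P<ip>[\d.]+)")


def parse_event(line):
    """Turn one raw ASA syslog line into a dict; returns None for non-ASA lines."""
    m = ASA_RE.search(line)
    if not m:
        return None
    event = {"severity": int(m["sev"]), "event_id": m["eid"],
             "message": m["msg"], "raw": line}
    s = SRC_RE.search(m["msg"])
    if s:
        event["src_iface"], event["src_ip"] = s["iface"], s["ip"]
    return event


def filter_events(events):
    """Transform 1: drop any event whose ID matches one of DROP_IDS (an OR over the IDs)."""
    return [e for e in events if e["event_id"] not in DROP_IDS]


class Sampler:
    """Transform 2: forward 1 in N events for each sampled Event ID.

    key_field: events sharing this field's value are all kept or all dropped (hash mod N).
    group_by:  callable returning a group label; each label gets its own 1-in-N counter.
    """

    def __init__(self, rates, key_field=None, group_by=None):
        self.rates, self.key_field, self.group_by = rates, key_field, group_by
        self.counters = defaultdict(int)

    def keep(self, event):
        n = self.rates.get(event["event_id"])
        if n is None:
            return True                        # not a sampled ID: pass through untouched
        group = self.group_by(event) if self.group_by else event["event_id"]
        if self.key_field is not None:
            key = event.get(self.key_field, "")
            digest = hashlib.sha256(f"{group}|{key}".encode()).hexdigest()
            return int(digest, 16) % n == 0    # same key -> same verdict every time
        self.counters[group] += 1
        return self.counters[group] % n == 0   # every Nth event within this group

    def sample(self, events):
        return [e for e in events if self.keep(e)]


def optimize(lines, sampler):
    """Run both transforms in order and return the surviving parsed events."""
    events = [e for e in map(parse_event, lines) if e is not None]
    return sampler.sample(filter_events(events))


# Constructed sample input; not captured from a real device.
SAMPLE_LINES = [
    '%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/4021 (198.51.100.7/4021) to inside:10.0.0.5/443 (10.0.0.5/443)',
    '%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.9 : user = admin : user IP = 203.0.113.4',
    '%ASA-7-725001: Starting SSL handshake with client outside:203.0.113.4/51000 for TLSv1.2 session',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.4/51000 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    'not an ASA line at all',
] + [
    # 250 further ACL denies from the same source, so 1-in-100 sampling visibly kicks in
    f'%ASA-4-106023: Deny tcp src outside:203.0.113.4/{50000 + i} dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]'
    for i in range(250)
]


def demo():
    """Event IDs that survive both stages for SAMPLE_LINES with plain 1-in-N sampling."""
    kept = optimize(SAMPLE_LINES, Sampler(SAMPLE_RATES))
    return [e["event_id"] for e in kept]


if __name__ == "__main__":
    for eid in demo():
        print(eid)
```

Of the 255 parseable input events, the connection build (302013) and SSL handshake (725001) are removed by the filter stage, the authentication rejection (113015) passes both stages untouched because it is neither dropped nor sampled, and the 251 ACL denies are thinned to the 100th and 200th occurrence. Switching to `Sampler(SAMPLE_RATES, key_field="src_ip")` changes the verdict from "one in every hundred" to "all or nothing per source address", which is the trade-off the Key Field option describes: you lose the steady 1% stream but keep a coherent picture of the sources that are retained.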
Overall Recommendations
Filter Cisco ASA Events: remove low-priority operational events. Benefit: eliminates noise and reduces log volume significantly.
Sample High Volume Events: intelligent sampling of high-frequency events. Benefit: reduces log size.
In combination, these transforms deliver a targeted Cisco ASA log optimization solution that dramatically reduces log volume while preserving all security-relevant information. The optimization strategy is specifically designed around Cisco ASA's event taxonomy, ensuring that critical security events remain fully visible while operational noise is intelligently managed.