Cisco ASA Optimizer
The Cisco ASA Optimizer is a transform that filters out low-priority, high-volume Cisco ASA operational logs and applies intelligent sampling to high-frequency events, preserving security-critical events like threat detections and authentication failures to reduce storage and processing costs while maintaining visibility.
Purpose
This transform is designed to optimize Cisco ASA (Adaptive Security Appliance) logs by selectively filtering and sampling events based on their security relevance and volume characteristics. The transform group is composed of two sequential transforms, each playing a specific role in optimizing log storage and processing while maintaining critical security visibility.
How to Add Cisco ASA Optimization to a Pipeline
Follow these steps to apply Cisco ASA optimization to your pipeline using the built-in Observo templates:
1. Choose Your Pipeline: Navigate to the list of pipelines and select the pipeline where you want to perform Cisco ASA optimization.
2. Edit the Pipeline: Click on Edit Pipeline to open the pipeline configuration screen.
3. Add a Transform: Inside the pipeline editor, click on Add Transform to begin modifying the pipeline.
4. Import a Template: At the top of the transform selection window, click Import.
5. Choose Observo Templates: In the import options, select Observo Templates.
6. Select the Cisco ASA Optimizer: From the list of available templates, choose Cisco ASA Optimizer.
7. Transforms Added Automatically: Once selected, two transforms will be added automatically to your pipeline. These transforms work together to perform Cisco ASA optimization.
Usage
The Cisco ASA Optimizer filters out low-priority, high-volume operational events and applies intelligent sampling to frequently occurring events, preserving security-relevant data like threat detections and authentication failures to reduce log volume while maintaining critical visibility.
Filter Cisco ASA Events
Purpose: Filter out low-priority and routine operational Cisco ASA events that provide minimal security value but generate significant log volume.
Behavior:
Drops events with specific ASA Event IDs that are considered noise or routine operations.
Focuses on removing connection establishment/teardown events, routine status messages, and non-security-relevant operational events.
Uses an OR combinator to match any of the specified low-priority Event IDs for removal.
Preserves all security-relevant events including threat detections, policy violations, and authentication failures.
Sample High Volume Events
Purpose: Apply intelligent sampling to high-volume events that have some operational value but occur too frequently for full retention.
Behavior:
Implements configurable sampling rates for specific high-volume Event IDs.
Maintains statistical visibility into event patterns while dramatically reducing volume.
Currently configured to sample events like connection statistics and routine operational messages.
Preserves event timing and distribution patterns through intelligent sampling.
Configuration Options
The Cisco ASA Optimizer uses an OR combinator to drop 34 low-priority, high-volume Event IDs and applies configurable sampling rates to high-frequency events. Bypass and additional-filter options are available, so log volume is reduced while critical security data is preserved.
Filter Cisco ASA Events
Filter Conditions:
Uses an OR combinator to match against specified low-priority Event IDs.
Currently configured to drop 34 specific Event IDs known to generate high volume with low security value.
Sample High Volume Events
General Configuration:
Bypass Transform: When enabled, this transform will be bypassed entirely, allowing the event to pass through without any modifications. Default Value: off (Disabled)
Add Filter Conditions: When enabled, additional filtering can be added beyond sampling rules.
Sample Configuration:
Enabled: When disabled, the sample process will not be applied to the events matching this condition. Default Value: on (Enabled)
Conditions: Sampling is applied to events that meet the specified condition, while other events are allowed to pass through unaffected.
Sample Rate: Configurable sampling rates per Event ID or group of Event IDs. This defines the rate at which events will be forwarded, expressed as 1/N.
Key Field: Specifies a field to use for consistent sampling of related events. When set, events with the same value in this field will be either all kept or all dropped together.
Group By: Creates distinct sampling universes using the specified template. Each unique value created by the template will have its own independently applied sampling rate.
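To make the two-stage behaviour concrete, the following is an added example (not Observo's code or the template itself) that runs the filter and then the sampler over the six input events from the Examples section below. The drop set is assumed to be only the three IDs the example removes (the real template lists 34), the sampling rule is assumed to be 1/2 for event 106100 grouped by Event ID, and the Key Field and Group By options are implemented as a stable hash and a per-universe counter respectively, which is an assumption about how the product behaves.

```python
import hashlib
from collections import defaultdict

# Constructed input: the six events from the page's example, in the page's field layout.
INPUT_EVENTS = [
    {"cisco": {"cisco_asa_event_id": 106011}, "timestamp": "2025-04-27T12:00:00Z", "message": "Deny inbound protocol src interface_name:source_address/source_port"},
    {"cisco": {"cisco_asa_event_id": 302013}, "timestamp": "2025-04-27T12:00:01Z", "message": "Built outbound TCP connection"},
    {"cisco": {"cisco_asa_event_id": 106100}, "timestamp": "2025-04-27T12:00:02Z", "message": "Access denied by access-group"},
    {"cisco": {"cisco_asa_event_id": 106100}, "timestamp": "2025-04-27T12:00:03Z", "message": "Access denied by access-group"},
    {"cisco": {"cisco_asa_event_id": 733100}, "timestamp": "2025-04-27T12:00:04Z", "message": "Directory lookup failed"},
    {"cisco": {"cisco_asa_event_id": 725001}, "timestamp": "2025-04-27T12:00:05Z", "message": "SSL session established"},
]
# Assumed drop set: the three IDs removed in the page's example (the real template lists 34).
DROP_IDS = {106011, 302013, 725001}
# Assumed sampling rule: forward 1 in 2 of event 106100; no key_field, so every Nth per universe.
SAMPLE_RULES = [{"event_ids": {106100}, "rate": 2, "key_field": None,
                 "group_by": "cisco.cisco_asa_event_id"}]

def get_field(event, path):
    """Resolve a dotted path such as 'cisco.cisco_asa_event_id'; None if missing."""
    for part in path.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def filter_events(events, drop_ids):
    """Filter Cisco ASA Events: OR across the drop list, so any listed ID is removed."""
    return [e for e in events if get_field(e, "cisco.cisco_asa_event_id") not in drop_ids]

def sample_events(events, rules):
    """Sample High Volume Events: forward 1/N of matching events per group_by universe. A
    key_field hashes that value so related events are kept or dropped together."""
    counters, kept = defaultdict(int), []
    for e in events:
        eid = get_field(e, "cisco.cisco_asa_event_id")
        rule = next((r for r in rules if eid in r["event_ids"]), None)
        if rule is None:  # unmatched events pass through unaffected
            kept.append(e)
            continue
        universe = (rules.index(rule), str(get_field(e, rule["group_by"])))
        if rule["key_field"]:
            digest = hashlib.sha256(str(get_field(e, rule["key_field"])).encode()).hexdigest()
            keep = int(digest, 16) % rule["rate"] == 0
        else:
            keep = counters[universe] % rule["rate"] == 0
            counters[universe] += 1
        if keep:
            kept.append(e)
    return kept

def optimize(events, drop_ids=DROP_IDS, rules=SAMPLE_RULES):
    return sample_events(filter_events(events, drop_ids), rules)
```

Running optimize(INPUT_EVENTS) yields the first 106100 event and the 733100 event, matching the page's "After Sample High Volume Events" output; setting key_field on the rule makes both 106100 events share one keep/drop decision.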
Cisco ASA Event IDs Included
How This Optimizes Cisco ASA Logs
Elimination of Routine Operational Noise: Cisco ASA devices generate extensive logs for routine operations like connection builds/teardowns, interface status changes, and periodic health checks. These events rarely indicate security issues but consume significant storage and processing resources.
Intelligent High-Volume Event Management: Some ASA events provide operational value but occur at extremely high frequencies. Rather than completely dropping these events, sampling preserves statistical visibility while dramatically reducing volume.
Focus on Security-Relevant Events: By removing noise and reducing high-volume events, the optimizer ensures that security-critical events (threats, policy violations, authentication failures, etc.) receive proper attention and analysis.
Efficient Use of Resources: The optimization leads to significant savings in:
Storage costs (local disk, cloud storage)
Network bandwidth for log transmission
SIEM and analytics platform processing overhead
Query performance and analysis speed
Examples
Input Events
[
{ "cisco": { "cisco_asa_event_id": 106011 }, "timestamp": "2025-04-27T12:00:00Z", "message": "Deny inbound protocol src interface_name:source_address/source_port" },
{ "cisco": { "cisco_asa_event_id": 302013 }, "timestamp": "2025-04-27T12:00:01Z", "message": "Built outbound TCP connection" },
{ "cisco": { "cisco_asa_event_id": 106100 }, "timestamp": "2025-04-27T12:00:02Z", "message": "Access denied by access-group" },
{ "cisco": { "cisco_asa_event_id": 106100 }, "timestamp": "2025-04-27T12:00:03Z", "message": "Access denied by access-group" },
{ "cisco": { "cisco_asa_event_id": 733100 }, "timestamp": "2025-04-27T12:00:04Z", "message": "Directory lookup failed" },
{ "cisco": { "cisco_asa_event_id": 725001 }, "timestamp": "2025-04-27T12:00:05Z", "message": "SSL session established" }
]
After Filter Cisco ASA Events
[
{ "cisco": { "cisco_asa_event_id": 106100 }, "timestamp": "2025-04-27T12:00:02Z", "message": "Access denied by access-group" },
{ "cisco": { "cisco_asa_event_id": 106100 }, "timestamp": "2025-04-27T12:00:03Z", "message": "Access denied by access-group" },
{ "cisco": { "cisco_asa_event_id": 733100 }, "timestamp": "2025-04-27T12:00:04Z", "message": "Directory lookup failed" }
]
After Sample High Volume Events
[
{ "cisco": { "cisco_asa_event_id": 106100 }, "timestamp": "2025-04-27T12:00:02Z", "message": "Access denied by access-group" },
{ "cisco": { "cisco_asa_event_id": 733100 }, "timestamp": "2025-04-27T12:00:04Z", "message": "Directory lookup failed" }
]
Overall Recommendations
Filter Cisco ASA Events
Remove low-priority operational events
Eliminates noise and reduces log volume significantly
Sample High Volume Events
Intelligent sampling of high-frequency events
Reduces log size
In combination, these transforms deliver a targeted Cisco ASA log optimization solution that dramatically reduces log volume while preserving all security-relevant information. The optimization strategy is specifically designed around Cisco ASA's event taxonomy, ensuring that critical security events remain fully visible while operational noise is intelligently managed.