TopRank Skills


cisco-asa-syslog

Parse, interpret, and analyze Cisco ASA (Adaptive Security Appliance) firewall syslog messages. Use this skill whenever working with Cisco ASA log files, syslog streams from ASA devices, firewall event analysis, or security investigations involving ASA-generated events. Covers the syslog protocol foundation and the ASA-specific message format with message ID categorization.

Status

ACTIVE

Visibility

PUBLIC

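Installation

Copy the prompt below and send it to your AI assistant to complete the installation.

First check whether the SkillHub store is installed. If it is not, install the SkillHub store by following https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/skillhub.md, then install the cisco-asa-syslog skill. If it is already installed, install the cisco-asa-syslog skill directly.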

Overview

Skill Key
gangtao/cisco-asa-syslog
Author
gangtao
Source Repo
openclaw/skills
Version
-
Source Path
skills/gangtao/cisco-asa-syslog
Latest Commit SHA
80bb477a44b505a6d32e162f5615e54c7ba8a0d3

Extracted Content

SKILL.md excerpt

# Cisco ASA Syslog Analysis

This skill teaches you how to read, parse, and interpret log messages generated by Cisco ASA firewalls. All ASA logs are delivered via the syslog protocol, so understanding syslog is foundational before working with ASA-specific content.

---

## Part 1: Syslog Protocol Foundation

All Cisco ASA log messages are transported and formatted using the syslog standard (RFC 3164 / RFC 5424). You must understand syslog before interpreting ASA messages.

### Severity Levels

Every syslog message carries a numeric severity (0 = most critical, 7 = least critical):

| Level | Keyword       | Meaning                                  |
|-------|---------------|------------------------------------------|
| 0     | Emergency     | System is unusable                       |
| 1     | Alert         | Immediate action required                |
| 2     | Critical      | Critical conditions                      |
| 3     | Error         | Error conditions                         |
| 4     | Warning       | Warning conditions                       |
| 5     | Notice        | Normal but significant events            |
| 6     | Informational | Routine informational messages           |
| 7     | Debug         | Verbose diagnostic output                |

### Facility Codes

Facility codes indicate the source subsystem (0-23). Cisco ASA uses local4 (code 20) by default, but this is configurable on the device.

### PRI Value

The PRI header encodes both facility and severity:

  PRI = (Facility x 8) + Severity

Example: local4 (20) + Informational (6) -> (20 x 8) + 6 = 166, shown as <166> in the log header. This is the most common PRI value seen in ASA logs.

### RFC 3164 Format (Traditional)

  <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE

Example:
  <166>Jan 15 10:22:01 fw01 : %ASA-6-302013: Built outbound TCP connection...
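
The PRI arithmetic and the RFC 3164 layout above, worked through as an added example (not part of the skill's own content): it decodes PRI into facility and severity, parses the line, and flags lines whose header severity disagrees with the severity digit in the `%ASA-` tag. The function names, the regular expression, and the second sample line are assumptions made for this illustration.

```python
import re

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# <PRI>TIMESTAMP HOSTNAME TAG: MESSAGE, with the ASA tag shape taken from the
# example line above (%ASA-<severity>-<message id>: text).
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) ?: ?"
    r"%ASA-(?P<asa_sev>[0-7])-(?P<msg_id>\d+): "
    r"(?P<text>.*)$"
)

# Sample input: the first line is the page's example, the second is constructed.
SAMPLE_LINES = [
    "<166>Jan 15 10:22:01 fw01 : %ASA-6-302013: Built outbound TCP connection...",
    "<164>Jan  5 03:04:05 fw01 : %ASA-6-302013: Built outbound TCP connection (constructed)",
]

def decode_pri(pri):
    """Split PRI into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)

def parse_asa_line(line):
    """Parse one RFC 3164 ASA line; return a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        facility, severity = decode_pri(int(m["pri"]))
    except ValueError:
        return None
    return {
        "facility": facility, "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m["timestamp"], "hostname": m["hostname"],
        "msg_id": m["msg_id"], "text": m["text"],
        # Header severity and the %ASA tag digit should describe the same
        # event; a difference is worth flagging during an investigation.
        "severity_mismatch": severity != int(m["asa_sev"]),
    }

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_asa_line(sample))
```
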

### RFC 5424 Format (ASA 9.10+)

Enabled via "logging timestamp rfc5424". Uses ISO 8601 UTC timestamps:

  <PRI>VERSION TIMESTAMP HOSTNAME APP-N...
