Monday, March 24, 2014

How To Forward Cisco ASA Syslog Data to SolarWinds

Updated: 2025-10-16


Why Forward ASA Logs to SolarWinds

If you’re running a Cisco ASA firewall, its syslog output is a goldmine of security and performance insights. By forwarding that data into SolarWinds, you can centralize monitoring, trigger alerts for key events (like denied connections or VPN logins), and build dashboards that reveal trends across your network. The process is straightforward, and once configured, SolarWinds can handle parsing and correlation automatically.

Pro Tip: Forwarding ASA syslog data into SolarWinds is also a great way to test and tune alerting safely in a lab environment. If you’re using a simulation platform like EVE-NG, you can generate synthetic ASA events to see how SolarWinds reacts—perfect for refining thresholds, validating rule logic, and ensuring your alert noise levels are under control before deploying to production.


Step 1 — Identify Your SolarWinds Syslog Receiver

In most SolarWinds environments, Orion Syslog Service (or the newer Log Viewer / Log Analyzer) listens for incoming syslog traffic on UDP port 514 by default.

  • Verify the SolarWinds server’s IP address.

  • Make sure your firewall rules allow inbound UDP 514 from your ASA device.


Step 2 — Configure Syslog on the ASA

Connect to your ASA via SSH or the console, and run the following commands (adjust IPs and interfaces as needed):

conf t
logging enable
logging timestamp
logging device-id hostname
logging trap informational
logging host inside 192.168.1.50
exit
wr mem

Explanation:

  • logging enable — Turns on syslog output.

  • logging trap informational — Sets the severity level (6). You can increase or decrease verbosity with levels like warnings or debugging.

  • logging host inside 192.168.1.50 — Sends logs to your SolarWinds server’s IP address.

  • logging timestamp and device-id hostname help SolarWinds display readable, properly time-stamped messages.


Step 3 — Confirm Delivery

Back on the SolarWinds server:

  • Open Log Viewer or Syslog Viewer.

  • Filter by the ASA’s hostname or IP.

You should begin seeing live syslog entries. If not, confirm connectivity and ensure the ASA interface used for logging can reach the SolarWinds server.


Step 4 — Categorize and Alert

Once data is flowing, you can build custom rules or alerts for specific events — for example:

  • “%ASA-6-106100: access-list denied” → Possible attack or misconfiguration.

  • “%ASA-4-313004: Denied ICMP type 8” → Ping floods or blocked diagnostics.

  • “%ASA-6-722051: Group User Connected” → VPN session notifications.

Use Log Analyzer → Rules → Add Rule, set matching text patterns, and define actions (email, SNMP trap, ServiceNow ticket, etc.).


Step 5 — Tune for Noise

Cisco ASA syslogs can be extremely verbose. Periodically review the log stream and tune severity levels or exclude unimportant message IDs. A balanced configuration ensures you’re alerted to real issues — not overwhelmed by chatter.
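As an added example (not SolarWinds' rule engine or any Cisco code), the following Python mirrors what the Step 4 rules and the Step 5 severity tuning do: it parses ASA syslog lines, drops anything above the configured trap level, counts message IDs so noisy ones can be spotted, and raises alerts for the three message IDs named above. The sample lines are constructed; the hostname "asa-edge", the addresses and the exact line layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape the ASA emits with "logging timestamp" and
# "logging device-id hostname" on; hostname "asa-edge" and addresses are made up.
SAMPLE_LOG = """\
Mar 24 2014 10:15:01 asa-edge : %ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.7(51234) -> inside/192.168.1.10(22) hit-cnt 1 first hit [0x8d3e1a2b, 0x0]
Mar 24 2014 10:15:02 asa-edge : %ASA-4-313004: Denied ICMP type=8, from 203.0.113.9 on interface outside to 192.168.1.1: no matching session
Mar 24 2014 10:15:03 asa-edge : %ASA-6-722051: Group <RemoteVPN> User <jdoe> IP <198.51.100.4> IPv4 Address <10.10.10.5> IPv6 address <::> assigned to session
Mar 24 2014 10:15:04 asa-edge : %ASA-7-609001: Built local-host inside:192.168.1.10
Mar 24 2014 10:15:05 asa-edge : %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:192.168.1.10/443 (192.168.1.10/443)
"""

# Header layout: "<timestamp> <hostname> : %ASA-<severity>-<message id>: <text>"
ASA_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Rules in the spirit of Step 4: a message ID plus a text pattern to match.
RULES = [
    ("106100", "denied", "ACL deny: possible attack or misconfiguration"),
    ("313004", "Denied ICMP type=8", "Blocked ping: flood or blocked diagnostics"),
    ("722051", "Group", "VPN session notification"),
]

def parse_asa_line(line):
    """Return ts/host/sev/msgid/text for one ASA message, or None if it is not one."""
    m = ASA_RE.match(line.strip())
    return dict(m.groupdict(), sev=int(m["sev"])) if m else None

def match_rules(event):
    """Names of rules whose message ID and text pattern both match the event."""
    return [name for msgid, pattern, name in RULES
            if event["msgid"] == msgid and pattern in event["text"]]

def analyze(log_text, trap_level=6):
    """Keep messages at or below trap_level (6 = informational, as in Step 2),
    count them by message ID for noise tuning, and collect rule hits."""
    alerts, counts = [], Counter()
    for ev in filter(None, map(parse_asa_line, log_text.splitlines())):
        if ev["sev"] > trap_level:      # "logging trap" would never send these
            continue
        counts[ev["msgid"]] += 1
        for name in match_rules(ev):
            alerts.append((ev["host"], ev["msgid"], name))
    return alerts, counts
```

Running analyze(SAMPLE_LOG) yields three alerts and shows 302013 as a counted but un-alerted message, the kind of ID you would consider excluding when tuning; lowering trap_level to 4 keeps only the 313004 alert.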


Step 6 — Monitor and Visualize

Once integrated, you can:

  • Build dashboards showing top denied connections or VPN sessions per day.

  • Correlate ASA events with node health data in SolarWinds.

  • Combine syslog data with NetFlow for richer context.


Summary

Forwarding Cisco ASA syslogs into SolarWinds centralizes visibility, strengthens incident response, and unlocks powerful analytics. In just a few commands, your firewall’s event data becomes part of your broader monitoring strategy — helping you move from reactive troubleshooting to proactive insight.