Cisco-ASA default decoder and rules not working


avkby445h 24

Sep 2, 2025, 11:52:26 AM (5 days ago)
to Wazuh | Mailing List

Hi team,

I am shipping network devices logs from a syslog VM to Wazuh Server.

When running logtest, I cannot see the cisco-asa decoder and rule matching as below.

What am I missing?

Sample ASA log file as below:

2025-09-02T18:40:06.198792+03:00 x.x.x.x : Sep 02 18:40:01 EAT: %ASA-session-6-302013: Built outbound TCP connection 88734352 for IPT-TRANSIT-TENDA:10.100.251.137/24801 (10.100.251.137/24801) to identity:x.x.17.17/16058 (x.x.17.17/16058)
2025-09-02T18:40:06.198862+03:00 x.x.x.x : Sep 02 18:40:01 EAT: %ASA-session-6-302014: Teardown TCP connection 88734352 for IPT-TRANSIT-TENDA:10.200.251.137/24801 to identity:x.x.17.17/16058 duration 0:00:00 bytes 0 Flow closed by inspection
2025-09-02T18:40:06.212190+03:00 x.x.x.x : Sep 02 18:40:01 EAT: %ASA-session-6-302013: Built inbound TCP connection 88734353 for IPT-TRANSIT-TENDA:135.181.74.88/36360 (135.181.74.88/36360) to ZIM-VEVE:x.x.13.6/5432 (41.84.159.22/5432)
2025-09-02T18:40:06.380296+03:00 x.x.x.x : Sep 02 18:40:01 EAT: %ASA-session-4-106023: Deny tcp src CDEH-ICOLO:x.x.36.5/3184 dst ZIM-FLEX-UAT:x.x.36.5/16000 by access-group "TUN-ZIM-EADC_access_in" [0xf9934f0d, 0x0]

**Phase 1: Completed pre-decoding.
        full event: '2025-09-02T18:01:20.648766+03:00 x.x.x.x : Sep 02 18:01:16 EAT: %ASA-session-6-302014: Teardown TCP connection 88689071 for ZIM-ESXI:x.x.5.3/48748 to ZIM-ADMIN:x.x.8.7/88 uration 0:00:00 bytes 3697 TCP FINs from ZIM-ESXI'
        timestamp: '2025-09-02T18:01:20.648766+03:00'
        program_name: ''

**Phase 2: Completed decoding.
        name: 'cisco-catalyst-1000'
        cisco.facility: 'ASA-session'
        cisco.mnemonic: '302014'
        cisco.severity: '6'

**Phase 3: Completed filtering (rules).
        id: '4716'
        level: '0'
        description: 'Cisco IOS informational message - 302014'
        groups: '['syslog', 'cisco_ios']'
        firedtimes: '1'
        mail: 'False'

Olamilekan Abdullateef Ajani

Sep 2, 2025, 1:25:42 PM (5 days ago)
to Wazuh | Mailing List
Hello,

If I understand you clearly, you mean the logs are not decoded properly. I feel the way you are testing this is different. Based on the decoder in /var/ossec/ruleset/decoders/0064-cisco-asa_decoders.xml, the log expected is 

%ASA-session-6-302014: Teardown TCP connection 88734352 for IPT-TRANSIT-TENDA:10.200.251.137/24801 to identity:2.2.17.17/16058 duration 0:00:00 bytes 0 Flow closed by inspection

What you have added to the logtest are simply headers, which may affect the outcome of the logtest, as you have also seen. Please see a test I did attached.

What we can do to confirm this is to check the raw logs from archives.json file.

You can enable the archive log by editing the /var/ossec/etc/ossec.conf file.
<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>

Then restart the Wazuh-manager.
systemctl restart wazuh-manager

cat /var/ossec/logs/archives/archives.json | grep -i -E "part of your log"
Verify that you have the logs, then disable archiving by setting the values to no.

Please let me know what you find.
cisco-asa.png
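As an added example (not part of this thread, and not Wazuh's own decoder code), the script below shows what both messages are getting at: the syslog VM prepends its own timestamp and host, so the event handed to wazuh-logtest starts with a relay header rather than with the "%ASA-" marker the cisco-asa decoder expects. It splits the sample lines from the first post into that header and the ASA message, parses the facility / severity / mnemonic the way the Phase 2 output reports them, and audits constructed archives.json lines for events that were stored with the header still in front. The archive lines are constructed, and the "decoder.name" and "full_log" keys are an assumption about the archive format, not copied from the poster's manager.

```python
import json
import re
from typing import List, Optional, Tuple

# Sample lines copied from the thread: the syslog VM prepends its own
# timestamp and host before the ASA message, so the event reaching
# wazuh-logtest does not start at "%ASA-".
SAMPLE_LINES = [
    "2025-09-02T18:40:06.198792+03:00 x.x.x.x : Sep 02 18:40:01 EAT: "
    "%ASA-session-6-302013: Built outbound TCP connection 88734352 for "
    "IPT-TRANSIT-TENDA:10.100.251.137/24801 (10.100.251.137/24801) to "
    "identity:x.x.17.17/16058 (x.x.17.17/16058)",
    "2025-09-02T18:40:06.380296+03:00 x.x.x.x : Sep 02 18:40:01 EAT: "
    "%ASA-session-4-106023: Deny tcp src CDEH-ICOLO:x.x.36.5/3184 dst "
    "ZIM-FLEX-UAT:x.x.36.5/16000 by access-group \"TUN-ZIM-EADC_access_in\" "
    "[0xf9934f0d, 0x0]",
]

ASA_MARKER = "%ASA-"

# Facility / severity / mnemonic header, matching both the thread's
# "%ASA-session-6-302013" form and the plain "%ASA-6-302013" form.
ASA_HEADER_RE = re.compile(
    r"^%(?P<facility>ASA(?:-[A-Za-z]+)?)-(?P<severity>[0-7])-(?P<mnemonic>\d+):\s*(?P<text>.*)$"
)


def split_relay_header(line: str) -> Tuple[str, Optional[str]]:
    """Split a forwarded line into (relay header, ASA message).

    The header is everything before "%ASA-" (empty when the line already
    starts with the marker); the message is None when no ASA payload exists.
    """
    idx = line.find(ASA_MARKER)
    if idx < 0:
        return line, None
    return line[:idx], line[idx:]


def parse_asa_message(msg: str) -> Optional[dict]:
    """Parse the %ASA-<facility>-<severity>-<mnemonic>: prefix of a message."""
    m = ASA_HEADER_RE.match(msg)
    return m.groupdict() if m else None


def extract_asa_events(lines: List[str]) -> List[dict]:
    """Strip relay headers and parse every line that carries an ASA message."""
    events = []
    for line in lines:
        header, msg = split_relay_header(line)
        if msg is None:
            continue
        fields = parse_asa_message(msg)
        if fields is None:
            continue
        fields["relay_header"] = header
        fields["message"] = msg
        events.append(fields)
    return events


# Constructed archives.json lines (assumed shape: one JSON object per line
# with "decoder.name" and "full_log"), not real output from the poster's
# manager. The first still carries the relay header; the second does not.
CONSTRUCTED_ARCHIVE = [
    '{"decoder":{"name":"cisco-catalyst-1000"},"full_log":"2025-09-02T18:01:20.648766+03:00 '
    'x.x.x.x : Sep 02 18:01:16 EAT: %ASA-session-6-302014: Teardown TCP connection 88689071 '
    'for ZIM-ESXI:x.x.5.3/48748 to ZIM-ADMIN:x.x.8.7/88 duration 0:00:00 bytes 3697 '
    'TCP FINs from ZIM-ESXI"}',
    '{"decoder":{"name":"cisco-asa"},"full_log":"%ASA-session-4-106023: Deny tcp src '
    'CDEH-ICOLO:x.x.36.5/3184 dst ZIM-FLEX-UAT:x.x.36.5/16000 by access-group '
    '\\"TUN-ZIM-EADC_access_in\\" [0xf9934f0d, 0x0]"}',
]


def events_with_relay_header(archive_lines: List[str]) -> List[str]:
    """Return the mnemonics of archived events whose full_log still has a
    relay header in front of the ASA message, i.e. the ones the cisco-asa
    decoder cannot match as stored."""
    found = []
    for raw in archive_lines:
        entry = json.loads(raw)
        header, msg = split_relay_header(entry.get("full_log", ""))
        if msg is None or not header:
            continue
        fields = parse_asa_message(msg)
        if fields:
            found.append(fields["mnemonic"])
    return found


if __name__ == "__main__":
    for ev in extract_asa_events(SAMPLE_LINES):
        print(ev["facility"], ev["severity"], ev["mnemonic"], "<-", repr(ev["relay_header"]))
    print("archived events still carrying a relay header:",
          events_with_relay_header(CONSTRUCTED_ARCHIVE))
```

The "message" field of each extracted event is the text starting at "%ASA-", which is the form the reply above pastes into logtest; feeding that to wazuh-logtest instead of the full relayed line is the quickest way to confirm the cisco-asa decoder fires, and a non-empty relay_header in the archive audit points at the relay's forwarding template rather than at the ruleset.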