Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring NetFlow Secure Event Logging (NSEL)
Information About NSEL
byte counters over the duration of the flow. These events are usually time-driven, which makes them
more in line with traditional NetFlow; however, these events may also be triggered by state changes in
the flow.
Note The flow-update event feature is available only in Version 8.4(5). It is not available in Version 9.0(1) or
later.
Each NSEL record has an event ID and an extended event ID field, which describes the flow event.
The ASA and ASASM implementations of NSEL provide the following major functions:
• Tracks flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.
• Defines and exports templates that describe the progression of a flow. Templates describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it.
• Tracks configured NSEL collectors and delivers templates and data records to these configured NSEL collectors through NetFlow over UDP only.
• Sends template information periodically to NSEL collectors. Collectors receive template definitions, normally before receiving flow records.
• Filters NSEL events based on the traffic and event type through Modular Policy Framework, then sends records to different collectors. Traffic is matched based on the order in which classes are configured. After a match is found, no other classes are checked. The supported event types are flow-create, flow-denied, flow-teardown, and all. Records can be sent to different collectors. For example, with two collectors, you can do the following:
  – Log all flow-denied events that match access list 1 to collector 1.
  – Log all flow-create events to collector 1.
  – Log all flow-teardown events to collector 2.
• Delays the export of flow-create events.
Using NSEL and Syslog Messages
Table 1-1 lists the syslog messages that have an equivalent NSEL event, event ID, and extended event
ID. The extended event ID provides more detail about the event (for example, which ACL—ingress or
egress—has denied a flow).
Note Enabling NetFlow to export flow information makes the syslog messages that are listed in Table 1-1
redundant. In the interest of performance, we recommend that you disable redundant syslog messages,
because the same information is exported through NetFlow. You can enable or disable individual syslog
messages by following the procedure in the “Disabling and Reenabling NetFlow-related Syslog
Messages” section on page 1-8.
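The two-collector policy described in the function list above, together with the syslog suppression this note recommends, written out as an added ASA CLI example (this is not configuration from the guide itself). The interface name, collector addresses, ACL name and class names are assumptions chosen for illustration.

```cisco
! Constructed example: two NSEL collectors reachable via the "inside"
! interface (addresses and names are assumptions, not from the guide).
flow-export destination inside 192.0.2.10 2055
flow-export destination inside 192.0.2.20 2055

! Resend templates every 30 minutes so a collector that starts late
! can still decode the data records that follow.
flow-export template timeout-rate 30

! Hold flow-create events for 15 seconds; flows that end sooner then
! produce only a flow-teardown record.
flow-export delay flow-create 15

! "Access list 1" from the text, constructed here as a named extended ACL.
access-list nsel_acl1 extended permit ip 10.1.0.0 255.255.0.0 any

! Classes are checked in the order they are configured and evaluation
! stops at the first match, so the ACL-specific class is listed first.
class-map nsel_acl1_class
 match access-list nsel_acl1
class-map nsel_all_traffic
 match any

policy-map global_policy
 class nsel_acl1_class
  flow-export event-type flow-denied destination 192.0.2.10
  ! Traffic matching this class is never checked against the next class,
  ! so its flow-create and flow-teardown events must be exported here too.
  flow-export event-type flow-create destination 192.0.2.10
  flow-export event-type flow-teardown destination 192.0.2.20
 class nsel_all_traffic
  flow-export event-type flow-create destination 192.0.2.10
  flow-export event-type flow-teardown destination 192.0.2.20

! global_policy is normally applied already; shown for completeness.
service-policy global_policy global

! The exported events duplicate the syslogs in Table 1-1, so suppress them.
logging flow-export-syslogs disable
```

Verify the result with `show flow-export counters` and `show running-config flow-export`; a collector that never receives records usually points to the destination interface or UDP port being wrong.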