https://community.cisco.com/t5/network-security/xlate-logs-into-splunk-es/m-p/4130355#M1072629 <P>The quick 'n dirty:</P><P>&nbsp;</P><P>- Cisco ASAs logging informational level send to a server running syslog-ng, which is ingested into Splunk Enterprise Security.</P><P>- Client wants to see xlate / NAT translations in the search of the log</P><P>- Is the only way to really achieve this to have an API call of a show xlate / show conn so it can be logged, searchable, and retained within Splunk?</P><P>- As a workaround I am offering the "built connection" log from the ASA to see if that can satisfy.</P><P>&nbsp;</P><P>Thanks!</P> Tue, 04 Aug 2020 19:11:42 GMT amlc 2020-08-04T19:11:42Z https://community.cisco.com/t5/network-security/xlate-logs-into-splunk-es/m-p/4130355#M1072629 <P>The quick 'n dirty:</P><P>&nbsp;</P><P>- Cisco ASAs logging informational level send to a server running syslog-ng, which is ingested into Splunk Enterprise Security.</P><P>- Client wants to see xlate / NAT translations in the search of the log</P><P>- Is the only way to really achieve this to have an API call of a show xlate / show conn so it can be logged, searchable, and retained within Splunk?</P><P>- As a workaround I am offering the "built connection" log from the ASA to see if that can satisfy.</P><P>&nbsp;</P><P>Thanks!</P> Tue, 04 Aug 2020 19:11:42 GMT https://community.cisco.com/t5/network-security/xlate-logs-into-splunk-es/m-p/4130355#M1072629 amlc 2020-08-04T19:11:42Z https://community.cisco.com/t5/network-security/xlate-logs-into-splunk-es/m-p/4130505#M1072638 Hi,<BR /><BR />Look for these syslog messages. Built connection syslog doesn't indicate<BR />xlate always.<BR /><BR />305009<BR /><BR />Error Message %ASA-6-305009: Built {dynamic|static} translation from<BR />interface_name<BR />[(acl-name)]:real_address [(idfw_user )] to interface_name :mapped_address<BR /><BR />Explanation An address translation slot was created. The slot translates<BR />the source address from the local side to the global side. In reverse, the<BR />slot translates the destination address from the global side to the local<BR />side.<BR /><BR />Recommended Action None required.<BR />305010<BR /><BR />Error Message %ASA-6-305010: Teardown {dynamic|static} translation from<BR />interface_name :real_address [(idfw_user )] to interface_name :<BR />mapped_address duration time<BR /><BR />Explanation The address translation slot was deleted.<BR /><BR />Recommended Action None required.<BR />305011<BR /><BR />Error Message %ASA-6-305011: Built {dynamic|static} {TCP|UDP|ICMP}<BR />translation from interface_name :real_address/real_port [(idfw_user )] to<BR />interface_name :mapped_address/mapped_port<BR /><BR />Explanation A TCP, UDP, or ICMP address translation slot was created. The<BR />slot translates the source socket from the local side to the global side.<BR />In reverse, the slot translates the destination socket from the global side<BR />to the local side.<BR /><BR />Recommended Action None required.<BR />305012<BR /><BR />Error Message %ASA-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP}<BR />translation from interface_name [(acl-name )]:real_address /{real_port |<BR />real_ICMP_ID } [(idfw_user )] to interface_name :mapped_address /{<BR />mapped_port |mapped_ICMP_ID } duration time<BR /><BR />Explanation The address translation slot was deleted.<BR /><BR />Recommended Action None required.<BR /><BR /><BR />***** please remember to rate useful posts<BR /> Wed, 05 Aug 2020 01:25:40 GMT https://community.cisco.com/t5/network-security/xlate-logs-into-splunk-es/m-p/4130505#M1072638 Mohammed al Baqari 2020-08-05T01:25:40Z