04-13-2015 04:39 AM - edited 03-11-2019 10:45 PM
Hi Team,
We are analyzing Cisco ASA syslog messages for inbound and outbound traffic. Could you please provide the complete list for inbound and outbound traffic, which will help us to analyze the traffic.
-Shalendra
04-13-2015 05:15 AM
Hi Shalendra
This link may be helpful for you.
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/messages/Syslog_Guide.pdf
best regards.
04-13-2015 06:36 AM
Hi aydinnmu1,
Thanks for the reply. We are referring to this syslog guide and found some messages, but we are not able to find out which event is for outbound and which for inbound. Wherever the outbound and inbound keywords appear, we have collected those messages, but for the messages listed below we are not able to decide. Please help me out on these:
%ASA-6-106012: Deny IP from IP_address to IP_address, IP options hex.
%ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
%ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
%ASA-2-106017: Deny IP due to Land Attack from IP_address to IP_address
%ASA-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address
%ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
%ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
%ASA-4-106023: Deny protocol src [interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)] dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)] [type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]
%ASA-3-313008: Denied ICMPv6 type=number, code=code from IP_address on interface interface_name
%ASA-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface interface
%ASA-4-416001: Dropped UDP SNMP packet from source_interface:source_IP/source_port to dest_interface:dest_address/dest_port; version (prot_version) is not allowed through the firewall
%ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) (idfw_user, sg_info) interface_name/dest_address(dest_port) (idfw_user, sg_info) hit-cnt number ({first hit | number-second interval}) hash codes
%ASA-6-106102: access-list acl_ID {permitted|denied} protocol for user username interface_name/source_address source_port interface_name/dest_address dest_port hit-cnt number {first hit|number-second interval} hash codes
%ASA-4-106103: access-list acl_ID denied protocol for user username interface_name/source_address source_port interface_name/dest_address dest_port hit-cnt number first hit hash codes
%ASA-4-313004: Denied ICMP type=icmp_type, from source_address on interface interface_name to dest_address:no matching session
%ASA-4-338008: Dynamic filter dropped blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: ip address/netmask, threat-level: level_value, category: category_name
%ASA-4-338203: Dynamic filter dropped greylisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name
%ASA-4-338204: Dynamic filter dropped greylisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name
%ASA-4-338005: Dynamic filter dropped blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), source malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name
%ASA-4-416001: Dropped UDP SNMP packet from source_interface:source_IP/source_port to dest_interface:dest_address/dest_port; version (prot_version) is not allowed through the firewall
%ASA-4-418001: Through-the-device packet to/from management-only network is denied: protocol_string from interface_name IP_address (port) [([idfw_user|FQDN_string], sg_info)] to interface_name IP_address (port) [(idfw_user|FQDN_string), sg_info]
%ASA-4-424001: Packet denied protocol_string intf_in:src_ip/src_port [([idfw_user | FQDN_string], sg_info)] intf_out:dst_ip/dst_port[([idfw_user | FQDN_string], sg_info)]. [Ingress|Egress] interface is in a backup state.
%ASA-4-424002: Connection to the backup interface is denied: protocol_string intf:src_ip/src_port intf:dst_ip/dst_port
%ASA-6-716042: access-list acl_ID action tcp source_interface/source_address (source_port) - dest_interface/dest_address(dest_port) hit-cnt count
%ASA-4-338006: Dynamic filter dropped blacklisted protocol traffic from in_interface:src_ip_addr/src_port (mapped-ip/mapped-port) to out_interface:dest_ip_addr/dest_port (mapped-ip/mapped-port), destination malicious address resolved from local or dynamic list: domain name, threat-level: level_value, category: category_name
04-14-2015 12:32 AM
Hi Shalendra,
I couldn't match some of these messages either.
You may watch for the keywords "from ... to ...":
inbound traffic refers to outside -> inside
outbound traffic refers to inside -> outside.
%ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
A message such as this may be either outbound or inbound traffic. That depends on your configuration and network structure.
Best regards.
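Putting the "from ... to ..." rule above into practice, here is an added example in Python (not from the thread, and not Cisco code) that parses three of the message formats Shalendra listed (106023, 106100 and 106015), extracts the interface names and addresses, and labels each event inbound or outbound. Two-interface messages are classified from the interface names; a single-interface message such as 106015 falls back to comparing the addresses against the internal ranges, which is exactly where "it depends on your configuration" applies. The interface name `outside`, the internal prefixes and the sample log lines are all constructed assumptions; set them to your own `nameif` values and addressing.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: site configuration. Which nameif values face the untrusted side,
# and which address ranges count as internal. Adjust to your own ASA.
EXTERNAL_INTERFACES = {"outside"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")

# Body patterns for three of the message IDs quoted in the thread. The field
# layout follows the syslog guide templates; only IPv4 with a port is handled.
PATTERNS = {
    # %ASA-4-106023: Deny protocol src ifc:ip/port dst ifc:ip/port by access_group ...
    "106023": re.compile(
        r"Deny \S+ src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/\d+ "
        r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/\d+"),
    # %ASA-6-106100: access-list ID {permitted|denied|est-allowed} proto ifc/ip(port) -> ifc/ip(port) ...
    "106100": re.compile(
        r"access-list \S+ (?:permitted|denied|est-allowed) \S+ "
        r"(?P<src_if>[^/]+)/(?P<src_ip>[\d.]+)\(\d+\) -> "
        r"(?P<dst_if>[^/]+)/(?P<dst_ip>[\d.]+)\(\d+\)"),
    # %ASA-6-106015: Deny TCP (no connection) from ip/port to ip/port flags ... on interface ifc
    "106015": re.compile(
        r"from (?P<src_ip>[\d.]+)/\d+ to (?P<dst_ip>[\d.]+)/\d+ .* on interface (?P<in_if>\S+)"),
}


@dataclass
class Event:
    msg_id: str
    src_if: Optional[str]
    src_ip: str
    dst_if: Optional[str]
    dst_ip: str
    direction: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify(src_if: Optional[str], dst_if: Optional[str], src_ip: str, dst_ip: str) -> str:
    """Inbound = external interface -> non-external; outbound = the reverse."""
    if src_if and dst_if:
        if src_if in EXTERNAL_INTERFACES and dst_if not in EXTERNAL_INTERFACES:
            return "inbound"
        if src_if not in EXTERNAL_INTERFACES and dst_if in EXTERNAL_INTERFACES:
            return "outbound"
        return "intra-zone"  # e.g. dmz -> inside: neither side is the outside interface
    # Single-interface message: decide from the address ranges instead.
    if is_internal(dst_ip) and not is_internal(src_ip):
        return "inbound"
    if is_internal(src_ip) and not is_internal(dst_ip):
        return "outbound"
    return "unknown"


def parse(line: str) -> Optional[Event]:
    """Return an Event for a recognised message, None for anything else."""
    head = HEADER.search(line)
    if not head:
        return None
    pattern = PATTERNS.get(head["id"])
    if not pattern:
        return None
    m = pattern.search(head["body"])
    if not m:
        return None
    f = m.groupdict()
    src_if, dst_if = f.get("src_if"), f.get("dst_if")
    direction = classify(src_if, dst_if, f["src_ip"], f["dst_ip"])
    return Event(head["id"], src_if, f["src_ip"], dst_if, f["dst_ip"], direction)


def summarize(lines):
    """Count recognised events per direction."""
    counts = {}
    for line in lines:
        ev = parse(line)
        if ev:
            counts[ev.direction] = counts.get(ev.direction, 0) + 1
    return counts


# Constructed sample lines in the documented formats (addresses from RFC 5737 ranges).
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-6-106100: access-list INSIDE_OUT permitted tcp inside/10.0.0.20(44321) -> outside/198.51.100.7(443) hit-cnt 1 first hit [0x0, 0x0]',
    '%ASA-6-106015: Deny TCP (no connection) from 198.51.100.9/443 to 10.0.0.20/44321 flags RST on interface outside',
    '%ASA-6-106015: Deny TCP (no connection) from 10.0.0.20/44321 to 198.51.100.9/443 flags ACK on interface inside',
    '%ASA-4-106023: Deny tcp src dmz:172.16.5.5/40000 dst inside:10.0.0.10/3389 by access-group "DMZ_IN" [0x0, 0x0]',
]

if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(parse(raw))
    print(summarize(SAMPLE_LOGS))
```

The point of the fallback branch is the caveat in the reply above: a message that names only one interface cannot be classified from the message alone, so the script needs your own view of what is internal. The dmz-to-inside line deliberately comes out as neither inbound nor outbound, because both interfaces are on the trusted side of the box in this constructed configuration.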
04-15-2015 06:49 AM
Thanks aydinnmu1, it was useful for me.
04-16-2015 06:26 AM
Could you please provide the syslog message list for system resource status, i.e. CPU usage and memory usage? I'm not finding it in the syslog guide.
Regards,
Shalendra