Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1137
Views
0
Helpful
1
Replies

XLATE Logs into Splunk ES

amlc
Level 1
Level 1

‎08-04-2020 12:11 PM

The quick 'n dirty:

 

- Cisco ASAs logging informational level send to a server running syslog-ng, which is ingested into Splunk Enterprise Security.

- Client wants to see xlate / NAT translations in the search of the log

- Is the only way to really achieve this to have an API call of a show xlate / show conn so it can be logged, searchable, and retained within Splunk?

- As a workaround I am offering the "built connection" log from the ASA to see if that can satisfy.

 

Thanks!

0 Helpful
1 Reply 1

Mohammed al Baqari
Level 11
Level 11

‎08-04-2020 06:25 PM

Hi,

Look for these syslog messages. Built connection syslog doesn't indicate
xlate always.

305009

Error Message %ASA-6-305009: Built {dynamic|static} translation from
interface_name
[(acl-name)]:real_address [(idfw_user )] to interface_name :mapped_address

Explanation An address translation slot was created. The slot translates
the source address from the local side to the global side. In reverse, the
slot translates the destination address from the global side to the local
side.

Recommended Action None required.
305010

Error Message %ASA-6-305010: Teardown {dynamic|static} translation from
interface_name :real_address [(idfw_user )] to interface_name :
mapped_address duration time

Explanation The address translation slot was deleted.

Recommended Action None required.
305011

Error Message %ASA-6-305011: Built {dynamic|static} {TCP|UDP|ICMP}
translation from interface_name :real_address/real_port [(idfw_user )] to
interface_name :mapped_address/mapped_port

Explanation A TCP, UDP, or ICMP address translation slot was created. The
slot translates the source socket from the local side to the global side.
In reverse, the slot translates the destination socket from the global side
to the local side.

Recommended Action None required.
305012

Error Message %ASA-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP}
translation from interface_name [(acl-name )]:real_address /{real_port |
real_ICMP_ID } [(idfw_user )] to interface_name :mapped_address /{
mapped_port |mapped_ICMP_ID } duration time

Explanation The address translation slot was deleted.

Recommended Action None required.


***** please remember to rate useful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card