Version: 2.9.1

Top Hosts with most Connections for Cisco ASA (10021 / 20021)

Description

This module processes Cisco ASA NetFlow Secure Event Logging (NSEL) records. It reports the top N consumers (users), ranked by number of connections, per network device and per protocol (destination port) over a time interval T. Cisco ASA customers can turn on NSEL at the highest reporting level and still receive consolidated data (several syslog messages) every T seconds. This information is provided per NetFlow exporter.

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| Application protocol (l4_dst_port) list | List of watched layer 4 destination ports. If specified, the traffic is reported by specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, the traffic is reported by all actual destination ports. | e.g. 80, 443 |
| N – number of reported hosts | Top N (number of reported destinations) | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |
| Enable (1) or disable (0) reporting by destination port | If set to 1, enable network traffic monitoring by destination port. If set to 0, report total network traffic as destination port 0 (dest_port=0) | default = 0 |

Inputs

Cisco ASA NSEL.

Syslog/JSON Message Fields

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20021" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| src_ip6 | Source host IPv6 address | <IPv6_address> |
| dest_port | Destination port number (e.g. 80 for http) | <number> |
| user | Username (up to 20 bytes) | <string> ("na" if not available) |
| created_count | Created flows count | <number> |
| t_int | Observation time interval, msec | <number> |
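
The following added example (not the module's own code) models how the parameters above shape the reported records: watched ports, the dest_port=0 bucket, N = 0, and the enable/disable switch. The function name, the input tuple layout, ranking within each (exporter, reported port) group, and setting t_int to the collection interval are assumptions; the sample flows are constructed.

```python
from collections import Counter, defaultdict

def top_hosts(events, watched_ports=(), top_n=50, by_port=0, t_int_ms=30000):
    """Aggregate flow-creation events into records shaped like nfc_id=20021.

    events: (exp_ip, src_ip, user, dest_port) tuples, one per created flow.
    Assumption: hosts are ranked within each (exporter, reported port) group.
    """
    watched = set(watched_ports)
    groups = defaultdict(Counter)  # (exp_ip, reported port) -> {(src_ip, user): count}
    for exp_ip, src_ip, user, dest_port in events:
        if not by_port:
            port = 0          # reporting by port disabled: all traffic is dest_port=0
        elif watched and dest_port not in watched:
            port = 0          # unwatched ports are summed up under dest_port=0
        else:
            port = dest_port  # watched port, or empty list: actual destination port
        groups[(exp_ip, port)][(src_ip, user or "na")] += 1

    records = []
    for (exp_ip, port), counts in sorted(groups.items(), key=lambda kv: kv[0]):
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        if top_n > 0:         # N = 0 means every host is reported
            ranked = ranked[:top_n]
        for (src_ip, user), created in ranked:
            records.append({"nfc_id": 20021, "exp_ip": exp_ip, "src_ip": src_ip,
                            "dest_port": port, "user": user,
                            "created_count": created, "t_int": t_int_ms})
    return records

# Constructed sample: flows seen by one exporter during a single interval.
SAMPLE_EVENTS = (
    [("192.0.2.1", "10.0.0.5", "alice", 443)] * 4
    + [("192.0.2.1", "10.0.0.6", None, 443)] * 2
    + [("192.0.2.1", "10.0.0.5", "alice", 22)] * 3
    + [("192.0.2.1", "10.0.0.7", "bob", 8080)]
)

if __name__ == "__main__":
    for rec in top_hosts(SAMPLE_EVENTS, watched_ports=[443], top_n=1, by_port=1):
        print(rec)
```

With port 443 watched and N = 1, the SSH and 8080 flows collapse into the dest_port=0 bucket, so a host that is busy only on unwatched ports is visible only in that aggregate.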