Top Hosts with most Connections for Cisco ASA (10021 / 20021)
This module handles Cisco ASA NSEL (NetFlow Secure Event Logging). It reports the top N consumers (hosts/users, ranked by number of connections) per network device (NetFlow exporter) and per protocol (destination port) over a time interval T. Cisco ASA customers can turn NSEL on at the most verbose reporting level and still receive consolidated data (a few syslog messages) every T seconds. The information is provided per NetFlow exporter.
| Parameter | Description | Values |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| Application protocol (l4_dst_port) list | List of watched layer 4 destination ports. If specified, traffic is reported by the specified ports, and all other traffic is summed up under dest_port=0. If the list is empty, traffic is reported by all actual destination ports. | e.g. 80, 443 |
| N – number of reported hosts | Top N (number of reported destinations) | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |
| Enable (1) or disable (0) reporting by destination port | If set to 1, network traffic is monitored by destination port. If set to 0, total network traffic is reported as destination port 0 (dest_port=0). | default = 0 |
Cisco ASA NSEL.
Syslog/JSON Message Fields
| Field | Description | Value |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20021" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| src_ip6 | Source host IPv6 address | <IPv6_address> |
| dest_port | Destination port number (e.g. 80 for http) | <number> |
| user | Username (up to 20 bytes) | <string> ("na" if not available) |
| created_count | Created flows count | <number> |
| t_int | Observation time interval, msec | <number> |
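The following added example (not the vendor's module code) shows how the parameters above shape the consolidated output: flow-create records from one interval T are counted per exporter and per reported destination port, unwatched ports collapse into dest_port=0, and the top N hosts per group are emitted as JSON records carrying the message fields listed above. The flow records, parameter values and IP addresses are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Module parameters (names follow the parameter table; values are assumptions for this example).
WATCHED_PORTS = {80, 443}   # Application protocol (l4_dst_port) list; empty set = report all ports
TOP_N = 2                   # N - number of reported hosts; 0 = report all hosts
BY_PORT = 1                 # Enable (1) or disable (0) reporting by destination port
T_INT_MS = 30_000           # Data Collection Interval of 30 sec, reported as t_int in msec

# Constructed flow-create records for one interval T, as decoded from NSEL (not real traffic).
FLOWS = [
    {"exp_ip": "10.0.0.1", "src_ip": "192.168.1.10", "l4_dst_port": 443,  "user": "alice"},
    {"exp_ip": "10.0.0.1", "src_ip": "192.168.1.10", "l4_dst_port": 443,  "user": "alice"},
    {"exp_ip": "10.0.0.1", "src_ip": "192.168.1.11", "l4_dst_port": 80,   "user": "na"},
    {"exp_ip": "10.0.0.1", "src_ip": "192.168.1.12", "l4_dst_port": 22,   "user": "bob"},
    {"exp_ip": "10.0.0.1", "src_ip": "192.168.1.12", "l4_dst_port": 8080, "user": "bob"},
    {"exp_ip": "10.0.0.1", "src_ip": "192.168.1.12", "l4_dst_port": 443,  "user": "bob"},
    {"exp_ip": "10.0.0.2", "src_ip": "192.168.2.5",  "l4_dst_port": 53,   "user": "na"},
]

def report_port(port, watched=WATCHED_PORTS, by_port=BY_PORT):
    """dest_port the module would report for a flow's actual destination port."""
    if not by_port:                      # reporting by port disabled: everything is dest_port=0
        return 0
    if watched and port not in watched:  # unwatched port: summed up under dest_port=0
        return 0
    return port

def top_consumers(flows, n=TOP_N, watched=WATCHED_PORTS, by_port=BY_PORT, t_int=T_INT_MS):
    """Top N source hosts by created-flow count, per exporter and per reported dest_port."""
    groups = defaultdict(Counter)        # (exp_ip, dest_port) -> Counter{(src_ip, user): flows}
    for f in flows:
        dest_port = report_port(f["l4_dst_port"], watched, by_port)
        groups[(f["exp_ip"], dest_port)][(f["src_ip"], f["user"])] += 1
    messages = []
    for (exp_ip, dest_port), counter in groups.items():
        for (src_ip, user), created in counter.most_common(None if n == 0 else n):
            messages.append({"nfc_id": 20021, "exp_ip": exp_ip, "src_ip": src_ip,
                             "dest_port": dest_port, "user": user,
                             "created_count": created, "t_int": t_int})
    return messages

def to_syslog_json(messages):
    """Serialize each consolidated record as one JSON line, as a syslog/JSON consumer receives it."""
    return [json.dumps(m, sort_keys=True) for m in messages]

if __name__ == "__main__":
    for line in to_syslog_json(top_consumers(FLOWS)):
        print(line)
```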