Source and event types for the Splunk Add-on for Cisco ASA

The Splunk Add-on for Cisco ASA provides the following source types:

| Source type | Description | Event type | CIM data models |
|---|---|---|---|
| cisco:asa | Events coming from TCP/UDP/SC4S. See “CIM compatibility of Cisco ASA message IDs” for information about Cisco ASA message IDs. | cisco_authentication, cisco_authentication_privileged | Authentication |
| | | cisco_connection | Network Traffic |
| | | cisco_asa_audit_change, cisco_asa_configuration_change | Change |
| | | cisco_asa_network_sessions, cisco_vpn_start, cisco_vpn, cisco_vpn_end | Network Sessions |
| | | cisco_asa_certificates | Certificates |
| | | cisco_intrusion | Intrusion Detection |
| | | cisco_asa_alert | Alerts |

CIM compatibility with Cisco ASA events

The table below describes the CIM data models mapped to the respective Cisco ASA event types.

| Event type | Message IDs | CIM Data Model |
|---|---|---|
| [cisco_authentication_privileged] | 113021 | Authentication |
| [cisco_authentication] | 113008, 113005, 113004, 605004, 713198, 716047, 611101, 109031, 713185, 713167, 772004, 113012, 772002, 605005, 716038, 713166, 716039, 772003 | Authentication |
| [cisco_connection] | 109025, 302015, 710005, 106023, 302020, 302013, 302014, 305012, 400013, 313001, 313005, 106012, 338002, 106103, 106006, 710003, 302016, 313009, 500003, 302021, 106014, 110002, 303002, 305013, 106100, 313004, 106021, 419003, 106007, 106001, 419002, 305011, 710002, 106015, 106020, 338301 | Network Traffic |
| [cisco_asa_audit_change] | 505015, 771002, 502112, 505009, 502102, 111010, 502103, 111009, 505004, 502111, 111004, 502101, 111001 | Change |
| [cisco_asa_configuration_change] | 505015, 505007, 505006, 505005, 113003, 502112, 504001, 505008, 505009, 505001, 500002, 502102, 500001, 505003, 505002, 505004, 502111, 504002, 502101 | Change |
| [cisco_asa_network_sessions] | 609001, 725007, 722028, 609002, 716058, 751025, 725003, 716059, 722030, 722029, 722037, 722031 | Network Sessions |
| [cisco_vpn_start] | 716001, 113039, 602303, 722022, 722034, 722033 | Network Sessions |
| [cisco_vpn] | 713228, 722051 | Network Sessions |
| [cisco_vpn_end] | 113019, 602304, 722023, 716002 | Network Sessions |
| [cisco_asa_certificates] | 717022, 717009, 717029, 717027, 717028, 717037 | Certificates |
| [cisco_intrusion] | 400032, 106017, 106016 | Intrusion Detection |
| [cisco_asa_alert] | 405001, 110003 | Alerts |