cisco-asa-syslog
Parse, interpret, and analyze Cisco ASA (Adaptive Security Appliance) firewall syslog messages. Use this skill whenever working with Cisco ASA log files, syslog streams from ASA devices, firewall event analysis, or security investigations involving ASA-generated events. Covers the syslog protocol foundation and the ASA-specific message format with message ID categorization.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/gangtao/cisco-asa-syslog
Cisco ASA Syslog Analysis
This skill teaches you how to read, parse, and interpret log messages generated by Cisco ASA firewalls. All ASA logs are delivered via the syslog protocol, so understanding syslog is foundational before working with ASA-specific content.
Part 1: Syslog Protocol Foundation
All Cisco ASA log messages are transported and formatted using the syslog standard (RFC 3164 / RFC 5424). You must understand syslog before interpreting ASA messages.
Severity Levels
Every syslog message carries a numeric severity (0 = most critical, 7 = least critical):
| Level | Keyword | Meaning |
|---|---|---|
| 0 | Emergency | System is unusable |
| 1 | Alert | Immediate action required |
| 2 | Critical | Critical conditions |
| 3 | Error | Error conditions |
| 4 | Warning | Warning conditions |
| 5 | Notice | Normal but significant events |
| 6 | Informational | Routine informational messages |
| 7 | Debug | Verbose diagnostic output |
Facility Codes
Facility codes indicate the source subsystem (0-23). Cisco ASA uses local4 (code 20) by default, but this is configurable on the device.
PRI Value
The PRI header encodes both facility and severity:
PRI = (Facility x 8) + Severity
Example: local4 (20) + Informational (6) -> (20 x 8) + 6 = 166, shown as <166> in the log header. This is the most common PRI value seen in ASA logs.
RFC 3164 Format (Traditional)
<PRI>TIMESTAMP HOSTNAME TAG: MESSAGE
Example: <166>Jan 15 10:22:01 fw01 : %ASA-6-302013: Built outbound TCP connection...
RFC 5424 Format (ASA 9.10+)
Enabled via "logging timestamp rfc5424". Uses ISO 8601 UTC timestamps:
<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
Example: <166>1 2018-06-27T12:17:46Z asa - - - %ASA-6-110002: Failed to locate egress interface...
Part 2: Cisco ASA Log Format
Core Message Structure
Every ASA event message follows this pattern, regardless of syslog envelope:
%ASA-severity-message_id: message_text
| Field | Description |
|---|---|
| %ASA | Fixed literal prefix on all ASA messages |
| severity | Single digit 0-7 matching syslog severity levels above |
| message_id | 6-digit numeric ID uniquely identifying the event type |
| message_text | Human-readable description with variable substitutions |
Full Log Line with Syslog Envelope
<PRI> TIMESTAMP HOSTNAME : %ASA-severity-message_id: message_text
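A parser for the line layout described above, as an added example that is not part of the skill itself. The function name, the returned field names and the third sample line are assumptions made for illustration; the first two sample lines are the page's own examples, kept truncated.

```python
import re

SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Core message: %ASA-severity-message_id: message_text (6-digit ID, as described above)
ASA_RE = re.compile(r"%ASA-([0-7])-(\d{6}): (.*)$")
RFC5424_RE = re.compile(r"^1 (\S+) (\S+) ")   # VERSION TIMESTAMP HOSTNAME ...
RFC3164_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+)")

# First two lines are the page's examples; the third is constructed so that
# the PRI severity (164 -> 4) disagrees with the %ASA severity (6).
SAMPLE_LINES = [
    "<166>Jan 15 10:22:01 fw01 : %ASA-6-302013: Built outbound TCP connection...",
    "<166>1 2018-06-27T12:17:46Z asa - - - %ASA-6-110002: Failed to locate egress interface...",
    "<164>Jan 15 10:22:05 fw01 : %ASA-6-302013: constructed sample",
]


def parse_asa_line(line):
    """Return envelope and ASA fields as a dict, or None if no %ASA message is present."""
    line = line.strip()
    asa = ASA_RE.search(line)
    if asa is None:
        return None
    sev = int(asa.group(1))
    rec = {"severity": sev, "severity_name": SEVERITIES[sev],
           "message_id": asa.group(2), "message_text": asa.group(3),
           "pri": None, "facility": None, "envelope": None,
           "timestamp": None, "hostname": None, "pri_mismatch": False}
    rest = line
    pri = PRI_RE.match(line)
    if pri and int(pri.group(1)) <= 191:          # 191 = facility 23, severity 7
        rec["pri"] = int(pri.group(1))
        rec["facility"], pri_sev = divmod(rec["pri"], 8)   # PRI = facility * 8 + severity
        rec["pri_mismatch"] = pri_sev != sev      # header rewritten by a relay, or malformed line
        rest = line[pri.end():].lstrip()
    for name, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(rest)
        if m:
            rec["envelope"], rec["timestamp"], rec["hostname"] = name, m.group(1), m.group(2)
            break
    return rec


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_asa_line(sample))
```

Lines that carry only the core message (no syslog envelope) still parse, with the envelope fields left as None.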
Paste this into your clawhub.json to enable this plugin.
{
  "plugins": {
    "official-gangtao-cisco-asa-syslog": {
      "enabled": true,
      "auto_update": true
    }
  }
}