Configure SEM to track Cisco buildup and teardown events
You can enable SEM to track buildup and tear-down events that occur on your network.
To monitor accepted traffic, use the log target in your accepted ACLs instead of the buildup logging. This lets you control the accepted traffic that will generate an alert. To monitor the information about the actual NAT, consider the event load this will create. Plan a test phase where you turn it on and determine if it is valuable to you for further investigation.
If you need to monitor unmodified log data (versus the normalized data), consider the nDepth original log message store. Remember that this process requires additional disk space.
Also, consider whether you need both buildups and tear-downs, or just buildup messages. The tear-down NAT messages include the same information as the built messages, along with some duration and size information that may or may not be useful. Colleges and universities that use the built messages do not rely on the tear-down messages. They only need to know a connection was established for verification, analysis, and correlation.
Be sure to check your syslog data to determine and enable only those buildup or teardown events are of use.
Tracking Buildup Events
SEM is preconfigured to capture Cisco events 302003, 302009, and 603108.
You can configure SEM to capture Cisco firewall buildup events as well. The primary buildup event to use for TCP tracking is 302013. Other buildup events include 302015, 302017, 302020, 302303, 305009, 305011, and 609011. Check the description of these events in the Cisco System Log Messages Guide located on the Cisco website to ensure you need to capture these events.
Tracking tear-down Events
Out of the box, SEM captures Cisco event 603019.
You can also enable SEM to capture Cisco firewall tear-down NAT events. The teardown sibling to buildup even 302013 is 302014. Other events include 302016, 302018, 302021, 302304, 305010, 305012, 617100, and 609002. You can see description of these events in the Cisco System Log Messages Guide to make sure they are ones you want to capture.
Enabling SEM to track buildup and teardown events
- Ensure that your firewalls are sending log events to SEM, and that the appropriate SEM connector is monitoring your firewall data.
Access the firewalls that contain the buildup and tear-down messages you need to monitor and adjust the severity level of those events from 6 (the default) to 0.
For more information, see the Changing the Severity Level of a Syslog Message section in the Monitoring the Security Appliance page on the Cisco site.