Create a custom event list

Create a custom event list to control which syslog messages are sent to a logging destination. This allows you to filter messages based on event class, severity, and message identifier for more granular control.

An event list is a custom filter you can apply to a logging destination, allowing greater control over which messages are sent. Normally, you filter messages for a destination based solely on severity. Using an event list, you can fine-tune filters using event class, severity, and message ID.

Creating a custom event list is a two-step process. First, you create the custom list in Event Lists. Then, in Logging Destinations, you use the event list to define the logging filter for each type of destination.

Tip

If you are configuring devices to send syslog messages about security events (such as connection and intrusion events), most Firewall Threat Defense platform settings do not apply to these messages. See Firewall Threat Defense platform settings that apply to security event syslog messages.

Before you begin

Ensure you have access to the system where syslog event lists can be configured.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Select Syslog > Events List.

Step 3

Click Add to create a new list or click an existing list to edit.

  1. Enter a unique name for the event list in the Name field; avoid spaces.

  2. To set criteria that filter messages by severity or event class, select the Severity/Event Class tab and add or edit entries.

    For information on the available classes see Syslog message classes and associated message ID numbers.

    For information on the levels, see Syslog message severity levels.

    Certain event classes do not apply to devices in transparent mode. If you configure these options, the system does not use or deploy them.

  3. To identify messages specifically by message ID, select the Message ID tab and add or edit the IDs.

    You can enter a range of IDs using a hyphen, for example, 100000-200000. Each message ID you enter must contain six digits. For information on how the initial three digits map to features, see Syslog message classes and associated message ID numbers.

    For specific message numbers, see Cisco ASA Series Syslog Messages.

  4. Click OK to save the event list.

Step 4

Click Logging Destinations and add or edit the destination that should use the custom event list filter.

Step 5

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.


The system creates the custom event list and applies it to the logging destination you select.
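
An added example (not part of the Cisco documentation): a Python dry run that validates Message ID entries against the rules in Step 3 (six digits, optional hyphenated range) and reports which lines of a constructed log sample an event list would forward. The function names, the %FTD-<severity>-<message ID> line format, and the match semantics (a message passes if it meets any criterion; a severity criterion also admits more severe levels) are assumptions. Event class criteria are left out because the class-to-ID mapping is not on this page.

```python
import re

# Constructed sample lines; the message text is illustrative only.
SAMPLE_LOG = """\
Jan 10 12:00:01 ftd1 %FTD-6-302013: Built inbound TCP connection (constructed)
Jan 10 12:00:02 ftd1 %FTD-4-106023: Deny tcp src outside (constructed)
Jan 10 12:00:03 ftd1 %FTD-2-106001: Inbound TCP connection denied (constructed)
Jan 10 12:00:04 ftd1 %FTD-5-111008: User executed a command (constructed)
"""

TAG = re.compile(r"%(?:FTD|ASA)-([0-7])-(\d{6})\b")
ENTRY = re.compile(r"(\d+)(?:-(\d+))?")


def parse_id_entry(entry):
    """Validate one Message ID entry and return an inclusive (start, end) pair."""
    m = ENTRY.fullmatch(entry.strip())
    if not m:
        raise ValueError(f"not an ID or ID range: {entry!r}")
    start, end = m.group(1), m.group(2) or m.group(1)
    for part in (start, end):
        if len(part) != 6:
            raise ValueError(f"message ID must contain six digits: {part!r}")
    if int(start) > int(end):
        raise ValueError(f"range start is above range end: {entry!r}")
    return int(start), int(end)


def build_filter(id_entries=(), max_severity=None):
    """Return a predicate over (severity, message ID).
    Assumption: a message passes if it meets ANY criterion, and a severity
    criterion admits that level and every numerically lower (more severe) one.
    """
    ranges = [parse_id_entry(e) for e in id_entries]
    def matches(severity, msg_id):
        if max_severity is not None and severity <= max_severity:
            return True
        return any(lo <= msg_id <= hi for lo, hi in ranges)
    return matches


def dry_run(log_text, matches):
    """Return the message IDs of the sample lines the event list would forward."""
    hits = (TAG.search(line) for line in log_text.splitlines())
    return [m.group(2) for m in hits if m and matches(int(m.group(1)), int(m.group(2)))]


if __name__ == "__main__":
    print(dry_run(SAMPLE_LOG, build_filter(["106000-106999"], max_severity=3)))
```

Running the dry run against a capture from your own devices before you deploy shows whether a security-relevant message would be silently dropped by a range that is too narrow.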