Hi,
Can anyone please answer whether it is possible to process the ASA Built and Teardown messages of a single connection as a single event?
ASA generates a Built message when a TCP/UDP connection is established over the firewall and a Teardown message when the connection is closed. Unfortunately some data are missing in each type of message.
(e.g. direction is just in Built, or duration is just in Teardown).
What I want to do is process both messages for each connection as a single merged "connection" event, so that I can make a select or a graph using "connection" events instead of single Built or Teardown events.
Thanks in advance.
Roman
You can use a transaction command to do this if there is a matching and unique element in both events. For this specific data type you need a transaction ID; addresses and ports won't be unique enough (unless maybe you evaluate them into a single field?)
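As an added illustration (not from this thread or from Splunk) of what the transaction-style pairing in the answer above has to do, here is a Python sketch that merges Built and Teardown lines on the connection id, treating the id as unique only while the connection is open. The message layout is modelled on ASA message ids 302013/302014, and the sample lines, addresses, ids and byte counts are constructed.

```python
import re

# Constructed sample events modelled on ASA 302013 (Built) / 302014 (Teardown);
# all values are made up. Connection id 1001 is reused after its first Teardown.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "%ASA-6-302013: Built inbound UDP connection 1002 for outside:203.0.113.9/53 (203.0.113.9/53) to inside:10.0.0.8/40000 (10.0.0.8/40000)",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/443 to inside:10.0.0.5/51234 duration 0:00:12 bytes 5120 TCP FINs",
    "%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.6/51300 (10.0.0.6/51300)",
    "%ASA-6-302014: Teardown UDP connection 1002 for outside:203.0.113.9/53 to inside:10.0.0.8/40000 duration 0:00:01 bytes 140",
]

BUILT = re.compile(r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection "
                   r"(?P<conn_id>\d+) for (?P<src>\S+) \(\S+\) to (?P<dst>\S+) \(\S+\)")
TEARDOWN = re.compile(r"Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
                      r"(?P<src>\S+) to (?P<dst>\S+) duration (?P<duration>\S+) bytes (?P<bytes>\d+)")

def parse_duration(text):
    """Convert an ASA duration field (H:MM:SS) to whole seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds

def merge_connections(lines):
    """Pair each Built with the next Teardown of the same protocol and connection id,
    as a transaction keyed on that id would. The id is unique only while the
    connection is open, so a reused id must never match an already closed Built."""
    open_conns = {}   # (proto, conn_id) -> fields taken from the Built event
    merged = []
    for line in lines:
        built = BUILT.search(line)
        if built:
            key = (built["proto"], built["conn_id"])
            # A second Built for an id that is still open means its Teardown was missed.
            if key in open_conns:
                merged.append({**open_conns.pop(key), "complete": False})
            open_conns[key] = {"conn_id": built["conn_id"], "proto": built["proto"],
                               "direction": built["direction"], "src": built["src"], "dst": built["dst"]}
            continue
        down = TEARDOWN.search(line)
        if down:
            key = (down["proto"], down["conn_id"])
            # A Teardown with no open Built (connection predates the data) stays incomplete.
            event = open_conns.pop(key, {"conn_id": down["conn_id"], "proto": down["proto"],
                                         "direction": None, "src": down["src"], "dst": down["dst"]})
            event.update(duration=parse_duration(down["duration"]), bytes=int(down["bytes"]),
                         complete=event["direction"] is not None)
            merged.append(event)
    # Connections still open at the end of the input have no Teardown yet.
    merged.extend({**event, "complete": False} for event in open_conns.values())
    return merged
```

Each merged record carries the direction from Built and the duration and byte count from Teardown, which is the "connection" event the question asks for; records flagged incomplete are the ones a transaction would leave unclosed.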
Transaction command works very well.
Thanks for the hint.
I'm pretty sure you can use transaction for that. Can you post a Built and Teardown event for a connection?