Submit a ticketCall us

Training ClassThe Orion® Platform Instructor-led Classes

Provided by SolarWinds® Academy, these trainings will introduce users to the Orion Platform and its features, management, and navigation. These courses are suitable for users looking to discover new tips, tricks, and ways to adapt their Orion products to better suit their monitoring needs:
Deploying the Orion Platform
Configuring Orion views, maps, and accounts
Configuring Orion alerts and reports

Reserve your seat.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Cisco ASA - Session/NAT build-ups and teardowns

Cisco ASA - Session/NAT build-ups and teardowns

Table of contents

Updated February 10th, 2016


With regards to the buildup NAT events from the ASA, we've actually recently developed a mechanism where customers can "opt in" to receiving these events in their normalized alert stream by reassigning their severity level to one we'll look for and normalize.


  • LEM


There are a few things to consider:
  1. If it's "accepted traffic" that you're interested in monitoring, consider using the "log" target in your accept ACLs instead of the buildup logging. This lets you control what accepted traffic you're made aware of.
  2. If it's the information about the actual NAT (as posted above) that you're interested in monitoring, consider the event load this will create. You might want to plan a "test phase" where you turn it on, determine if it's valuable to you for investigating (try some test scenarios), and then turn it off if you determine it's more noise than it's worth. Some people do find value in it, some people choose to turn it back off because of the noise.
  3. You can always consider the nDepth original log message store, as described above, if you're interested in unmodified log data (vs. the normalized data). For some people, this is a better solution, but it does consume disk space.
  4. Consider whether you need both buildups and teardowns, or just buildup messages. The teardown NAT messages include the same info as the built messages, along with some duration and size info that may or may not be useful. A lot of colleges & universities that are using the built messages do not rely on the teardown messages, they only need to know a connection was established for verification/analysis/correlation.
  5. Look at your own syslog data to determine which buildup and/or teardown events are of interest and use to you. There's a big list, but if it's really only one or two you care about, you can just enable those instead of everything.
To enable the buildup NAT events to be caught by the latest LEM connector, you'll need to adjust the severity level of those events to "0" from "6" (the default). For info about changing the severity level of an ASA message, check out this Cisco command reference link (© 2017 Cisco, available at, obtained on February 24th, 2017.).  The primary "built" event you'll be interested in for TCP tracking is 302013. Others include 302015, 302017, 302020, 302303, 305009, 305011, and 609011, but you'll want to check the descriptions in the Cisco System Log Messages Guide (© 2017 Cisco, available at, obtained on February 24th, 2017.) (will take a bit to load) to make sure those are of interest to you. LEM out of the box will capture 302003, 302009, and 603108 as we've determined these are low-noise high-relevance.



Last modified