Troubleshooting Cisco ASA FW Event Source
I do have some questions in order to better help you troubleshoot the issue.
- Are you using syslog collection?
- Are you sending the logs directly to a log decoder or through a VLC (remote collector)? (Check that the syslog capture in the VLC or LD config is up and running.)
- Can you check that you don't see any ASA logs in the UI? Example: device.ip=<ASA_IP> (if you are using a syslog relay, you should search with the IP of the relay instead of the source)
- Can you check that the logs are really arriving on the NetWitness appliance (whether it is an LD or VLC) using tcpdump? Example: SSH to the LD or VLC and execute this: tcpdump -A -i any host <ASA_IP>
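The tcpdump check and the device.ip question above go together: the sender IP tcpdump shows you is the one to search for in the UI. The script below is an added example, not code from the original post or from NetWitness; it wraps the same tcpdump command (with -nn and a packet cap so it stops on its own), counts the %ASA-<severity>-<id> messages it sees, and lists the distinct sender IPs so a relay stands out. It assumes tcpdump is present on the LD/VLC, that the ASA sends syslog over UDP 514, that you run it as root, and that ASA_IP is set to the firewall's IP; the script name asa_check.sh and the constructed sample capture are mine.

```shell
#!/bin/sh
# Added example, not from the original post: confirm on the LD/VLC that ASA syslog
# really arrives, and learn which sender IP to put in the device.ip query.
# Assumptions: tcpdump is on the appliance, the ASA sends syslog over UDP 514,
# the capture runs as root, and $ASA_IP is the firewall's IP.

# Capture a bounded number of packets from the ASA and print them as text
# (same flags as the thread, plus -nn so sender IPs are not resolved to names
# and -c so the command returns on its own).
capture_asa_syslog() {
    asa_ip=$1
    max_pkts=${2:-50}
    tcpdump -nn -A -i any -c "$max_pkts" host "$asa_ip" and udp port 514
}

# Number of ASA syslog messages (occurrences of %ASA-<sev>-<id>) on stdin.
count_asa_msgs() {
    grep -o '%ASA-[0-7]-[0-9][0-9]*' | wc -l | tr -d ' '
}

# Distinct source IPs of the captured datagrams, taken from tcpdump header lines
# (timestamp ... IP <src>.<port> > <dst>.<port>: ...). If this prints a relay's
# IP rather than the ASA itself, search the UI for device.ip=<relay IP>.
list_syslog_senders() {
    sed -n 's/^[0-9:.][0-9:.]* .*IP \([0-9][0-9.]*\)\.[0-9][0-9]* > .*/\1/p' | sort -u
}

# Message-ID histogram, most frequent first, e.g. "2 %ASA-6-302013".
summarize_asa_msgs() {
    grep -o '%ASA-[0-7]-[0-9][0-9]*' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample of what tcpdump -A prints: three datagrams from 10.0.0.5,
# each header line followed by the ASCII view of the packet (the syslog payload).
sample_capture() {
    cat <<'EOF'
14:00:01.100000 IP 10.0.0.5.514 > 10.0.0.10.514: SYSLOG local4.info, length: 150
E..<166>Jan 10 2024 14:00:01 asa-fw : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.20/51000 (10.1.1.20/51000)
14:00:01.200000 IP 10.0.0.5.514 > 10.0.0.10.514: SYSLOG local4.warning, length: 130
E..<164>Jan 10 2024 14:00:01 asa-fw : %ASA-4-106023: Deny tcp src outside:198.51.100.7/5555 dst inside:10.1.1.30/22 by access-group "outside_in"
14:00:01.300000 IP 10.0.0.5.514 > 10.0.0.10.514: SYSLOG local4.info, length: 150
E..<166>Jan 10 2024 14:00:01 asa-fw : %ASA-6-302013: Built outbound TCP connection 12346 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.21/51001 (10.1.1.21/51001)
EOF
}

# Report over captured text on stdin; returns 1 when nothing from the ASA was seen,
# which points at the ASA logging config or the network path, not at NetWitness parsing.
report() {
    capture=$(cat)
    n=$(printf '%s\n' "$capture" | count_asa_msgs)
    if [ "$n" -eq 0 ]; then
        echo "no ASA syslog seen: check the ASA logging config and the path to this appliance" >&2
        return 1
    fi
    echo "ASA messages: $n"
    echo "senders (use in device.ip=...):"
    printf '%s\n' "$capture" | list_syslog_senders
    echo "top message IDs:"
    printf '%s\n' "$capture" | summarize_asa_msgs
}

# Live run on the appliance:  ASA_IP=192.0.2.1 sh asa_check.sh
# Without ASA_IP set, the constructed sample is analysed instead.
if [ -n "${ASA_IP:-}" ]; then
    capture_asa_syslog "$ASA_IP" | report
else
    sample_capture | report
fi
```

If the report shows messages but the UI query for that sender IP still returns nothing, the traffic is reaching the box and the problem is on the collection side (syslog capture not running, or the wrong port), whereas zero packets means the ASA is not sending to this appliance at all.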