---
id: cisco-app
title: Cisco Logs Extraction Template
description: Parse the common fields in your Cisco ASA Logs using the FER template.
slug: /help/docs/manage/field-extractions/fer-templates/cisco-app/
canonical: https://www.sumologic.com/help/docs/manage/field-extractions/fer-templates/cisco-app/
---

**Log Type**: Cisco ASA

**Template Description:** Parsing the common fields in your Cisco ASA log.

**Sample Log:**

```
Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for outside:44.44.4.4/500 to inside:44.44.2.2/500 duration 0:02:02 bytes 1416
```

**Parsing Rule:**

```sumo
extract "%[A-Z]{3}-(?\d)-(?\d{6}):(?.+)$" nodrop
| extract " duration (?[\d:]+) bytes (?\d+)" nodrop
| extract "(?\d+ in use, \d+ most used)" nodrop
| extract "%[A-Z]{3}-\d-\d{6}:.+? for (?\S+):(?[\S ]+)\/(?\d+) .*?to (?\S+):(?\S+)\/(?\d+)" nodrop
| extract "(?Built .+?) (?:for |from )" nodrop
| extract "Built \w+ (?\w+) (?:translation|connection) " nodrop
| extract " from (?\S+):(?[\S ]+) to (?\S+):(?\S+)(?:\s|$)" nodrop
| extract " from (?\S+):(?[\S ]+)/(?\d+) to (?\S+):(?\S+)/(?\d+)" nodrop
| extract "(?access-list) (?.+?) (?\w+) (?\w+) (?\S+)/(?[\S ]+)\((?\d+)\) -[>]{0,1} (?\S+)/(?\S+)\((?\d+)\) hit-cnt (?\d+) (?.+?)(?: \[|$)" nodrop
| extract "(?access-list) (?.+?) (?\w+) (?\w+) (?\S+)/(?[\S ]+)\((?\d+)\) -[>]{0,1} (?\S+)/(?\S+)\((?\d+)\) hit-cnt (?\d+) \((?.+?)\)" nodrop
| extract "(?Deny .+?) from (?[\S ]+) to (?\S+) on interface (?\S+)(?:\s|$)" nodrop
| extract "(?Deny .+?) src (?\S+):(?[\S ]+) dst (?\S+):(?\S+)(?:\s|$)" nodrop
| extract "Deny (?\w+) (?:reverse path|connection spoof|src )" nodrop
| extract "(?Deny inbound \(No xlate\))" nodrop
| extract "(?Deny inbound \(No xlate\)) (?\w+) src (?\S+):(?[\S ]+) dst (?\S+):(?\S+)(?:\s|$)" nodrop
| extract "(?Deny inbound \(No xlate\)) (?\w+) src (?\S+):(?[\S ]+)\/(?\d+) dst (?\S+):(?\S+)\/(?\d+)" nodrop
| extract " (?\w+) (?Connection denied by outbound list) (?.+?) src (?[\S ]+) dest (?\S+)(?:\s|$)" nodrop
| extract "(?Deny inbound) (?\w+) from (?[\S ]+)/(?\d+) to (?\S+)/(?\d+)" nodrop
| extract "(?Deny inbound) (?\w+) from (?[\S ]+)/(?\d+) to (?\S+)/(?\d+) on interface (?\S+)(?:\s|$)" nodrop
| extract "(?Deny inbound) (?\w+) src (?\S+):(?[\S ]+)/(?\d+) dst (?\S+):(?\S+)/(?\d+)" nodrop
| extract "(?Deny IP) from (?[\S ]+) to (?\S+)(?:,|\s|$)" nodrop
| extract "(?Dropping echo request) from (?[\S ]+) to PAT address" nodrop
| extract "(?Deny inbound icmp) src (?\S+):(?[\S ]+) dst (?\S+):(?\S+)(?:\s|$)" nodrop
| extract "(?Deny TCP \(no connection\)) from (?[\S ]+)/(?\d+) to (?\S+)/(?\d+) flags (?.+?) on interface (?\S+)(?:\s|$)" nodrop
| extract "(?Deny IP spoof) from \((?[\S ]+)\) to (?\S+) on interface (?\S+)(?:\s|$)" nodrop
| extract "(?Deny IP due to Land Attack) from (?[\S ]+) to (?\S+)(?:\s|$)" nodrop
| extract "(?ICMP packet type .+? denied by outbound list) (?.+?) src (?[\S ]+) dest (?\S+)(?:\s|$)" nodrop
| extract "(?Deny IP teardrop fragment .+?) from (?[\S ]+) to (?\S+)(?:\s|$)" nodrop
| extract "(?Teardown) (?TCP|UDP) connection \d+ for " nodrop
| extract "%[A-Z]{3}-\d-\d{6}: (?[\S ]+) (?Accessed URL) (?[\d\.]+):(?.+)$" nodrop
| extract "%[A-Z]{3}-\d-\d{6}: (?.+?)@(?[\S ]+) (?Accessed URL) (?\S+):(?.+)$" nodrop
| extract "(?\w+ local-host) (?\S+):(?[\S ]+)$" nodrop
| extract "(?\w+ local-host) (?\S+):(?[\S ]+) duration (?.+)$" nodrop
| extract "%[A-Z]{3}-(?\d)-(?\d{6})[:]{0,1} IPS:(?\d+) (?.+?) from (?[\S ]+) to (?\S+) on interface (?\S+)(?:\s|$)" nodrop
```
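
To see what the chained `nodrop` extractions yield, the following added example (a Python sketch, not part of the Sumo Logic template) applies five of the rule's patterns to the sample log and to one constructed `Deny IP spoof` line. All capture-group names (`severity`, `msg_id`, `src_if`, and so on) are assumptions chosen for illustration, and a later matching pattern overwriting an earlier field is a property of this sketch only.

```python
import re

# The page's sample log, plus one constructed "Deny IP spoof" line (documentation IPs).
SAMPLE = ("Tue Aug 15 23:30:09 %ASA-6-302016: Teardown UDP connection 40 for "
          "outside:44.44.4.4/500 to inside:44.44.2.2/500 duration 0:02:02 bytes 1416")
SPOOF = ("Tue Aug 15 23:31:00 %ASA-2-106016: Deny IP spoof from (192.0.2.10) "
         "to 198.51.100.7 on interface outside")

# Five patterns from the parsing rule. Every (?P<name>...) name is an assumption.
RULES = [re.compile(p) for p in (
    r"%[A-Z]{3}-(?P<severity>\d)-(?P<msg_id>\d{6}):(?P<msg>.+)$",
    r" duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)",
    r"%[A-Z]{3}-\d-\d{6}:.+? for (?P<src_if>\S+):(?P<src_host>[\S ]+)/(?P<src_port>\d+) "
    r".*?to (?P<dst_if>\S+):(?P<dst_host>\S+)/(?P<dst_port>\d+)",
    r"(?P<action>Teardown) (?P<protocol>TCP|UDP) connection \d+ for ",
    r"(?P<action>Deny IP spoof) from \((?P<src_host>[\S ]+)\) to (?P<dst_host>\S+) "
    r"on interface (?P<iface>\S+)(?:\s|$)",
)]


def extract_fields(line):
    """Apply each pattern in order; a miss keeps the record, as `nodrop` does."""
    fields = {}
    for rule in RULES:
        match = rule.search(line)  # unanchored, like a regex extract
        if match:
            fields.update(match.groupdict())
    return fields


if __name__ == "__main__":
    for line in (SAMPLE, SPOOF):
        print(extract_fields(line))
```

The `[\S ]+` host groups accept spaces, so each match is settled by backtracking to a delimiter (`/` or `)`) that lets the rest of the pattern succeed; running the patterns against representative lines from your own devices before deploying the rule shows where that matters.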