Create a Custom Event List

An event list is a custom filter you can apply to a logging destination to control which messages are sent to the destination. Normally, you filter messages for a destination based on severity only, but you can use an event list to fine-tune which messages are sent based on a combination of event class, severity, and message identifier (ID).

Creating a custom event list is a two-step process. You first create the custom list in Event Lists, and then use that event list in Logging Destinations to define the logging filter for each type of destination.

Tip

If you are configuring devices to send syslog messages about security events (such as connection and intrusion events), most threat defense platform settings do not apply to these messages. See Threat Defense Platform Settings That Apply to Security Event Syslog Messages.

Procedure


Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Select Syslog > Events List.

Step 3

Configure an event list.

  1. Click Add to add a new list, or edit an existing list.

  2. Enter a name for the event list in the Name field. Spaces are not allowed.

  3. To identify messages based on severity or event class, select the Severity/Event Class tab and add or edit entries.

    For information on the available classes see Syslog Message Classes.

    For information on the levels, see Severity Levels.

    Certain event classes are not applicable to a device in transparent mode. If you configure such options, they are bypassed and not deployed.

  4. To identify messages specifically by message ID, select the Message ID tab and add or edit the IDs.

    You can enter a range of IDs using a hyphen, for example, 100000-200000. IDs are six digits. For information on how the initial three digits map to features, see Syslog Message Classes.

    For specific message numbers, see Cisco ASA Series Syslog Messages.

  5. Click OK to save the event list.

Step 4

Click Logging Destinations and add or edit the destination that should use the filter.

Step 5

Click Save.

You can now go to Deploy > Deployment and deploy the policy to assigned devices. The changes are not active until you deploy them.
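
Before deploying, it can help to check offline which messages an event list would select. The following Python code is an added example, not Cisco code: it validates the name and message ID rules from Step 3 and applies an event list to sample syslog lines. The class-to-prefix map and the log lines are constructed, and the code assumes that a message is selected when any entry matches and that a severity entry covers that level and all more severe (lower-numbered) levels.

```python
import re

MSG_RE = re.compile(r"%(?:FTD|ASA)-([0-7])-(\d{6}):")   # %FTD-<severity>-<message ID>:
ID_RE = re.compile(r"^(\d{6})(?:-(\d{6}))?$")            # 302013 or 100000-200000

def parse_id_entry(entry):
    """Parse a single ID or a hyphenated range into an inclusive (start, end) pair."""
    m = ID_RE.match(entry.strip())
    if not m:
        raise ValueError(f"message IDs must be six digits: {entry!r}")
    start, end = int(m.group(1)), int(m.group(2) or m.group(1))
    if start > end:
        raise ValueError(f"range start exceeds range end: {entry!r}")
    return start, end

class EventList:
    def __init__(self, name, class_rules=(), id_entries=(), class_prefixes=None):
        if not name or any(c.isspace() for c in name):
            raise ValueError("event list name must not contain spaces")
        self.name = name
        self.class_rules = list(class_rules)          # [(class name, severity number)]
        self.id_ranges = [parse_id_entry(e) for e in id_entries]
        self.class_prefixes = class_prefixes or {}    # class name -> 3-digit ID prefixes

    def matches(self, line):
        """True if the syslog line is selected by any entry (assumed OR semantics)."""
        m = MSG_RE.search(line)
        if not m:
            return False
        severity, msg_id = int(m.group(1)), m.group(2)
        if any(lo <= int(msg_id) <= hi for lo, hi in self.id_ranges):
            return True
        # Assumption: a severity entry also covers more severe (lower) numbers.
        return any(msg_id[:3] in self.class_prefixes.get(cls, ()) and severity <= level
                   for cls, level in self.class_rules)

# Constructed sample data; take real prefixes from Syslog Message Classes.
SAMPLE_PREFIXES = {"auth": {"109", "113"}}
SAMPLE_LINES = [
    "%FTD-6-113004: AAA user authentication Successful (constructed)",
    "%FTD-4-106023: Deny tcp src outside dst inside (constructed)",
    "%FTD-6-302013: Built outbound TCP connection (constructed)",
    "%FTD-7-609001: Built local-host (constructed)",
]

def selected(event_list, lines):
    """Return the lines the event list would pass to a logging destination."""
    return [line for line in lines if event_list.matches(line)]
```

For example, `selected(EventList("sec_events", [("auth", 6)], ["106023", "302000-302999"], SAMPLE_PREFIXES), SAMPLE_LINES)` returns the first three sample lines and drops the severity 7 message.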