Syslog RFC 5424 specifies that the header of a syslog message should carry either the IP address or the host name of the message's origin. However, for some models of Cisco ASA firewalls, the default is to fill that header position with a label that Cisco refers to as a context name. This name has the following form:
%ASA-<numeric syslog severity level>-<message/event type id>
Example of an entire syslog message:
Oct 11 2017 14:19:54: %ASA-6-302014: Teardown TCP connection 2001052447 for outside:188.8.131.52/443 to inside:10.4.171.32/54297 duration
This setting is problematic for Alert Logic® Log Manager™ because, for remote syslog sources, Log Manager is designed to extract the source host name or IP address from the message header and use it as the log source name. When the context name is used, Log Manager registers many sources for a single ASA firewall, since every distinct combination of severity level and message ID looks like a different source.
There is a command in Cisco IOS that can be used to configure the syslog output to use a host name or IP address instead of the context name. The command is "logging device-id", as shown below:
logging device-id [context-name | hostname | ipaddress]
hostname(config)# logging device-id hostname
This command should be run before sending logs from the device to Log Manager to prevent many spurious log sources from being created.
This issue seems to only apply to remote ASA sources that are being collected by a remote collector. The virtual appliance seems to use the packet/datagram source IP rather than the non-canonical host name/IP in the message header.
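The following script is an added illustration, not Alert Logic's or Cisco's code, of why the default header causes the problem described above. It mimics a collector that takes the token after the timestamp as the log source name, runs it over a few constructed ASA messages (the header layout after "logging device-id" is applied, and the host name asa-fw01 and address 10.0.0.1, are assumptions for this example), and flags any registered source whose name is really a context name, which is a quick way to spot firewalls that still need the command applied.

```python
import re
from collections import Counter

# Constructed sample messages (not taken from the article). The first three use the
# ASA default, where the context name %ASA-<severity>-<message id> occupies the header
# position a collector reads as the source. The last two assume the layout ASA emits
# after "logging device-id hostname" (host name asa-fw01) or
# "logging device-id ipaddress <interface>" (address 10.0.0.1); both values are made up.
SAMPLE_MESSAGES = [
    "Oct 11 2017 14:19:54: %ASA-6-302014: Teardown TCP connection 2001052447 for outside:188.8.131.52/443 to inside:10.4.171.32/54297 duration 0:00:01 bytes 1234 TCP FINs",
    "Oct 11 2017 14:19:55: %ASA-6-302013: Built inbound TCP connection 2001052448 for outside:188.8.131.52/443 (188.8.131.52/443) to inside:10.4.171.32/54298 (10.4.171.32/54298)",
    "Oct 11 2017 14:19:56: %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.4.171.33/22 by access-group \"outside_in\"",
    "Oct 11 2017 14:20:01 asa-fw01 : %ASA-6-302014: Teardown TCP connection 2001052449 for outside:188.8.131.52/443 to inside:10.4.171.32/54299 duration 0:00:02 bytes 2048 TCP FINs",
    "Oct 11 2017 14:20:02 10.0.0.1 : %ASA-6-302013: Built inbound TCP connection 2001052450 for outside:188.8.131.52/443 (188.8.131.52/443) to inside:10.4.171.32/54300 (10.4.171.32/54300)",
]

# Header as a naive host-name-based collector sees it: optional PRI, ASA timestamp,
# then the first non-blank token, which it treats as the origin of the message.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}):?\s+"
    r"(?P<src>\S+)"
)

# Shape of an ASA context name: %ASA-<severity 0-7>-<six-digit message id>
CONTEXT_NAME_RE = re.compile(r"%ASA-[0-7]-\d{6}")


def extract_source(message: str) -> str:
    """Return the header token a host-name-based collector would register as the source."""
    m = HEADER_RE.match(message)
    if not m:
        raise ValueError(f"not an ASA syslog line: {message!r}")
    # In the default layout the token carries the trailing colon of the context name.
    return m.group("src").rstrip(":")


def is_context_name(source: str) -> bool:
    """True when the extracted source is a context name rather than a host name or IP."""
    return CONTEXT_NAME_RE.fullmatch(source) is not None


def register_sources(messages):
    """Count messages per log source, as a collector keyed on the header field would."""
    return Counter(extract_source(msg) for msg in messages)


def spurious_sources(messages):
    """Sources registered per (severity, message id) instead of per firewall."""
    return sorted(src for src in register_sources(messages) if is_context_name(src))


if __name__ == "__main__":
    for src, n in register_sources(SAMPLE_MESSAGES).items():
        label = "context name -> spurious source" if is_context_name(src) else "host name / IP"
        print(f"{src:<16} {n} message(s)  [{label}]")
    print("sources to fix with 'logging device-id':", spurious_sources(SAMPLE_MESSAGES))
```

Run over the five constructed lines, the collector ends up with five "sources" although only one firewall is meant to be represented by the first three, and the spurious list names exactly the three context names; once the device emits a host name or IP in that position, the same parser keys on the firewall itself.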