On Nov 19, 2011, at 9:05 PM, Jonathan Lassoff <jof@thejof.com> wrote:

> Ah, this totally makes sense now. I can see why you'd want to use features that are already on your ASAs. Sounds like a bug to me, though.
>
> I wonder what Cisco calls syslog-tls though. Syslog-like packet bodies, over a TLS-wrapped TCP socket?
>
> Sorry to hear it's been so unreliable -- I guess that's why I'm biased towards just running generic PCs and open source software for this kind of stuff; when bugs happen, you're actually empowered to debug and fix problems.

Yep all of our other gear is Linux for that reason (plus Mac OS on the desktop so things "just work").

Cisco called the syslog-TLS stuff just "syslog" plus a "secure" parameter, and port 1470 by default. ASDM had a fairly helpful interface to get it configured. I think it requires the K9 image or whatever it's called to get the option.

> This does indeed sound like a good application for splunk. They have ways of defining custom logging formats that will parse out simple column and message types so that you can construct queries based on that information.
>
> There's some more information here in Splunk's docs on custom field extraction: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-ti...
>
> Cheers,
> jof

Sounds promising! Thanks again!

Sent from my iPad