Create a filter to prevent the ASP process from parsing logs that do not match.
The following example describes the steps to create a filter for this log:

Teardown TCP connection id for interface:real-address/real-port to interface:real-address/real-port duration hh:mm:ss bytes bytes

You would implement the filter after you disable the PIX_ASA Teardown IP protocol rule on a Cisco PIX/ASA/FWSM (ASP) data source. Modify the steps as needed so that they apply to the rules in your environment.
- Open the PIX_ASA Teardown IP protocol rule in the Policy Editor.
- Select the Parsing tab, then note the value in the Content string. For example, in this rule it is something like -302023.
- Create a filter with the following attributes:
  - Name: Arbitrary name of the filter
  - Content Strings: The value you noted down earlier, for example: -302023.
  - Action to take with this rule: Select Stop Processing Filter Rules. Or, if you want to send the skipped log to the ELM, select Send Log to ELM.
- Enable the filter on the data source, then save, and apply your changes.
After you configure this filter, any logs that contain the string -302023 will not be parsed, significantly improving the performance of the ASP process.
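Because the filter matches any log that contains the content string, it is worth checking a sample of raw logs for unintended matches before enabling it. The following Python script is an added example, not part of the product or the original article; the sample log lines and the function name `filter_impact` are constructed for illustration.

```python
import re

CONTENT_STRING = "-302023"  # value noted from the rule's Parsing tab in the steps above

# Cisco syslog tag, e.g. "%ASA-6-302013:" -> captures the six-digit message ID
ASA_TAG = re.compile(r"%(?:ASA|PIX|FWSM)-\d-(\d{6}):")

# Constructed sample lines (documentation address ranges, made-up connection IDs)
SAMPLE = [
    "%ASA-6-302023: Teardown TCP connection 1001 for outside:192.0.2.10/443 "
    "to inside:10.0.0.5/51000 duration 0:00:30 bytes 4096",
    "%ASA-6-302023: Teardown TCP connection 1002 for outside:192.0.2.11/80 "
    "to inside:10.0.0.6/51001 duration 0:01:02 bytes 512",
    "%ASA-6-302013: Built outbound TCP connection 1003 for outside:192.0.2.10/443 "
    "(192.0.2.10/443) to inside:10.0.0.5/51002 (10.0.0.5/51002)",
    # An ACL whose name happens to end in the same digits as the content string
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22 '
    'by access-group "outside-in-302023" [0x0, 0x0]',
]


def filter_impact(lines, content_string=CONTENT_STRING):
    """Return (matched, unintended).

    matched    - lines containing the content string, i.e. lines the filter would skip
    unintended - matched lines whose message ID is not the one the filter targets
    """
    wanted_id = content_string.lstrip("-")
    matched, unintended = [], []
    for line in lines:
        if content_string not in line:
            continue  # the filter would not touch this line
        matched.append(line)
        tag = ASA_TAG.search(line)
        if tag is None or tag.group(1) != wanted_id:
            unintended.append(line)
    return matched, unintended


if __name__ == "__main__":
    matched, unintended = filter_impact(SAMPLE)
    print(f"{len(matched)} of {len(SAMPLE)} lines would be skipped by the filter")
    for line in unintended:
        print("unintended match:", line)
```

If unintended matches appear, the Send Log to ELM action keeps the raw copies of those logs even though they are no longer parsed.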