My IPS tells me a private-address (10.1.x.x) host in my network is the source of a virus detected at the IPS outside my ASA 5510 firewall. But all the IPS sees is the ASA's public address as source of the packet, and the destination IP. If I try to log all Informational events to Syslog the ASA warns me it may run out of memory and hang. So I'm trying to identify a particular event or events I can log and look back at after being notified by the PIS, that will hold clues to which private host is resonsible. There are several Build and Teardown connection events. IPS support tells me the IPS drops the packets. Will those dropped packets generate any particular event that I can log? Any other suggestions about how to identify the culprit?