topic Cisco Security Suite & VPN Statistics in Security

Cisco Security Suite & VPN Statistics

cellison — Mon, 09 Dec 2013 15:30:29 GMT

I have data coming in via UDP port #514 and I changed the REGEX to "%ASA-\d+-\d+" and I now have data coming in to the Cisco Security Suite.

I use the following search to obtain data for VPN: "process="%ASA-5-722033" sourcetype=syslog"

This will give me a list of TCP and UDP connections along with the VPN user etc. However, what I really need is to be able to see the total RX & TX for the time period I specify for each user.

Can anyone help with this? Is there a way to get the output to be in a graphical representation?

Thank you all very much.

Re: Cisco Security Suite & VPN Statistics

cellison — Mon, 09 Dec 2013 15:38:55 GMT

Sorry for the wrong title. It should be "Cisco Security Suite & VPN Statistics." I have tried updating the title, but can not get past any of the reCaptch security phrases. Bug perhaps?

Re: Cisco Security Suite & VPN Statistics

cellison — Mon, 09 Dec 2013 16:44:49 GMT

I think I may have figured out a way to get the info I was searching for. However, I'd like some feedback to see if I am interpreting the data correctly.

I put together this search: source="udp:514" sourcetype="syslog" index="main" "username" "DefaultWEBVPNGroup"

Then I specify a date parameter and it looks like I get what I need. It appears that I get the initial VPN session connection and then I also get the disconnect if it is in the same time period I searched for. In that disconnect event, it has "Bytes xmt & Bytes rcv."

Am I correct in my intrepretation that this was the total data transmitted and received for that VPN session?

Here is a sample output:

Dec 8 16:50:46 10.110.255.1 Dec 08 2013 16:52:03 ASA : %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = ********, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 0h:14m:47s, Bytes xmt: 1651278, Bytes rcv: 289109, Reason: User Requested

Thanks for any input.

Re: Cisco Security Suite & VPN Statistics

halr9000 — Mon, 09 Dec 2013 16:48:35 GMT

Your interpretation certainly makes sense. Maybe there's some doc from Cisco that would shed some real light.

Re: Cisco Security Suite & VPN Statistics

cellison — Mon, 09 Dec 2013 17:01:39 GMT

Thanks for changing the title. No matter what captcha I tried when doing an update, it would not pass. However, I could comment just fine and the captcha would work.

Do you perhaps know of a way to get this data in a chart form showing the TX and RX?