Hi there!
I see that for the VPN dashboard to work it looks for tag=vpn. My question is, how can I make sure the logs have been parsed the way InfoSec is expecting? I can see the connected and disconnected IDs from Cisco ASA are coming in. So please, can you point me in the right direction if that is the case?
Disconnected logs:
May 20 20:25:45 xxx.xxx.xxx.xxx May 20 2020 20:23:55: %ASA-4-113019: Group = Remoe, Username = test.vpn, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:10m:16s, Bytes xmt: 132850266, Bytes rcv: 60187568, Reason: User Requested
Connected logs:
May 20 20:30:52 192.168.201.252 May 20 2020 20:29:02: %ASA-6-113039: Group <Remote> User <test.vpn> IP <xxx.xxx.xxx.xxx> AnyConnect parent session started.
How is the vpn tag parsed?
Thanks in advance.
After normalizing to the CIM, I still think I'm not obtaining the right number of connected VPN users.
I'm using the following eventtype, but checking against Zabbix, the numbers don't match:
CIM_VPN_TAGS sourcetype="cisco:*" (message_id=722022 OR message_id=722023) tag vpn
I can't figure out how to make sure I obtain the real-time connected users.
Hi @wbueno2, for the VPN dashboard in InfoSec app to light up, you will need the following:
Tags: network, session, vpn
Fields: user, src_ip, action
Data model: Network Sessions (accelerated)
If you are new to Common Information Model, this is a good start: https://youtu.be/QTklD7OiN74
The video takes you through steps for creating tags and field aliases.
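As an added example (not from this thread, the Cisco add-on or the InfoSec app), the following script pulls the user, src_ip and action fields out of the two ASA lines quoted in the question and checks which users are still connected, so you can verify your own extractions before putting the same regexes into props.conf. The mapping of message IDs 113039/113019 to the action values "started"/"ended" is an assumption; check it against the Network Sessions data model in your CIM version.

```python
import re

# The two syslog lines quoted in the question above, in time order
# (the disconnect at 20:23:55 precedes the connect at 20:29:02).
SAMPLE_EVENTS = [
    "May 20 20:25:45 xxx.xxx.xxx.xxx May 20 2020 20:23:55: %ASA-4-113019: Group = Remoe, "
    "Username = test.vpn, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: "
    "AnyConnect-Parent, Duration: 0h:10m:16s, Bytes xmt: 132850266, Bytes rcv: 60187568, "
    "Reason: User Requested",
    "May 20 20:30:52 192.168.201.252 May 20 2020 20:29:02: %ASA-6-113039: Group <Remote> "
    "User <test.vpn> IP <xxx.xxx.xxx.xxx> AnyConnect parent session started.",
]

# Assumed message-id -> CIM action mapping ("started"/"ended" as in the
# Network Sessions Session_Start / Session_End datasets); verify for your CIM version.
ACTION_BY_MSG_ID = {"113039": "started", "113019": "ended"}

MSG_ID_RE = re.compile(r"%ASA-\d-(?P<message_id>\d{6}):")
# 113039 style: Group <Remote> User <test.vpn> IP <1.2.3.4>
ANGLE_RE = re.compile(r"User <(?P<user>[^>]+)> IP <(?P<src_ip>[^>]+)>")
# 113019 style: Username = test.vpn, IP = 1.2.3.4,
KV_RE = re.compile(r"Username = (?P<user>[^,]+), IP = (?P<src_ip>[^,]+),")
DURATION_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")

def normalize(event):
    """Return the CIM fields the dashboard needs (user, src_ip, action), or None
    when the event is not one of the two session start/end messages."""
    mid = MSG_ID_RE.search(event)
    if not mid or mid.group("message_id") not in ACTION_BY_MSG_ID:
        return None
    message_id = mid.group("message_id")
    m = ANGLE_RE.search(event) or KV_RE.search(event)
    if not m:
        return None
    fields = {
        "message_id": message_id,
        "user": m.group("user").strip(),
        "src_ip": m.group("src_ip").strip(),
        "action": ACTION_BY_MSG_ID[message_id],
        "tag": ["network", "session", "vpn"],
    }
    d = DURATION_RE.search(event)
    if d:  # only present on the disconnect message; seconds, as CIM expects
        fields["duration"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
    return fields

def currently_connected(events):
    """Walk events in time order; a user counts as connected if the last
    session event seen for that user is a start."""
    last_action = {}
    for ev in events:
        f = normalize(ev)
        if f:
            last_action[f["user"]] = f["action"]
    return sorted(u for u, a in last_action.items() if a == "started")
```

Counting users whose latest event is a start, rather than counting start events, is what makes the number comparable with a live source such as Zabbix.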