I see that for the vpn dashboard to work it looks for tag=vpn. My question is, how can I make sure the logs has been parsed the way infosec is expecting? I can see the connected and disconnected ids from cisco asa are coming. So please, can you point me for the right direction if that is the case?
May 20 20:25:45 xxx.xxx.xxx.xxx May 20 2020 20:23:55: %ASA-4-113019: Group = Remoe, Username = test.vpn, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:10m:16s, Bytes xmt: 132850266, Bytes rcv: 60187568, Reason: User Requested
May 20 20:30:52 192.168.201.252 May 20 2020 20:29:02: %ASA-6-113039: Group <Remote> User <test.vpn> IP <xxx.xxx.xxx.xxx> AnyConnect parent session started.