All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cannot get VPN access dashboard to work

wbueno2
Explorer
‎05-20-2020 04:35 PM

Hi there!

I see that for the vpn dashboard to work it looks for tag=vpn. My question is, how can I make sure the logs has been parsed the way infosec is expecting? I can see the connected and disconnected ids from cisco asa are coming. So please, can you point me for the right direction if that is the case?

Disconnected logs:

May 20 20:25:45 xxx.xxx.xxx.xxx May 20 2020 20:23:55: %ASA-4-113019: Group = Remoe, Username = test.vpn, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:10m:16s, Bytes xmt: 132850266, Bytes rcv: 60187568, Reason: User Requested

Connected logs:

May 20 20:30:52 192.168.201.252 May 20 2020 20:29:02: %ASA-6-113039: Group <Remote> User <test.vpn> IP <xxx.xxx.xxx.xxx> AnyConnect parent session started.

How´s parsed the vpn tag?

Thanks in advance.

Reply

wbueno2
Explorer
‎05-21-2020 04:21 PM

After normalizing the CIM, still think that I´m not obtaining the right numbers of connected VPN user.

I´m using the the follow eventtype but looking against zabbix, the number don´t match:

CIM_VPN_TAGS sourcetype="cisco:*" (message_id=722022 OR message_id=722023) tag vpn

I can´t figure out how to make sure to obtain the real time connected users.

0 Karma
Reply

igifrin_splunk
Splunk Employee
Splunk Employee
‎05-20-2020 05:23 PM

Hi @wbueno2, for the VPN dashboard in InfoSec app to light up, you will need the following:

  • VPN events tagged with these tags: network, session, vpn
  • Fields/aliases present: user, src_ip, action
  • Data Model Network Sessions accelerated

If you are new to Common Information Model, this is a good start: https://youtu.be/QTklD7OiN74

The video takes you through steps for creating tags and field aliases.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...