I am new to Splunk and I am trying to collect AnyConnect VPN login history for my Cisco ASA 5515x. I am already getting syslog from the firewall (debugging level) and can search on syslog id 722055 to see the individual logins. I have been collecting syslog for about a week, so I was wondering if anyone else has tried this and maybe could offer some tips. Search examples, other syslog ids, etc.?
722055 is indeed the event that shows the client type information, for example:
2020-05-04T10:50:13+02:00 10.66.65.70 :May 04 08:49:01 UTC: %ASA-svc-6-722055: Group <xxx> User <xxx> IP <xxx.xxx.xxx.xxx> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042
But if you want to have some login stats for the VPN connections from your company, you can also use message_id 722051, which is the moment when the user gets the internal IP (meaning the moment it is really connected through the VPN concentrator), and also message_id 113019, which is the moment when the connection is terminated, with the duration time, etc.
Also, if you have enabled full syslog logging on your device, you also have message_id 113004, which means that the user has successfully authenticated:
2020-05-04T10:56:57+02:00 10.66.65.70 :May 04 08:55:45 UTC: %ASA-auth-6-113004: AAA user authentication Successful : server = xxx.xxx.xxx.xxx : user = xxx
With those types of message_id you can identify connections but also VPN sessions with good custom searches.
All those events are well extracted by the Cisco ASA TA (https://splunkbase.splunk.com/app/1620/).
The Cisco website has all the syslog message_id definitions here: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
And we have identified the message_ids that are relevant for VPN:
Definitely, user is the key for those VPN logs.
In the case of Cisco related devices I have made a query like this (it's embedded in a dashboard...):
index=myciscoindex user=$field2$ (Cisco_ASA_message_id=722051 OR Cisco_ASA_message_id=113019) NOT "AnyConnect-Parent"
| transaction user endswith="Duration:" keepevicted=true
| eval full_duration = duration_hour."h".duration_minute."m".duration_second."s"
| eval bytesMB=round(((bytes/1024)/1024),2), bytes_inMB=round(((bytes_in/1024)/1024),2), bytes_outMB=round(((bytes_out/1024)/1024),2)
| eval Start_time=strftime(_time,"%Y/%m/%d %H:%M:%S"), End_time=strftime(_time + duration,"%Y/%m/%d %H:%M:%S"), Total_time=if(isnull(full_duration), Start_time." --> current session", Start_time." --> ".End_time)
| mvexpand src
| iplocation src
| eval LocationIP=City.", ".Country
| stats values(host) as host values(Total_time) as "Session Time" values(src) as "PublicIP" values(LocationIP) as LocationIP values(assigned_ip) as "Assigned IP" values(reason) as "Termination Reason" values(bytesMB) as bytesMB values(bytes_inMB) as bytes_inMB values(bytes_outMB) as bytes_outMB values(full_duration) as Duration by _time, user
| sort -_time
| search PublicIP=*
| table "Session Time" host user "PublicIP" LocationIP "Assigned IP" "Termination Reason" bytesMB bytes_inMB bytes_outMB Duration
It will give you a table with the current session of the user selected in a form above. Basically it will give you the moment the user clicks on connect in his AnyConnect client until the timeout of the AnyConnect client (PC sleeping) or if the user just shuts the session by hand (there can be more than one session per day). The syslog message codes pointed to at the beginning of the query are the one when a user gets a private IP and the one when the user session is terminated. It's the best query I can craft for those logs in order to identify user sessions. Since Cisco TA 4.0.0 you don't even have tags for VPN sessions anymore.
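The same session pairing the query above does (a 722051 start, the next 113019 end for that user, and undisconnected sessions kept as "current"), as an added Python example that is not code from the post or from the Cisco ASA TA. The sample syslog lines are constructed after the 722055 and 113004 lines in the post with placeholder users and addresses; the 722051 and 113019 body layouts are assumed from the fields the query uses (assigned IP, Duration, reason).

```python
import re
from datetime import datetime

# Header shared by the ASA lines in the post: ISO timestamp, sending host, %ASA-<facility>-<sev>-<id>: body
HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) :.*?%ASA-(?:[a-z]+-)?\d-(?P<msg_id>\d+): (?P<body>.*)$")
# Field patterns tolerant of "User <x>" (7220xx), "Username = x," (113019) and "user = x" (113004)
FIELDS = {
    "user": re.compile(r"(?:User(?:name)?[ =]+<?|user = )([^<>, ]+)"),
    "src": re.compile(r"\bIP[ =]+<?([0-9.]+)"),
    "assigned_ip": re.compile(r"IPv4 Address <([0-9.]+)>"),
    "reason": re.compile(r"Reason: (.+)$"),
    "client": re.compile(r"Client Type: (.+)$"),
    "duration": re.compile(r"Duration: (\d+h):(\d+m):(\d+s)"),
}

def parse_line(line):
    """Extract fields from one ASA syslog line; None if the line is not an ASA message."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"time": datetime.fromisoformat(m["ts"]), "host": m["host"], "msg_id": m["msg_id"]}
    for name, rx in FIELDS.items():
        f = rx.search(m["body"])
        if f:
            rec[name] = "".join(f.groups())  # duration renders as "1h04m23s", like the SPL full_duration
    return rec

def build_sessions(lines):
    """Pair each 722051 (internal IP assigned) with the next 113019 (disconnect) for the same user."""
    open_sessions, sessions = {}, []
    for rec in filter(None, map(parse_line, lines)):
        if rec["msg_id"] == "722051":
            open_sessions[rec["user"]] = {"user": rec["user"], "host": rec["host"], "start": rec["time"],
                                          "src": rec.get("src"), "assigned_ip": rec.get("assigned_ip"), "end": None}
        elif rec["msg_id"] == "113019":
            s = open_sessions.pop(rec.get("user"), {"user": rec.get("user"), "start": None})
            s.update(end=rec["time"], duration=rec.get("duration"), reason=rec.get("reason"))
            sessions.append(s)
    sessions.extend(open_sessions.values())  # like keepevicted=true: not yet disconnected, still current
    return sessions

# Constructed sample lines modelled on the 722055 and 113004 lines in the post (users/IPs are placeholders)
SAMPLE = """\
2020-05-04T10:49:01+02:00 10.66.65.70 :May 04 08:49:01 UTC: %ASA-auth-6-113004: AAA user authentication Successful : server = 10.0.0.10 : user = alice
2020-05-04T10:49:02+02:00 10.66.65.70 :May 04 08:49:02 UTC: %ASA-6-722051: Group <RemoteUsers> User <alice> IP <203.0.113.5> IPv4 Address <10.200.0.17> assigned to session
2020-05-04T10:50:13+02:00 10.66.65.70 :May 04 08:50:13 UTC: %ASA-svc-6-722055: Group <RemoteUsers> User <alice> IP <203.0.113.5> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042
2020-05-04T11:53:25+02:00 10.66.65.70 :May 04 09:53:25 UTC: %ASA-4-113019: Group = RemoteUsers, Username = alice, IP = 203.0.113.5, Session disconnected. Session Type: SSL, Duration: 1h:04m:23s, Bytes xmt: 1048576, Bytes rcv: 2097152, Reason: User Requested
2020-05-04T12:10:00+02:00 10.66.65.70 :May 04 10:10:00 UTC: %ASA-6-722051: Group <RemoteUsers> User <bob> IP <198.51.100.9> IPv4 Address <10.200.0.18> assigned to session
""".splitlines()
```

Calling `build_sessions(SAMPLE)` yields one closed session for alice with her public and assigned IPs, duration and termination reason, and one open session for bob with `end` set to `None`.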
Are you using the Cisco ASA add-on? You might want to check the Cisco AnyConnect Network Visibility Module (NVM) App for Splunk (https://splunkbase.splunk.com/app/2992/).