Cisco ASA 5515 Anyconnect Login stats

New Member

I am new to splunk and I am trying to collect AnyConnect VPN login history for my Cisco ASA 5515x. I am already getting syslog from the firewall (debugging level) and can search on syslog id 722055 to see the individual logins. I have been collecting syslog for about a week so I was wondering if anyone else has tried this and maybe could offer some tips. Search examples, other syslog ids, etc?

Explorer

Hello,

722055 is indeed the event that shows the client type information, for example:

2020-05-04T10:50:13+02:00 10.66.65.70 :May 04 08:49:01 UTC: %ASA-svc-6-722055: Group <xxx> User <xxx> IP <xxx.xxx.xxx.xxx> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042

But if you want to have some login stats for the VPN connections from your company you can also use messageid 722051, which is the moment when the user gets the internal IP (meaning the moment it is really connected through the VPN concentrator), and also messageid 113019, which is the moment when the connection is terminated, with the duration time, etc.

Also, if you have enabled full syslog logging on your device you also have message_id 113004, which means that the user has successfully authenticated:

2020-05-04T10:56:57+02:00 10.66.65.70 :May 04 08:55:45 UTC: %ASA-auth-6-113004: AAA user authentication Successful : server =  xxx.xxx.xxx.xxx : user = xxx

With those types of message_id you can identify connections but also VPN sessions with good custom searches.

All those events are well extracted by the Cisco ASA TA (https://splunkbase.splunk.com/app/1620/).

The Cisco website has all the syslog messageid definitions here: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/bsyslog.html

And we have identified these message_ids as relevant for VPN:

113004
113005
113008
113009
113010
113019
113039
713049
713119
716001
716002
716058
716059
722011
722012
722022
722023
722028
722032
722033
722034
722037
722041
722051
722055
734001
737006
737016
737026

Cheers,

Vince

Ultra Champion

Hi @vince135
If you do transaction or stats by session, is the key user, or another one?

Explorer

Definitely, user is the key for those VPN logs.

In the case of Cisco related devices I have made a query like this (it's embedded in a dashboard...):

index=myciscoindex user=$field2$ Cisco_ASA_message_id=722051 OR Cisco_ASA_message_id=113019 NOT "AnyConnect-Parent"
| transaction user endswith="Duration:" keepevicted=true
| eval full_duration = duration_hour."h".duration_minute."m".duration_second."s"
| eval bytesMB=round(((bytes/1024)/1024),2), bytes_inMB=round(((bytes_in/1024)/1024),2), bytes_outMB=round(((bytes_out/1024)/1024),2)
| eval Start_time=strftime(_time,"%Y/%m/%d %H:%M:%S"), End_time=(strftime(_time + duration,"%Y/%m/%d %H:%M:%S")), Total_time=if(isnull(full_duration), Start_time." --> current session",Start_time." --> ".End_time)
| mvexpand src | iplocation src | eval LocationIP=City.", ".Country
| stats values(host) as host values(Total_time) as "Session Time" values(src) as "PublicIP" values(LocationIP) as LocationIP values(assigned_ip) as "Assigned IP" values(reason) as "Termination Reason" values(bytesMB) as bytesMB values(bytes_inMB) as bytes_inMB values(bytes_outMB) as bytes_outMB values(full_duration) as Duration by _time, user
| sort -_time
| search PublicIP=*
| table "Session Time" host user "PublicIP" LocationIP "Assigned IP" "Termination Reason" bytesMB bytes_inMB bytes_outMB Duration

It will give you a table with the current session of the user selected in a form above. Basically it will give you the moment the user clicks on connect in his AnyConnect client until the timeout of the AnyConnect client (PC sleeping) or until the user just shuts the session by hand (there can be more than one session per day). The syslog message codes pointed to at the beginning of the query are the one when a user gets a private IP and the one when the user session is terminated. It's the best query I can craft for those logs in order to identify users' sessions. Since Cisco TA 4.0.0 you don't even have tags for VPN sessions anymore.

Vince
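The two posts above describe the same pipeline in SPL: extract the message id and fields from the raw ASA syslog line (722055 client type, 113004 successful authentication), then pair each user's 722051 (internal address assigned) with the following 113019 (session disconnected, with Duration, bytes and Reason) to get one row per VPN session. The following Python is an added example, not code from the thread or from the Cisco ASA TA, that does the same correlation offline on constructed sample lines. The header layout follows the two samples quoted in the thread; the 722051 and 113019 body layouts are assumed from the Cisco syslog documentation (the thread quotes no sample of either), and all IPs, users and group names are constructed documentation values.

```python
import re
from datetime import datetime
from typing import Optional

# Message IDs the thread lists as VPN-relevant (copied from the post above).
VPN_MESSAGE_IDS = {
    "113004", "113005", "113008", "113009", "113010", "113019", "113039",
    "713049", "713119", "716001", "716002", "716058", "716059",
    "722011", "722012", "722022", "722023", "722028", "722032", "722033",
    "722034", "722037", "722041", "722051", "722055",
    "734001", "737006", "737016", "737026",
}

# Header shape of the quoted samples: collector timestamp, reporting host, the ASA's own
# timestamp, then %ASA-<facility>-<severity>-<message_id>: (the facility label is optional).
HEADER_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+:(?P<asa_ts>.*?): "
    r"%ASA-(?:(?P<facility>[a-z]+)-)?(?P<severity>\d)-(?P<message_id>\d{6}): (?P<body>.*)$"
)
ANGLE_RE = re.compile(r"(\w[\w ]*?) <([^>]*)>")   # "Group <g> User <u> IP <a.b.c.d>" style fields
CLIENT_TYPE_RE = re.compile(r"Client Type: (.*)$")
AUTH_OK_RE = re.compile(r"server =\s+(\S+) : user = (\S+)")
# 113019 body layout as documented by Cisco (assumed; the thread quotes no 113019 sample).
DISCONNECT_RE = re.compile(
    r"Group = (?P<group>.+?), Username = (?P<user>\S+), IP = (?P<src>\S+), Session disconnected\. "
    r"Session Type: (?P<session_type>[^,]+), Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<bytes_xmt>\d+), Bytes rcv: (?P<bytes_rcv>\d+), Reason: (?P<reason>.*)$"
)


def parse_asa_line(line: str) -> Optional[dict]:
    """Split one ASA syslog line into header fields plus the per-message-id fields used below."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = {"time": datetime.fromisoformat(m["ts"]), "host": m["host"], "severity": int(m["severity"]),
          "message_id": m["message_id"], "body": m["body"]}
    body, mid = m["body"], m["message_id"]
    if mid in ("722051", "722055"):
        fields = dict(ANGLE_RE.findall(body))
        ev.update(group=fields.get("Group"), user=fields.get("User"), src=fields.get("IP"),
                  assigned_ip=fields.get("IPv4 Address"))
        ct = CLIENT_TYPE_RE.search(body)
        if ct:
            ev["client_type"] = ct.group(1)
    elif mid == "113019":
        d = DISCONNECT_RE.match(body)
        if d:
            ev.update(d.groupdict())
            ev["duration_seconds"] = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
            ev["duration"] = f"{d['h']}h{d['m']}m{d['s']}s"   # same shape as full_duration in the query
    elif mid == "113004":
        a = AUTH_OK_RE.search(body)
        if a:
            ev["server"], ev["user"] = a.group(1), a.group(2)
    return ev


def parse_asa_log(text: str) -> list:
    return [ev for ev in (parse_asa_line(l) for l in text.splitlines()) if ev]


def correlate_sessions(events: list) -> list:
    """Pair each user's 722051 (address assigned) with that user's next 113019 (disconnected),
    the way the transaction command above groups by user and ends on 'Duration:'."""
    open_by_user, sessions = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev.get("user")
        if ev["message_id"] == "722051":
            if user in open_by_user:   # new assignment before a disconnect: keep the stale one (keepevicted=true)
                sessions.append({**open_by_user.pop(user), "status": "evicted"})
            open_by_user[user] = {"user": user, "host": ev["host"], "start": ev["time"], "end": None,
                                  "src": ev["src"], "assigned_ip": ev["assigned_ip"]}
        elif ev["message_id"] == "113019" and "duration_seconds" in ev:
            if ev["session_type"] == "AnyConnect-Parent":   # excluded, mirroring NOT "AnyConnect-Parent" above
                continue
            sess = open_by_user.pop(user, None)
            if sess is None:   # a second tunnel record for the same disconnect, or no matching start
                continue
            sess.update(end=ev["time"], status="closed", reason=ev["reason"], duration=ev["duration"],
                        elapsed_seconds=(ev["time"] - sess["start"]).total_seconds(),
                        bytes_xmt_mb=round(int(ev["bytes_xmt"]) / 1024 / 1024, 2),
                        bytes_rcv_mb=round(int(ev["bytes_rcv"]) / 1024 / 1024, 2))
            sessions.append(sess)
    sessions.extend({**s, "status": "current session"} for s in open_by_user.values())
    return sessions


# Constructed sample log: documentation IPs and made-up users; bob's session has no 113019 yet.
SAMPLE_LOG = """\
2020-05-04T10:50:13+02:00 10.66.65.70 :May 04 08:49:01 UTC: %ASA-auth-6-113004: AAA user authentication Successful : server =  192.0.2.20 : user = alice
2020-05-04T10:50:14+02:00 10.66.65.70 :May 04 08:49:02 UTC: %ASA-svc-6-722055: Group <RA-VPN> User <alice> IP <203.0.113.10> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042
2020-05-04T10:50:15+02:00 10.66.65.70 :May 04 08:49:03 UTC: %ASA-svc-6-722051: Group <RA-VPN> User <alice> IP <203.0.113.10> IPv4 Address <10.10.0.5> IPv6 address <::> assigned to session
2020-05-04T10:52:00+02:00 10.66.65.70 :May 04 08:50:48 UTC: %ASA-svc-6-722051: Group <RA-VPN> User <bob> IP <203.0.113.77> IPv4 Address <10.10.0.6> IPv6 address <::> assigned to session
2020-05-04T10:55:27+02:00 10.66.65.70 :May 04 08:54:15 UTC: %ASA-auth-4-113019: Group = RA-VPN, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: SSL-Tunnel, Duration: 0h:05m:12s, Bytes xmt: 1048576, Bytes rcv: 3145728, Reason: User Requested
2020-05-04T10:55:27+02:00 10.66.65.70 :May 04 08:54:15 UTC: %ASA-auth-4-113019: Group = RA-VPN, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:05m:13s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
2020-05-04T11:00:00+02:00 10.66.65.70 :May 04 08:58:48 UTC: %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/40000 (203.0.113.5/40000) to inside:10.0.0.9/443 (10.0.0.9/443)
"""

if __name__ == "__main__":
    vpn = [e for e in parse_asa_log(SAMPLE_LOG) if e["message_id"] in VPN_MESSAGE_IDS]
    for s in correlate_sessions(vpn):
        end = s["end"].strftime("%Y/%m/%d %H:%M:%S") if s["end"] else "current session"
        print(f"{s['user']:<8} {s['start']:%Y/%m/%d %H:%M:%S} --> {end:<19} src={s['src']} "
              f"assigned={s['assigned_ip']} {s.get('duration', '')} {s.get('reason', '')}")
```

The non-VPN 302013 line is dropped by the message-id filter, the AnyConnect-Parent 113019 record is skipped as in the query, and bob's open session is reported as "current session" just as the Total_time eval does when full_duration is null.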

Ultra Champion

thanks @vince135
I understand it well.

I guess that answers it.

SplunkTrust

Are you using the Cisco ASA add-on? You might want to check the Cisco AnyConnect Network Visibility Module (NVM) App for Splunk (https://splunkbase.splunk.com/app/2992/).

---
If this reply helps you, an upvote would be appreciated.
New Member

Rich,

I have the Cisco ASA Plugin installed. But I will also look at the NVM app as well.