Cisco ASA 5515 Anyconnect Login stats

ehutchinson
New Member

I am new to Splunk and I am trying to collect AnyConnect VPN login history for my Cisco ASA 5515-X. I am already getting syslog from the firewall (debugging level) and can search on syslog ID 722055 to see the individual logins. I have been collecting syslog for about a week, so I was wondering if anyone else has tried this and could maybe offer some tips. Search examples, other syslog IDs, etc.?


vince135
Explorer

Hello,

722055 is indeed the event that shows the client type information, for example:

2020-05-04T10:50:13+02:00 10.66.65.70 :May 04 08:49:01 UTC: %ASA-svc-6-722055: Group <xxx> User <xxx> IP <xxx.xxx.xxx.xxx> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042

But if you want to have some login stats for the VPN connections from your company, you can also use message_id 722051, which is the moment the user gets the internal IP (meaning the moment they are really connected through the VPN concentrator), and also message_id 113019, which is the moment the connection is terminated, with the duration time, etc.

Also, if you have enabled full syslog logging on your device, you also have message_id 113004, which means that the user has successfully authenticated:

2020-05-04T10:56:57+02:00 10.66.65.70 :May 04 08:55:45 UTC: %ASA-auth-6-113004: AAA user authentication Successful : server =  xxx.xxx.xxx.xxx : user = xxx

With those message_ids you can identify connections, but also VPN sessions, with good custom searches.

All those events are well extracted by the Cisco ASA TA (https://splunkbase.splunk.com/app/1620/).

The Cisco website has all the syslog message_id definitions here: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html

And we have identified these message_ids as relevant for VPN:

113004
113005
113008
113009
113010
113019
113039
713049
713119
716001
716002
716058
716059
722011
722012
722022
722023
722028
722032
722033
722034
722037
722041
722051
722055
734001
737006
737016
737026

Cheers,

Vince

to4kawa
Ultra Champion

Hi @vince135
If you do transaction or stats by session, is the key user, or another one?


vince135
Explorer

Definitely, user is the key for those VPN logs.

In the case of Cisco-related devices I have made a query like this (it's embedded in a dashboard...):

index=myciscoindex user=$field2$ Cisco_ASA_message_id=722051 OR Cisco_ASA_message_id=113019 NOT "AnyConnect-Parent"
| transaction user endswith="Duration:" keepevicted=true
| eval full_duration = duration_hour."h".duration_minute."m".duration_second."s"
| eval bytesMB=round(((bytes/1024)/1024),2), bytes_inMB=round(((bytes_in/1024)/1024),2), bytes_outMB=round(((bytes_out/1024)/1024),2)
| eval Start_time=strftime(_time,"%Y/%m/%d %H:%M:%S"), End_time=(strftime(_time + duration,"%Y/%m/%d %H:%M:%S")), Total_time=if(isnull(full_duration), Start_time." --> current session",Start_time." --> ".End_time)
| mvexpand src | iplocation src | eval LocationIP=City.", ".Country
| stats values(host) as host values(Total_time) as "Session Time" values(src) as "PublicIP" values(LocationIP) as LocationIP values(assigned_ip) as "Assigned IP" values(reason) as "Termination Reason" values(bytesMB) as bytesMB values(bytes_inMB) as bytes_inMB values(bytes_outMB) as bytes_outMB values(full_duration) as Duration by _time, user
| sort -_time 
| search PublicIP=* 
| table "Session Time" host user "PublicIP" LocationIP "Assigned IP" "Termination Reason" bytesMB bytes_inMB bytes_outMB Duration

It will give you a table with the current session of the user selected in a form above. Basically, it will give you the moment the user clicks on connect in his AnyConnect client until the AnyConnect client times out (PC sleeping) or the user closes the session by hand (there can be more than one session per day). The syslog message codes at the beginning of the query are the one logged when a user gets a private IP and the one logged when the user session is terminated. It's the best query I can craft for those logs in order to identify user sessions. Since Cisco TA 4.0.0 you don't even have tags for VPN sessions anymore.

Vince

eholz1
Contributor

Hello All,

This post is interesting. I am trying to get a count and/or a list of users currently logged on to an ASA. I see that the time range is critical. I see where message 113004 is logins, and messages 113019, 716002, and 722023 are logouts of some sort. I thought (this now seems not correct) that if I subtract the logouts from the logins, say for the last 24 hours, I would get current users. No dice. So I must be missing something. If I enable the Splunk TA plugin for Cisco ASA, will I be able to get a count or listing or both of users logged in?

Thanks for a great source of information,

eholz1 - Splunk and ASA user

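The pairing vince135 describes (a 722051 opens a session when the user gets an internal IP, the next 113019 for the same user closes it with duration, bytes and reason), the NOT "AnyConnect-Parent" filter in his transaction query, and eholz1's logins-minus-logouts attempt can all be checked outside Splunk on a handful of raw syslog lines. The following is an added example and is not code from the thread, from Cisco, or from the Splunk TA: it is a stand-alone Python sessionizer run over constructed sample lines whose message bodies follow the 113004/722055/722051/113019 formats quoted above. The ISO timestamp and host prefix, the users, group name and addresses are made up, and the two 113019 lines for the same disconnect (one "Session Type: SSL", one "AnyConnect-Parent") are an assumption modelled on the filter in the query, not on captured logs.

```python
"""Pair Cisco ASA AnyConnect syslog events into VPN sessions keyed by user."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample (not real logs): bodies follow the 113004/722055/722051/
# 113019 formats quoted in the thread; the timestamp/host prefix, users and
# addresses are made up. The two 113019 lines for alice model the per-tunnel
# disconnects that the thread's query drops with NOT "AnyConnect-Parent".
SAMPLE_LOGS = [
    "2020-05-04T08:49:01Z asa1 %ASA-auth-6-113004: AAA user authentication Successful : server =  10.66.65.1 : user = alice",
    "2020-05-04T08:49:02Z asa1 %ASA-svc-6-722055: Group <EMPLOYEES> User <alice> IP <198.51.100.20> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042",
    "2020-05-04T08:49:03Z asa1 %ASA-svc-6-722051: Group <EMPLOYEES> User <alice> IP <198.51.100.20> IPv4 Address <10.10.0.5> IPv6 address <::> assigned to session",
    "2020-05-04T09:12:40Z asa1 %ASA-auth-6-113004: AAA user authentication Successful : server =  10.66.65.1 : user = bob",
    "2020-05-04T09:12:41Z asa1 %ASA-svc-6-722051: Group <EMPLOYEES> User <bob> IP <203.0.113.7> IPv4 Address <10.10.0.6> IPv6 address <::> assigned to session",
    "2020-05-04T10:01:15Z asa1 %ASA-auth-4-113019: Group = EMPLOYEES, Username = alice, IP = 198.51.100.20, Session disconnected. Session Type: SSL, Duration: 1h:12m:12s, Bytes xmt: 4194304, Bytes rcv: 1048576, Reason: User Requested",
    "2020-05-04T10:01:15Z asa1 %ASA-auth-4-113019: Group = EMPLOYEES, Username = alice, IP = 198.51.100.20, Session disconnected. Session Type: AnyConnect-Parent, Duration: 1h:12m:14s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested",
    "2020-05-04T10:30:00Z asa1 %ASA-auth-6-113004: AAA user authentication Successful : server =  10.66.65.1 : user = alice",
    "2020-05-04T10:30:01Z asa1 %ASA-svc-6-722051: Group <EMPLOYEES> User <alice> IP <198.51.100.21> IPv4 Address <10.10.0.5> IPv6 address <::> assigned to session",
]

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) %ASA-(?:[a-z]+-)?(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")
ANGLE_RE = re.compile(r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<src>[^>]*)>")
ASSIGNED_RE = re.compile(r"IPv4 Address <(?P<assigned_ip>[^>]*)>")
AUTH_RE = re.compile(r"server =\s*(?P<server>\S+) : user = (?P<user>\S+)")
DISC_RE = re.compile(
    r"Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), IP = (?P<src>[^,]*), "
    r"Session disconnected\. Session Type: (?P<session_type>[^,]*), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.*)$"
)
LOGOUT_IDS = {"113019", "716002", "722023"}  # the logout-type ids eholz1 listed


@dataclass
class Session:
    host: str
    user: str
    group: str
    src: str           # public client IP
    assigned_ip: str   # internal IP handed out in 722051
    start: datetime
    end: Optional[datetime] = None
    duration: Optional[timedelta] = None
    bytes_xmt: int = 0
    bytes_rcv: int = 0
    reason: Optional[str] = None

    @property
    def active(self) -> bool:
        # No matching 113019 seen and not superseded by a newer 722051
        return self.end is None and self.reason is None


def parse_line(line: str) -> Optional[dict]:
    """Split off the ASA header and extract the fields the session logic needs."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
          "host": m["host"], "msg_id": m["msg_id"]}
    body = m["body"]
    if ev["msg_id"] in ("722051", "722055"):
        if (a := ANGLE_RE.search(body)):
            ev.update(a.groupdict())
        if (ip := ASSIGNED_RE.search(body)):
            ev["assigned_ip"] = ip["assigned_ip"]
    elif ev["msg_id"] == "113019":
        if (d := DISC_RE.search(body)):
            ev.update(d.groupdict())
            ev["duration"] = timedelta(hours=int(d["h"]), minutes=int(d["m"]), seconds=int(d["s"]))
    elif ev["msg_id"] == "113004":
        if (a := AUTH_RE.search(body)):
            ev.update(a.groupdict())
    return ev


def sessionize(lines) -> List[Session]:
    """722051 opens a session for a user; the next non-parent 113019 for that user closes it."""
    sessions: List[Session] = []
    open_by_user: dict = {}
    # Sort by timestamp (stable) so out-of-order syslog delivery does not break pairing
    for ev in sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"]):
        user = ev.get("user")
        if ev["msg_id"] == "722051" and user:
            if user in open_by_user:  # start without a seen end: log gap or silent reconnect
                open_by_user[user].reason = "superseded by new 722051 (no 113019 seen)"
            s = Session(ev["host"], user, ev.get("group", ""), ev.get("src", ""),
                        ev.get("assigned_ip", ""), ev["ts"])
            sessions.append(s)
            open_by_user[user] = s
        elif ev["msg_id"] == "113019" and "session_type" in ev:
            if ev["session_type"] == "AnyConnect-Parent":
                continue  # parent tunnel reports separately; keep one end per session
            s = open_by_user.pop(user, None)
            if s is None:
                continue  # termination whose 722051 falls outside the window
            s.end, s.duration, s.reason = ev["ts"], ev["duration"], ev["reason"]
            s.bytes_xmt, s.bytes_rcv = int(ev["xmt"]), int(ev["rcv"])
    return sessions


def active_sessions(lines) -> List[Session]:
    """Users still connected at the end of the window: open 722051 with no 113019."""
    return [s for s in sessionize(lines) if s.active]


def naive_login_minus_logout(lines) -> int:
    """The count eholz1 tried: 113004 successes minus logout-type events."""
    evs = [e for e in map(parse_line, lines) if e]
    return sum(e["msg_id"] == "113004" for e in evs) - sum(e["msg_id"] in LOGOUT_IDS for e in evs)


if __name__ == "__main__":
    for s in sessionize(SAMPLE_LOGS):
        end = s.end.isoformat() if s.end else "current session"
        print(f"{s.user:6} {s.src:15} {s.assigned_ip:10} {s.start.isoformat()} --> {end} {s.duration or ''} {s.reason or ''}")
    print("naive logins-logouts:", naive_login_minus_logout(SAMPLE_LOGS), "| active:", len(active_sessions(SAMPLE_LOGS)))
```

On this sample the naive subtraction yields 1 while two users are actually connected: one disconnect produced two 113019 lines (parent and SSL tunnel), and a user who reconnected produced two 113004 lines, so neither count maps one-to-one onto sessions. Keying on user and pairing the 722051 start with the next non-parent 113019, as the transaction in the query above does, gives the per-session table; sessions with no end in the search window are the "current session" rows.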

to4kawa
Ultra Champion

thanks @vince135
I understand it well.

I guess that answers it.

richgalloway
SplunkTrust

Are you using the Cisco ASA add-on? You might want to check the Cisco AnyConnect Network Visibility Module (NVM) App for Splunk (https://splunkbase.splunk.com/app/2992/).

---
If this reply helps you, Karma would be appreciated.

ehutchinson
New Member

Rich,

I have the Cisco ASA Plugin installed. But I will also look at the NVM app as well.
