I am new to splunk and I am trying to collect AnyConnect VPN login history for my Cisco ASA 5515x. I am already getting syslog from the firewall (debugging level) and can search on syslog id 722055 to see the individual logins. I have been collecting syslog for about a week so I was wondering if anyone else has tried this and maybe could offer some tips. Search examples, other syslog ids, etc?
Hello,
722055 is indeed the event that shows the client type information, for example:
2020-05-04T10:50:13+02:00 10.66.65.70 :May 04 08:49:01 UTC: %ASA-svc-6-722055: Group <xxx> User <xxx> IP <xxx.xxx.xxx.xxx> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042
But if you want to have some login stats for the VPN connections from your company you can also use message_id 722051, which is the moment the user gets the internal IP (meaning the moment it is really connected through the VPN concentrator), and also message_id 113019, which is the moment the connection is terminated, with the duration time, etc.
Also, if you have enabled full syslog logging on your device, you also have message_id 113004, which means that the user has successfully authenticated:
2020-05-04T10:56:57+02:00 10.66.65.70 :May 04 08:55:45 UTC: %ASA-auth-6-113004: AAA user authentication Successful : server = xxx.xxx.xxx.xxx : user = xxx
With those types of message_id you can identify connections, but also VPN sessions, with good custom searches.
All those events are well extracted by the Cisco ASA TA (https://splunkbase.splunk.com/app/1620/).
The Cisco web site has all the syslog message_id definitions here: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
And we have identified these message_ids that are relevant for VPN:
113004
113005
113008
113009
113010
113019
113039
713049
713119
716001
716002
716058
716059
722011
722012
722022
722023
722028
722032
722033
722034
722037
722041
722051
722055
734001
737006
737016
737026
Cheers,
Vince
Hi @vince135
If you do transaction or stats by sessions, is the key user? Or another one?
Definitely, user is the key for those VPN logs.
In the case of Cisco-related devices I have made a query like this (it's embedded in a dashboard...):
index=myciscoindex user=$field2$ Cisco_ASA_message_id=722051 OR Cisco_ASA_message_id=113019 NOT "AnyConnect-Parent"
| transaction user endswith="Duration:" keepevicted=true
| eval full_duration = duration_hour."h".duration_minute."m".duration_second."s"
| eval bytesMB=round(((bytes/1024)/1024),2), bytes_inMB=round(((bytes_in/1024)/1024),2), bytes_outMB=round(((bytes_out/1024)/1024),2)
| eval Start_time=strftime(_time,"%Y/%m/%d %H:%M:%S"), End_time=(strftime(_time + duration,"%Y/%m/%d %H:%M:%S")), Total_time=if(isnull(full_duration), Start_time." --> current session",Start_time." --> ".End_time)
| mvexpand src | iplocation src | eval LocationIP=City.", ".Country
| stats values(host) as host values(Total_time) as "Session Time" values(src) as "PublicIP" values(LocationIP) as LocationIP values(assigned_ip) as "Assigned IP" values(reason) as "Termination Reason" values(bytesMB) as bytesMB values(bytes_inMB) as bytes_inMB values(bytes_outMB) as bytes_outMB values(full_duration) as Duration by _time, user
| sort -_time
| search PublicIP=*
| table "Session Time" host user "PublicIP" LocationIP "Assigned IP" "Termination Reason" bytesMB bytes_inMB bytes_outMB Duration
It will give you a table with the current session of the user selected in a form above. Basically it will give you the moment the user clicks connect in his AnyConnect client until the timeout of the AnyConnect client (PC sleeping), or if the user just shuts the session by hand (there can be more than one session per day). The syslog message codes pointed to at the beginning of the query are the one when a user gets a private IP and the one when the user session is terminated. It's the best query I can craft for those logs in order to identify user sessions. Since Cisco TA 4.0.0 you don't even have tags for VPN sessions anymore.
Vince
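As an added example (not Vince's query and not code from the Cisco ASA TA), the following Python script does outside Splunk what the first reply and the transaction search above do inside it: it parses raw ASA syslog lines, keeps only the VPN-relevant message_ids from the list in the first reply, and pairs each 722051 (internal IP assigned) with the matching 113019 (session terminated) by user, the way `transaction user endswith="Duration:"` does. Sessions with no 113019 yet are reported as still open, which is what `keepevicted=true` keeps in the query. All log lines, user names, groups and IP addresses are constructed samples: the 722055 and 113004 lines copy the shape of the two lines Vince quoted, while the 722051 and 113019 field layouts are assumptions based on the Cisco syslog guide linked above and should be checked against your own firewall's output.

```python
import re
from datetime import datetime

# message_ids the first reply lists as relevant for VPN session tracking
VPN_MESSAGE_IDS = {
    "113004", "113005", "113008", "113009", "113010", "113019", "113039",
    "713049", "713119", "716001", "716002", "716058", "716059",
    "722011", "722012", "722022", "722023", "722028", "722032", "722033",
    "722034", "722037", "722041", "722051", "722055",
    "734001", "737006", "737016", "737026",
}

# Constructed sample lines (not real traffic). The 111008 line is there only to
# show that non-VPN events are filtered out.
SAMPLE_LOGS = """\
2020-05-04T10:56:57+02:00 10.66.65.70 :May 04 08:55:45 UTC: %ASA-auth-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
2020-05-04T10:57:02+02:00 10.66.65.70 :May 04 08:55:50 UTC: %ASA-vpn-6-722051: Group <RA-VPN> User <alice> IP <198.51.100.7> IPv4 Address <10.10.20.15> IPv6 address <::> assigned to session
2020-05-04T10:57:03+02:00 10.66.65.70 :May 04 08:55:51 UTC: %ASA-svc-6-722055: Group <RA-VPN> User <alice> IP <198.51.100.7> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042
2020-05-04T11:10:00+02:00 10.66.65.70 :May 04 09:08:48 UTC: %ASA-vpn-6-722051: Group <RA-VPN> User <bob> IP <203.0.113.9> IPv4 Address <10.10.20.16> IPv6 address <::> assigned to session
2020-05-04T12:30:10+02:00 10.66.65.70 :May 04 10:28:58 UTC: %ASA-vpn-4-113019: Group = RA-VPN, Username = alice, IP = 198.51.100.7, Session disconnected. Session Type: SSL, Duration: 1h:33m:08s, Bytes xmt: 5242880, Bytes rcv: 1048576, Reason: User Requested
2020-05-04T12:31:00+02:00 10.66.65.70 :May 04 10:29:48 UTC: %ASA-config-5-111008: User 'enable_15' executed the 'show vpn-sessiondb' command.
"""

# Syslog header: receive timestamp, reporting host, then the %ASA-<class>-<sev>-<id> tag.
# The class part (svc, auth, vpn, ...) is optional because not every ASA build emits it.
HEADER_RE = re.compile(
    r"^(?P<recv>\S+)\s+(?P<host>\S+)\s+:.*?%ASA-(?:[a-z]+-)?(?P<severity>\d)-"
    r"(?P<message_id>\d{6}):\s*(?P<body>.*)$"
)

# Per-message_id body extractions (assumed layouts, see lead-in).
BODY_RES = {
    "722051": re.compile(r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<src>[^>]*)> "
                         r"IPv4 Address <(?P<assigned_ip>[^>]*)>"),
    "722055": re.compile(r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<src>[^>]*)> "
                         r"Client Type: (?P<client_type>.*)$"),
    "113004": re.compile(r"server = (?P<server>\S+) : user = (?P<user>\S+)"),
    "113019": re.compile(r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<src>[^,]+),"
                         r".*?Duration: (?P<duration>\d+h:\d+m:\d+s), Bytes xmt: (?P<bytes_xmt>\d+), "
                         r"Bytes rcv: (?P<bytes_rcv>\d+), Reason: (?P<reason>.*)$"),
}


def parse_line(line):
    """Return a dict of header fields plus any body fields, or None if not an ASA line."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.fromisoformat(ev.pop("recv"))
    body_re = BODY_RES.get(ev["message_id"])
    if body_re:
        bm = body_re.search(ev["body"])
        if bm:
            ev.update(bm.groupdict())
    return ev


def vpn_events(text):
    """Parse every line and keep only the VPN-relevant message_ids."""
    return [ev for ev in map(parse_line, text.splitlines())
            if ev and ev["message_id"] in VPN_MESSAGE_IDS]


def duration_seconds(text):
    """Convert the 113019 'Duration: 1h:33m:08s' value to seconds."""
    hours, minutes, seconds = (int(part.rstrip("hms")) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def build_sessions(events):
    """Pair 722051 (start) with 113019 (end) per user, like 'transaction user'."""
    open_by_user = {}
    sessions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        mid = ev["message_id"]
        if mid == "722051":
            session = {"user": ev["user"], "group": ev["group"], "src": ev["src"],
                       "assigned_ip": ev["assigned_ip"], "start": ev["time"], "end": None,
                       "duration_s": None, "bytes_xmt_mb": None, "bytes_rcv_mb": None,
                       "reason": None, "client_type": None}
            open_by_user[ev["user"]] = session
            sessions.append(session)
        elif mid == "722055" and ev.get("user") in open_by_user:
            open_by_user[ev["user"]]["client_type"] = ev["client_type"]
        elif mid == "113019" and ev.get("user") in open_by_user:
            session = open_by_user.pop(ev["user"])
            session["end"] = ev["time"]
            session["duration_s"] = duration_seconds(ev["duration"])
            # same MB rounding as the eval in the dashboard query
            session["bytes_xmt_mb"] = round(int(ev["bytes_xmt"]) / 1024 / 1024, 2)
            session["bytes_rcv_mb"] = round(int(ev["bytes_rcv"]) / 1024 / 1024, 2)
            session["reason"] = ev["reason"]
    return sessions


def current_sessions(sessions):
    """Sessions that have an IP assignment but no termination event yet."""
    return [s for s in sessions if s["end"] is None]


if __name__ == "__main__":
    sessions = build_sessions(vpn_events(SAMPLE_LOGS))
    for s in sessions:
        print(s["user"], s["assigned_ip"], s["start"], s["end"] or "current session",
              s["duration_s"], s["reason"], s["client_type"])
    print("still connected:", [s["user"] for s in current_sessions(sessions)])
```

Keying on user alone, as the query does, means a user with two overlapping sessions (two devices at once) gets the second 722051 overwriting the first in `open_by_user`; keying on user plus the public IP from `src` is the obvious refinement if that happens in your environment.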
Hello All,
This post is interesting. I am trying to get a count and/or a list of users currently logged on to an ASA. I see that the time range is critical. I see where message 113004 is logins, and messages 113019, 716002, and 722023 are logouts of some sort. I thought (this now seems not correct) that if I subtract the logouts from the logins - say for the last 24 hours, I would get current users. No dice. So I must be missing something. If I enable the Splunk TA plugin for Cisco ASA, will I be able to get a count or listing or both of users logged in?
Thanks for a great source of information,
eholz1 - Splunk and ASA user
Thanks @vince135
I understand it well.
I guess that answers it.
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/about.html
What are you going to calculate?
Are you using the Cisco ASA add-on? You might want to check the Cisco AnyConnect Network Visibility Module (NVM) App for Splunk (https://splunkbase.splunk.com/app/2992/).
Rich,
I have the Cisco ASA Plugin installed. But I will also look at the NVM app as well.