All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco ASA: How to display a table with information about start and end, and the total time of the user on the network?

Zhanali
Path Finder
‎04-16-2021 04:35 AM

Cisco ASA VPN monitoring:

I haven't been able to finish this case for a week now. I need to display a table with information about start and end, and the total time of the user on the network.

With the information that I collected and displayed in the table, it was like this:

 

 

 

sourcetype=cisco:asa message_id=722051 OR message_id=113019 OR message_id=722011 OR message_id=722037 OR message_id=722028 OR message_id=722010 zhanali
| eval session_info = case((message_id = "113019" OR message_id = "722011" OR message_id = "722010"), "session_end",message_id="722051", "session_start",message_id="722037" OR message_id = "722028","session_close")
| eval start = if((session_info = "session_start"),_time,"null")
| eval end = if((session_info = "session_end"),_time,"null")
| eval close = if((session_info = "session_close"),_time,"null")
| table Cisco_ASA_user session_info start end close
| convert ctime(start) ctime(end) ctime(close)

 

 

 

Zhanali_0-1618570328123.png

I need to somehow leave one line from the close lines that appear sequentially. Better to leave the first in time.

Zhanali_1-1618571514377.png

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Zhanali
Path Finder
‎05-10-2023 09:24 PM

Hi all! I forgot about this post. I decided with the simplest way, the start of the session is determined using the duration. Because I learned about the logs that the duration is sent when the session really was.

index="cisco_syslog" sourcetype="cisco:asa" message_id=113019 
| eval start_time =_time-duration, end_time = _time 
| sort -start_time
| table dvc group user src_ip start_time end_time duration
| eval duration = tostring(duration, "duration")
| convert timeformat="%H:%M:%S %d.%m.%Y" ctime(start_time) ctime(end_time)

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Zhanali
Path Finder
‎05-10-2023 09:24 PM

Hi all! I forgot about this post. I decided with the simplest way, the start of the session is determined using the duration. Because I learned about the logs that the duration is sent when the session really was.

index="cisco_syslog" sourcetype="cisco:asa" message_id=113019 
| eval start_time =_time-duration, end_time = _time 
| sort -start_time
| table dvc group user src_ip start_time end_time duration
| eval duration = tostring(duration, "duration")
| convert timeformat="%H:%M:%S %d.%m.%Y" ctime(start_time) ctime(end_time)

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2022 11:28 PM

The events are currently separate events in the pipeline - is there anything in the data that can be used to correlate the events to determine if more than one close event is present? Or do you simply want to use _time to sequence the events?

sourcetype=cisco:asa message_id=722051 OR message_id=113019 OR message_id=722011 OR message_id=722037 OR message_id=722028 OR message_id=722010 zhanali
| eval session_info = case((message_id = "113019" OR message_id = "722011" OR message_id = "722010"), "session_end",message_id="722051", "session_start",message_id="722037" OR message_id = "722028","session_close")
| eval start = if((session_info = "session_start"),_time,"null")
| eval end = if((session_info = "session_end"),_time,"null")
| eval close = if((session_info = "session_close"),_time,"null")
| table Cisco_ASA_user session_info start end close
| sort _time
| streamstats values(session_info) as previous_session_info current=f window=2
| where previous_session_info != "session_close" OR session_info != "session_close"
| convert ctime(start) ctime(end) ctime(close)
0 Karma
Reply
Solved! Jump to solution

NitLino
New Member
‎03-08-2022 09:12 AM

Hello Zhanali, 

I am also building something similar. were you able to complete your syntax?

0 Karma
Reply
Solved! Jump to solution

Zhanali
Path Finder
‎03-10-2022 10:20 PM 
sourcetype=cisco:asa message_id=722051 OR message_id=113019 OR message_id=722011 OR message_id=722037 OR message_id=722028 OR message_id=722010 "MyUserName"
| eval session_info = case((message_id = "113019" OR message_id = "722011" OR message_id = "722010"), "session_end",message_id="722051", "session_start",(message_id="722037" OR message_id = "722028"),"session_close")
| eval start = if((session_info = "session_start"),_time,"null")
| eval end = if((session_info = "session_end"),_time,"null")
| eval close = if((session_info = "session_close"),_time,"null")
| sort - _time
| table _time Cisco_ASA_user session_info start end close duration
| eval duration = tostring(duration, "duration")
| convert ctime(start) ctime(end) ctime(close)

 

This issue was not resolved, but for this situation I found a way out.
If you look at the results of this query, it turns out that the event with duration field indicates a break of the session. This is what I used to calculate the session start time.

Zhanali_0-1646978643148.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top