All Apps and Add-ons

Does anyone know which syslog event IDs are needed for Splunk to correctly identify login events for VPN on an ASA device?

sorenmaigaard
Path Finder

Hi

We are grabbing data from our Cisco ASA devices successfully. However, no CIM compliant data about VPN logins is created.
My guess is that we are not getting the right syslog events from the ASA.

Does anyone know which syslog event IDs are needed for Splunk to correctly identify login events for VPN on an ASA?

Thanks!
Best
Soren

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

hi,

VPN events:

jcoates-mba:Splunk_TA_cisco-asa jcoates$ pwd
/Users/jcoates/Downloads/Splunk_TA_cisco-asa
jcoates-mba:Splunk_TA_cisco-asa jcoates$ find . -name *.conf | xargs grep -in vpn
./default/props.conf:41:REPORT-vpn = cisco_fw_group, cisco_fw_user, cisco_fw_ip, cisco_fw_disconnect, cisco_fw_dap, cisco_fw_dap_2, cisco_fw_722
./default/props.conf:42:REPORT-vpn-2 = cisco_fw_authentication_action, cisco_fw_session_type, cisco_fw_assigned_ip, cisco_fw_user-identity
./default/props.conf:126:REPORT-vpn = cisco_fw_group, cisco_fw_user, cisco_fw_ip, cisco_fw_disconnect, cisco_fw_dap, cisco_fw_dap_2, cisco_fw_722
./default/props.conf:127:REPORT-vpn-2 = cisco_fw_authentication_action, cisco_fw_session_type, cisco_fw_assigned_ip, cisco_fw_user-identity
./default/transforms.conf:167:# VPN
jcoates-mba:Splunk_TA_cisco-asa jcoates$ 

CIM is looking for tag=network tag=session tag=vpn (http://docs.splunk.com/Documentation/CIM/4.0.0/User/NetworkSessions)

jcoates-mba:Splunk_TA_cisco-asa jcoates$ find . -name *.conf | xargs grep -in tag
./default/eventtypes.conf:3:#tags = authentication
./default/eventtypes.conf:7:#tags = network communicate
./default/eventtypes.conf:11:#tags = attack ids
jcoates-mba:Splunk_TA_cisco-asa jcoates$ cat default/tags.conf 
[eventtype=cisco_connection]
network = enabled
communicate = enabled

[eventtype=cisco_authentication]
authentication = enabled

[eventtype=cisco_intrusion]
attack = enabled
ids = enabled
jcoates-mba:Splunk_TA_cisco-asa jcoates$ 

This looks like it doesn't have VPN support. Can we get some details on the logs? Feel free to contact me offline, I'd like to get some specific samples.

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!