All Apps and Add-ons

How to build a dashboard to monitor Cisco ASA VPN connections in real-time?

gilbou
Explorer

Hello,

New to Splunk.

I use the Cisco security suite and its up and working. I would like a dashboard that lists active VPN tunnels in real-time, with the ip associated to the client.
In the search, I can find connections opening and closing in real time, i just don't know how to build a dashboard where this information would be well formatted.
Anyone able to provide some info on how to do it please ?

Thanks

dwaddle
SplunkTrust
SplunkTrust

There are probably some techniques to make this doable, using transactions and so on. But, I think I will make an alternate suggestion. Use RADIUS accounting as an intermediary. On your ASA device, you can enable RADIUS accounting and send accounting records to a RADIUS server that can then put them into a file or into a MySQL DB.

Once you have the accounting records, they include things that make doing this much easier like unique "session ID" identifiers so that transactions are no longer necessary. If you put the RADIUS accounting into a MySQL DB, then that data is easily turned into a DB-Lookup in splunk and will always show the "current logged in" users quite easily.

0 Karma

gilbou
Explorer

Adding the log entries for connection / disconnection:

<182>Feb 12 2015 05:00:39: %ASA-6-713228: Group = VPN-NOMADES, Username = xxxxxx, IP = yyy.yyy.yyy.yyy, Assigned private IP address 172.16.205.46 to remote user

<180>Feb 12 2015 05:01:01: %ASA-4-113019: Group = VPN-NOMADES, Username = xxxxxx, IP = yyy.yyy.yyy.yyy, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:10m:52s, Bytes xmt: 2054971, Bytes rcv: 352098, Reason: Lost Service

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...