How to build a dashboard to monitor Cisco ASA VPN connections in real-time?

gilbou
Explorer

Hello,

New to Splunk.

I use the Cisco security suite and it's up and working. I would like a dashboard that lists active VPN tunnels in real-time, with the IP associated to the client.
In the search, I can find connections opening and closing in real time, I just don't know how to build a dashboard where this information would be well formatted.
Anyone able to provide some info on how to do it please?

Thanks

dwaddle
SplunkTrust

There are probably some techniques to make this doable, using transactions and so on. But, I think I will make an alternate suggestion. Use RADIUS accounting as an intermediary. On your ASA device, you can enable RADIUS accounting and send accounting records to a RADIUS server that can then put them into a file or into a MySQL DB.

Once you have the accounting records, they include things that make doing this much easier like unique "session ID" identifiers so that transactions are no longer necessary. If you put the RADIUS accounting into a MySQL DB, then that data is easily turned into a DB-Lookup in Splunk and will always show the "current logged in" users quite easily.

0 Karma

gilbou
Explorer

Adding the log entries for connection / disconnection:

<182>Feb 12 2015 05:00:39: %ASA-6-713228: Group = VPN-NOMADES, Username = xxxxxx, IP = yyy.yyy.yyy.yyy, Assigned private IP address 172.16.205.46 to remote user

<180>Feb 12 2015 05:01:01: %ASA-4-113019: Group = VPN-NOMADES, Username = xxxxxx, IP = yyy.yyy.yyy.yyy, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:10m:52s, Bytes xmt: 2054971, Bytes rcv: 352098, Reason: Lost Service

0 Karma
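
The correlation the two messages above make possible, as an added example that is not part of the thread or any poster's code: replay the 713228 (address assigned) and 113019 (session disconnected) events in order and keep whoever has not disconnected yet. The usernames and public IPs in the sample are constructed placeholders, and the function and field names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample events modelled on the two messages posted above
# (usernames and public IPs are made-up placeholders, not from the thread).
SAMPLE = """\
<182>Feb 12 2015 05:00:39: %ASA-6-713228: Group = VPN-NOMADES, Username = alice, IP = 198.51.100.7, Assigned private IP address 172.16.205.46 to remote user
<182>Feb 12 2015 05:00:50: %ASA-6-713228: Group = VPN-NOMADES, Username = bob, IP = 203.0.113.9, Assigned private IP address 172.16.205.47 to remote user
<180>Feb 12 2015 05:01:01: %ASA-4-113019: Group = VPN-NOMADES, Username = alice, IP = 198.51.100.7, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:10m:52s, Bytes xmt: 2054971, Bytes rcv: 352098, Reason: Lost Service
<180>Feb 12 2015 05:01:30: %ASA-4-113019: Group = VPN-NOMADES, Username = carol, IP = 192.0.2.44, Session disconnected. Session Type: IPsecOverNatT, Duration: 2h:00m:00s, Bytes xmt: 10, Bytes rcv: 10, Reason: User Requested
"""

EVENT = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d{4} [\d:]{8}): %ASA-\d-(?P<msg>713228|113019): "
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
    r"(?:Assigned private IP address (?P<assigned>\S+)|Session disconnected)"
)

def active_sessions(lines):
    """Replay events in order; return {(user, public_ip): session} still open."""
    active = {}
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue  # any other ASA message is ignored
        key = (m["user"], m["ip"])
        if m["msg"] == "713228":
            # Address assignment marks the tunnel as up; a repeat for the
            # same key (reconnect with no disconnect logged) overwrites it.
            active[key] = {
                "group": m["group"],
                "assigned_ip": m["assigned"],
                "since": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            }
        else:
            # 113019 closes the session; pop() tolerates a disconnect whose
            # connect happened before the start of the log window.
            active.pop(key, None)
    return active

if __name__ == "__main__":
    for (user, ip), s in active_sessions(SAMPLE.splitlines()).items():
        print(f"{user:10} {ip:16} {s['assigned_ip']:15} since {s['since']}")
```

Keying on username plus public IP cannot tell apart two simultaneous sessions of the same user from behind the same NAT address, which is the gap the per-session ID in RADIUS accounting records closes.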