Cisco Security Suite & VPN Statistics

cellison
Explorer

I have data coming in via UDP port #514 and I changed the REGEX to "%ASA-\d+-\d+" and I now have data coming in to the Cisco Security Suite.

I use the following search to obtain data for VPN: "process="%ASA-5-722033" sourcetype=syslog"

This will give me a list of TCP and UDP connections along with the VPN user etc. However, what I really need is to be able to see the total RX & TX for the time period I specify for each user.

Can anyone help with this? Is there a way to get the output to be in a graphical representation?

Thank you all very much.

cellison
Explorer

I think I may have figured out a way to get the info I was searching for. However, I'd like some feedback to see if I am interpreting the data correctly.

I put together this search: source="udp:514" sourcetype="syslog" index="main" "username" "DefaultWEBVPNGroup"

Then I specify a date parameter and it looks like I get what I need. It appears that I get the initial VPN session connection and then I also get the disconnect if it is in the same time period I searched for. In that disconnect event, it has "Bytes xmt & Bytes rcv."

Am I correct in my interpretation that this was the total data transmitted and received for that VPN session?

Here is a sample output:

Dec 8 16:50:46 10.110.255.1 Dec 08 2013 16:52:03 ASA : %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = ********, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 0h:14m:47s, Bytes xmt: 1651278, Bytes rcv: 289109, Reason: User Requested

Thanks for any input.

0 Karma

cellison
Explorer

Thanks for changing the title. No matter what captcha I tried when doing an update, it would not pass. However, I could comment just fine and the captcha would work.

Do you perhaps know of a way to get this data in a chart form showing the TX and RX?

0 Karma

halr9000
Motivator

Your interpretation certainly makes sense. Maybe there's some doc from Cisco that would shed some real light.

0 Karma

cellison
Explorer

Sorry for the wrong title. It should be "Cisco Security Suite & VPN Statistics." I have tried updating the title, but cannot get past any of the reCAPTCHA security phrases. Bug perhaps?

0 Karma