Cisco Security Suite & VPN Statistics

cellison
Explorer

I have data coming in via UDP port #514 and I changed the REGEX to "%ASA-\d+-\d+" and I now have data coming in to the Cisco Security Suite.

I use the following search to obtain data for VPN: "process="%ASA-5-722033" sourcetype=syslog"

This will give me a list of TCP and UDP connections along with the VPN user etc. However, what I really need is to be able to see the total RX & TX for the time period I specify for each user.

Can anyone help with this? Is there a way to get the output to be in a graphical representation?

Thank you all very much.

cellison
Explorer

I think I may have figured out a way to get the info I was searching for. However, I'd like some feedback to see if I am interpreting the data correctly.

I put together this search: source="udp:514" sourcetype="syslog" index="main" "username" "DefaultWEBVPNGroup"

Then I specify a date parameter and it looks like I get what I need. It appears that I get the initial VPN session connection and then I also get the disconnect if it is in the same time period I searched for. In that disconnect event, it has "Bytes xmt & Bytes rcv."

Am I correct in my interpretation that this was the total data transmitted and received for that VPN session?

Here is a sample output:

Dec 8 16:50:46 10.110.255.1 Dec 08 2013 16:52:03 ASA : %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = ********, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 0h:14m:47s, Bytes xmt: 1651278, Bytes rcv: 289109, Reason: User Requested

Thanks for any input.

0 Karma
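Added example, not part of the original thread and not Splunk or Cisco code: a stand-alone Python cross-check that parses `%ASA-4-113019` disconnect events in the layout quoted above and totals `Bytes xmt` and `Bytes rcv` per user, which can be compared against whatever the Splunk search reports for the same time range. The sample lines, user names and field names are constructed for illustration; it assumes one event per line, and it counts 113019 lines that fail to parse (for example, cut short in transit) so they do not silently lower the totals.

```python
import re
from collections import defaultdict

# Constructed sample input in the layout of the %ASA-4-113019 event quoted above.
# User names, addresses and byte counts are made up; the last line is cut short on purpose.
SAMPLE = """\
Dec 8 16:50:46 10.110.255.1 Dec 08 2013 16:52:03 ASA : %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = alice, IP = 192.0.2.10, Session disconnected. Session Type: SSL, Duration: 0h:14m:47s, Bytes xmt: 1651278, Bytes rcv: 289109, Reason: User Requested
Dec 8 17:30:02 10.110.255.1 Dec 08 2013 17:31:19 ASA : %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = bob, IP = 192.0.2.20, Session disconnected. Session Type: SSL, Duration: 1h:02m:05s, Bytes xmt: 500, Bytes rcv: 700, Reason: Idle Timeout
Dec 8 18:05:40 10.110.255.1 Dec 08 2013 18:06:57 ASA : %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = alice, IP = 192.0.2.10, Session disconnected. Session Type: SSL, Duration: 0h:00m:30s, Bytes xmt: 1000, Bytes rcv: 2000, Reason: User Requested
Dec 8 18:07:00 10.110.255.1 Dec 08 2013 18:08:17 ASA : %ASA-5-722033: Group <DefaultWEBVPNGroup> User <alice> IP <192.0.2.10> First TCP SVC connection established for SVC session.
Dec 8 18:20:11 10.110.255.1 Dec 08 2013 18:21:28 ASA : %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = carol, IP = 192.0.2.30, Session disconnected. Session Type: SSL, Duration: 0h:05m:00s, Bytes xmt: 42
"""

# Group names (user, xmt, rcv, ...) are this example's own, not Splunk field names.
DISCONNECT = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?P<duration>[^,]+), Bytes xmt: (?P<xmt>\d+), "
    r"Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)

def parse_disconnect(line):
    """Return the fields of one session-disconnect event, or None for any other line."""
    m = DISCONNECT.search(line.rstrip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["xmt"], rec["rcv"] = int(rec["xmt"]), int(rec["rcv"])
    return rec

def totals_by_user(lines):
    """Sum bytes per user; also count 113019 lines that did not parse (e.g. truncated)."""
    totals = defaultdict(lambda: {"sessions": 0, "xmt": 0, "rcv": 0})
    malformed = 0
    for line in lines:
        rec = parse_disconnect(line)
        if rec is None:
            # Other message IDs (such as 722033) carry no byte counts and are ignored.
            malformed += "%ASA-4-113019" in line
            continue
        entry = totals[rec["user"]]
        entry["sessions"] += 1
        entry["xmt"] += rec["xmt"]
        entry["rcv"] += rec["rcv"]
    return dict(totals), malformed

if __name__ == "__main__":
    totals, malformed = totals_by_user(SAMPLE.splitlines())
    for user, t in sorted(totals.items()):
        print(f"{user:10} sessions={t['sessions']} xmt={t['xmt']} rcv={t['rcv']}")
    print(f"unparsed 113019 lines: {malformed}")
```

Only sessions whose disconnect event falls inside the exported time range contribute to the totals, which matches the behaviour described in the post above.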

cellison
Explorer

Thanks for changing the title. No matter what captcha I tried when doing an update, it would not pass. However, I could comment just fine and the captcha would work.

Do you perhaps know of a way to get this data in a chart form showing the TX and RX?

0 Karma

halr9000
Motivator

Your interpretation certainly makes sense. Maybe there's some doc from Cisco that would shed some real light.

0 Karma

cellison
Explorer

Sorry for the wrong title. It should be "Cisco Security Suite & VPN Statistics." I have tried updating the title, but cannot get past any of the reCAPTCHA security phrases. Bug perhaps?

0 Karma