Splunk Enterprise Security

How to find live sessions for VPN connections?

yossefn
Path Finder

I'm looking for a way to present just live sessions for VPN connections (Juniper SSL VPN).
From the actual logs I can't see anything about the "session state", all I have is just the indicators if a session is opened or closed.

Session open log:

Mar 16 19:35:51 x.x.x.x 233 <134>1 2020-03-16T19:35:51+02:00 x.x.x.x PulseSecure: - - - 2020-03-16 19:35:51 - VPN_NAME- [x.x.x.x] username(user_role)[Junos_Users_Role, RDP_Role, WEB_Provision] - Connected to computer_name port 3389

session close log:

Mar 16 21:37:32 x.x.x.x 288 <134>1 2020-03-16T21:37:32+02:00 x.x.x.x PulseSecure: - - - 2020-03-16 21:37:32 - VPN_NAME- [127.0.0.1] username()[] - Closed connection to computer_name port 3389 after 7301 seconds, with 25908389 bytes read (in 33955 chunks) and 3445084 bytes written (in 59766 chunks)

Can anyone help me to determine active / live sessions?
Thanks in advance!

to4kawa
Ultra Champion
your search
| stats count(eval(searchmatch("Connected"))) as start count(eval(searchmatch("connection"))) as stop by user
| eval live = start - stop
| where live > 0

If your VPN can't connect over days, the search is easy. Else ....

yossefn
Path Finder

Here is the final search I'm running. Still there is a gap of around 50 sessions between my results and the actual data in the VPN management system.

index=vpn juniper_sslvpn_message="Connected to *" OR juniper_sslvpn_message="Closed connection to *" earliest=@d latest=now()
| stats count(eval(searchmatch("Connected"))) as start count(eval(searchmatch("connection"))) as stop by user
| eval live = start - stop
| where live > 0

yossefn
Path Finder

@to4kawa, thank you for your help! I got better results but still have a gap. Any idea?


to4kawa
Ultra Champion
 index=vpn juniper_sslvpn_message="Connected to *" OR juniper_sslvpn_message="Closed connection to *" earliest=-2d@d 
 | stats last(juniper_sslvpn_message) as last_message by user
 | search last_message="Connected to *"

The search range is wider, and check the last message.

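The two searches in this thread reconstruct session state in different ways: the first counts opens minus closes per user, the second looks at the user's last message. Both can drift from what the VPN appliance reports, and the drift comes from two edge cases: a close whose open fell before the search window (the count goes to zero or negative for a user who has since reconnected), and a user with several concurrent connections (the last message is a close even though another connection is still up). The Python below is an added example, not code from the thread or from Pulse Secure: it parses lines in the layout yossefn quoted, then computes the live set three ways, including an event replay keyed on (user, host, port) that records an unmatched close instead of subtracting it. All users, hosts and timestamps in SAMPLE_LOGS are constructed; the syslog header values are placeholders. One ordering note for the Splunk version: events are replayed here in chronological order, whereas a Splunk search returns events newest first, so in `stats` the most recent message per user comes from `first()` and `last()` yields the oldest; if the window is widened, check which one the search actually picks.

```python
import re
from collections import defaultdict


def _line(date, time, src_ip, user, roles, msg):
    """Build a constructed log line in the PulseSecure layout quoted in the thread.
    Only the part after 'PulseSecure: - - -' carries the session event."""
    return (f"Mar {int(date[-2:])} {time} 10.0.0.1 233 <134>1 {date}T{time}+02:00 10.0.0.1 "
            f"PulseSecure: - - - {date} {time} - VPN_NAME- [{src_ip}] {user}{roles} - {msg}")


# Constructed sample: alice is simply connected; bob closes a session that was
# opened before the window and then reconnects; carol holds two connections and
# closes one; dave connects and disconnects inside the window.
SAMPLE_LOGS = [
    _line("2020-03-17", "09:00:00", "10.1.1.5", "alice", "(user_role)[RDP_Role]",
          "Connected to hostA port 3389"),
    _line("2020-03-17", "10:00:00", "127.0.0.1", "bob", "()[]",
          "Closed connection to hostB port 3389 after 43200 seconds, with 100 bytes read "
          "(in 1 chunks) and 100 bytes written (in 1 chunks)"),
    _line("2020-03-17", "10:05:00", "10.1.1.6", "bob", "(user_role)[RDP_Role]",
          "Connected to hostB port 3389"),
    _line("2020-03-17", "11:00:00", "10.1.1.7", "carol", "(user_role)[RDP_Role]",
          "Connected to hostC port 3389"),
    _line("2020-03-17", "11:10:00", "10.1.1.7", "carol", "(user_role)[RDP_Role]",
          "Connected to hostD port 22"),
    _line("2020-03-17", "11:20:00", "127.0.0.1", "carol", "()[]",
          "Closed connection to hostD port 22 after 600 seconds, with 10 bytes read "
          "(in 1 chunks) and 10 bytes written (in 1 chunks)"),
    _line("2020-03-17", "12:00:00", "10.1.1.8", "dave", "(user_role)[RDP_Role]",
          "Connected to hostE port 3389"),
    _line("2020-03-17", "12:30:00", "127.0.0.1", "dave", "()[]",
          "Closed connection to hostE port 3389 after 1800 seconds, with 10 bytes read "
          "(in 1 chunks) and 10 bytes written (in 1 chunks)"),
]

# Matches the event body: timestamp, VPN name, [source ip], user(role)[roles] - message.
# The close line has an empty role list and 127.0.0.1 as source, so neither is used as a key.
EVENT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - \S+- \[[^\]]*\] "
    r"(?P<user>[^\s(]+)\([^)]*\)\[[^\]]*\] - "
    r"(?P<kind>Connected to|Closed connection to) (?P<host>\S+) port (?P<port>\d+)"
)


def parse_event(line):
    """Return a dict for an open/close event, or None for lines that are not session events."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"ts": m["ts"], "user": m["user"], "host": m["host"], "port": int(m["port"]),
            "kind": "open" if m["kind"] == "Connected to" else "close"}


def events_from(lines):
    """Parse and sort chronologically, i.e. the order the appliance produced them."""
    return sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])


def live_by_count(events):
    """Opens minus closes per user, keep users with a positive balance."""
    start, stop = defaultdict(int), defaultdict(int)
    for e in events:
        (start if e["kind"] == "open" else stop)[e["user"]] += 1
    return {u for u in start if start[u] - stop[u] > 0}


def live_by_last_message(events):
    """A user is live if their chronologically last event is an open."""
    last = {}
    for e in events:
        last[e["user"]] = e["kind"]
    return {u for u, kind in last.items() if kind == "open"}


def live_by_replay(events):
    """Replay opens and closes per (user, host, port). A close with no matching open
    means the session started before the window; it is reported, not subtracted."""
    open_count = defaultdict(int)
    unmatched_closes = []
    for e in events:
        key = (e["user"], e["host"], e["port"])
        if e["kind"] == "open":
            open_count[key] += 1
        elif open_count[key] > 0:
            open_count[key] -= 1
        else:
            unmatched_closes.append(key)
    live = {k: n for k, n in open_count.items() if n > 0}
    return live, unmatched_closes


if __name__ == "__main__":
    evs = events_from(SAMPLE_LOGS)
    live, unmatched = live_by_replay(evs)
    print("count approach:       ", sorted(live_by_count(evs)))
    print("last-message approach:", sorted(live_by_last_message(evs)))
    print("event replay:         ", sorted(live))
    print("closed before window: ", unmatched)
```

On the constructed sample the count approach misses bob (his close predates the window), the last-message approach misses carol (her most recent event is the close of a second connection), and the replay reports all three as live plus the one unmatched close, which is the kind of discrepancy worth comparing against the appliance's own session list.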

to4kawa
Ultra Champion

What's the username field and time range?
Is there keep-alive log?


yossefn
Path Finder

The username field is user, I can't see any keep-alive indicator in the log.
