Splunk Enterprise Security

How to find live sessions for VPN connections?

yossefn
Path Finder

I'm looking for a way to present just the live sessions for VPN connections (Juniper SSL VPN).
From the actual logs I can't see anything about the "session state"; all I have are the indicators that a session was opened or closed.

Session open log:

Mar 16 19:35:51 x.x.x.x 233 <134>1 2020-03-16T19:35:51+02:00 x.x.x.x PulseSecure: - - - 2020-03-16 19:35:51 - VPN_NAME- [x.x.x.x] username(user_role)[Junos_Users_Role, RDP_Role, WEB_Provision] - Connected to computer_name port 3389

Session close log:

Mar 16 21:37:32 x.x.x.x 288 <134>1 2020-03-16T21:37:32+02:00 x.x.x.x PulseSecure: - - - 2020-03-16 21:37:32 - VPN_NAME- [127.0.0.1] username()[] - Closed connection to computer_name port 3389 after 7301 seconds, with 25908389 bytes read (in 33955 chunks) and 3445084 bytes written (in 59766 chunks)

Can anyone help me determine active / live sessions?
Thanks in advance!

to4kawa
Ultra Champion
your search
| stats count(eval(searchmatch("Connected"))) as start count(eval(searchmatch("connection"))) as stop by user
| eval live = start - stop
| where live > 0

If your VPN can't connect over days, the search is easy. Else ....

yossefn
Path Finder

Here is the final search I'm running. There is still a gap of around 50 sessions between my results and the actual data in the VPN management system.

index=vpn juniper_sslvpn_message="Connected to *" OR juniper_sslvpn_message="Closed connection to *" earliest=@d latest=now()
| stats count(eval(searchmatch("Connected"))) as start count(eval(searchmatch("connection"))) as stop by user
| eval live = start - stop
| where live > 0
0 Karma

yossefn
Path Finder

@to4kawa, thank you for your help! I got better results but still have a gap. Any idea?

0 Karma

to4kawa
Ultra Champion
index=vpn juniper_sslvpn_message="Connected to *" OR juniper_sslvpn_message="Closed connection to *" earliest=-2d@d
| stats last(juniper_sslvpn_message) as last_message by user
| search last_message="Connected to *"

The search range is wider, and it checks the last message.

0 Karma

to4kawa
Ultra Champion

What's the username field and the time range?
Is there a keep-alive log?

0 Karma

yossefn
Path Finder

The username field is user; I can't see any keep-alive indicator in the log.

0 Karma
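The pairing logic behind the searches in this thread, as an added Python example that is not part of the thread: it parses the two PulseSecure message bodies shown above, compares the start-minus-stop count per user with a replay keyed by (user, host, port), and shows why a "Closed connection" event whose "Connected" event fell before earliest=@d produces a gap. Users, hosts and times in the sample are constructed.

```python
import re
from datetime import datetime
# Matches the message body after the syslog header in the thread's log lines.
EVENT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - \S+ \[[^\]]*\] "
    r"(?P<user>[^(\s]+)\([^)]*\)\[[^\]]*\] - "
    r"(?P<action>Connected to|Closed connection to) (?P<host>\S+) port (?P<port>\d+)"
)

# Constructed sample (users, hosts, times made up): alice opened srv1 the day before,
# closed it today, and still has srv2 open; bob's session is fully inside today.
SAMPLE = [
    "2020-03-15 23:50:00 - VPN_NAME- [10.0.0.5] alice(user_role)[RDP_Role] - Connected to srv1 port 3389",
    "2020-03-16 08:00:12 - VPN_NAME- [10.0.0.5] alice(user_role)[RDP_Role] - Connected to srv2 port 3389",
    "2020-03-16 08:30:00 - VPN_NAME- [127.0.0.1] alice()[] - Closed connection to srv1 port 3389 after 31200 seconds, with 10 bytes read (in 1 chunks) and 10 bytes written (in 1 chunks)",
    "2020-03-16 09:00:00 - VPN_NAME- [10.0.0.9] bob(user_role)[WEB_Provision] - Connected to srv3 port 443",
    "2020-03-16 09:05:00 - VPN_NAME- [127.0.0.1] bob()[] - Closed connection to srv3 port 443 after 300 seconds, with 10 bytes read (in 1 chunks) and 10 bytes written (in 1 chunks)",
]
TODAY = datetime(2020, 3, 16)  # the equivalent of earliest=@d in the thread's search

def parse_events(lines, window_start=None):
    """Return time-sorted (ts, user, action, host, port) tuples, dropping events before window_start."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # other message types: ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if window_start is None or ts >= window_start:
            events.append((ts, m["user"], m["action"], m["host"], int(m["port"])))
    return sorted(events)

def naive_live_count(lines, window_start=None):
    """The thread's start-minus-stop count per user (what the stats search computes)."""
    live = {}
    for _, user, action, _, _ in parse_events(lines, window_start):
        live[user] = live.get(user, 0) + (1 if action == "Connected to" else -1)
    return {u: n for u, n in live.items() if n > 0}

def live_sessions(lines, window_start=None):
    """Replay per (user, host, port); return open sessions and the count of closes with no connect in the window."""
    open_sessions, unmatched_closes = {}, 0
    for ts, user, action, host, port in parse_events(lines, window_start):
        key = (user, host, port)
        if action == "Connected to":
            open_sessions[key] = ts
        elif open_sessions.pop(key, None) is None:
            unmatched_closes += 1  # its Connected event lies before the window: the source of the gap
    return open_sessions, unmatched_closes
```

With the window set to today, the naive count reports nobody live while the replay still shows alice's srv2 session open plus one close that could not be paired; widening the window, as the last answer suggests, is what makes the pair visible.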