Splunk Enterprise Security

How to find live sessions for VPN connections?

yossefn
Path Finder

I'm looking for a way to present just live sessions for VPN connections (Juniper SSL VPN).
From the actual logs I can't see anything about the "session state", all I have is just the indicators if a session is opened or closed.

Session open log:

Mar 16 19:35:51 x.x.x.x 233 <134>1 2020-03-16T19:35:51+02:00 x.x.x.x PulseSecure: - - - 2020-03-16 19:35:51 - VPN_NAME- [x.x.x.x] username(user_role)[Junos_Users_Role, RDP_Role, WEB_Provision] - Connected to computer_name port 3389

session close log:

Mar 16 21:37:32 x.x.x.x 288 <134>1 2020-03-16T21:37:32+02:00 x.x.x.x PulseSecure: - - - 2020-03-16 21:37:32 - VPN_NAME- [127.0.0.1] username()[] - Closed connection to computer_name port 3389 after 7301 seconds, with 25908389 bytes read (in 33955 chunks) and 3445084 bytes written (in 59766 chunks)

Can anyone help me to determine active \ live sessions?
Thanks in advance!

to4kawa
SplunkTrust
SplunkTrust
  your search
| stats count(eval(searchmatch("Connected")) as start count(eval(searchmatch("connection")) as stop by user
| eval live = start - end
| where live > 0

If your VPN can't connect over days, search is easy. else ....

yossefn
Path Finder

Here is the final search I'm running. Still there is a gap of around 50 sessions between my results and the actual data in the VPN management system.

index=vpn juniper_sslvpn_message="Connected to *" OR juniper_sslvpn_message="Closed connection to *" earliest=@d latest=now()
| stats count(eval(searchmatch("Connected"))) as start count(eval(searchmatch("connection"))) as stop by user
| eval live = start - stop
| where live > 0
0 Karma

yossefn
Path Finder

@to4kawa , Thank you for you help! I got better results but still have a gap. any idea?

0 Karma

to4kawa
SplunkTrust
SplunkTrust
 index=vpn juniper_sslvpn_message="Connected to *" OR juniper_sslvpn_message="Closed connection to *" earliest=-2d@d 
 | stats last(juniper_sslvpn_message) as last_message by user
 | search last_message="Connected to *"

search range is more wide and check last message.

0 Karma

to4kawa
SplunkTrust
SplunkTrust

what's username field and time range?
Is there keep-alive log?

0 Karma

yossefn
Path Finder

The username field is user, I can't see any keep-alive indicator in the log.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!