
How to calculate cisco asa VPN session duration time

Communicator

Here are the Cisco ASA logs I have coming in, broken down by eventtype=cisco_vpn_start and eventtype=cisco_vpn_end:

index=csco sourcetype=cisco:asa eventtype=cisco_vpn_start
2018-10-31 12:45:35,Local4.Info,192.30.254.2,%ASA-6-722022: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.110.200> UDP SVC connection established without compression

index=csco sourcetype=cisco:asa eventtype=cisco_vpn_end
2018-10-31 13:01:30,Local4.Info,192.31.254.2,%ASA-6-722023: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.60.130> UDP SVC connection terminated without compression

My failed and overly complicated attempt at calculating the session duration

| multisearch
    [search index=csco sourcetype="cisco:asa" eventtype="cisco_vpn_start" src_ip=* user=*
    | eval vpn_start = strftime(_time, "%m/%d/%Y %I:%M %p")]
    [search index=csco sourcetype="cisco:asa" eventtype="cisco_vpn_end" src_ip=* user=*
    | eval vpn_end = strftime(_time, "%m/%d/%Y %I:%M %p")]
| stats values(vpn_start) as vpn_start, values(vpn_end) as vpn_end by src_ip, user
| eval diff_in_minutes = (vpn_start - vpn_end) / 60
| table vpn_start, vpn_end, duration, diff_in_minutes, user, src_ip

Re: How to calculate cisco asa VPN session duration time

SplunkTrust

@johnward4,

Try this:

index=csco sourcetype="cisco:asa" (eventtype="cisco_vpn_start" OR eventtype="cisco_vpn_end") src_ip=* user=*
| stats earliest(_time) as vpn_start, latest(_time) as vpn_end by user, src_ip
| eval diff_in_minutes=(vpn_end-vpn_start)/60

Note: the above might not work if you have multiple sessions for the same user and source IP in the time range you select.
In that case we might need to consider a session ID (if available) or use transaction with a time interval.

PS: There might be a duration value in the ASA logs; I don't remember, though.
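
A worked version of the pairing logic, added here as an example and not code from the thread or from Splunk: it parses lines in the shape posted above (the sample lines are constructed for this example, including one unrelated ASA message), pairs each 722022 start with the next 722023 end for the same user and source IP, and computes the earliest/latest span beside it so the failure mode from the note above (several sessions for one user and IP in the window) is visible in the output. Grouping on (user, src_ip) follows the thread; the hostnames, IPs and the second user are placeholders.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Prefix shape from the thread: "YYYY-MM-DD HH:MM:SS,Local4.Info,<host>,%ASA-6-<id>: Group <g> User <u> IP <ip> ..."
# 722022 = SVC connection established (start), 722023 = SVC connection terminated (end).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),[^,]*,[^,]*,"
    r"%ASA-\d-(?P<msg_id>72202[23]): Group <[^>]*> User <(?P<user>[^>]*)> IP <(?P<src_ip>[^>]*)> "
)

# Constructed sample: myuser has two back-to-back sessions, bob's session is
# still open, and one unrelated ASA message must be ignored by the parser.
SAMPLE_LINES = [
    "2018-10-31 12:45:35,Local4.Info,192.30.254.2,%ASA-6-722022: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.110.200> UDP SVC connection established without compression",
    "2018-10-31 12:50:00,Local4.Info,192.30.254.2,%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.5/51000 (10.1.1.5/51000)",
    "2018-10-31 13:01:30,Local4.Info,192.30.254.2,%ASA-6-722023: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.110.200> UDP SVC connection terminated without compression",
    "2018-10-31 14:00:00,Local4.Info,192.30.254.2,%ASA-6-722022: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.110.200> UDP SVC connection established without compression",
    "2018-10-31 14:30:00,Local4.Info,192.30.254.2,%ASA-6-722023: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.110.200> UDP SVC connection terminated without compression",
    "2018-10-31 15:00:00,Local4.Info,192.30.254.2,%ASA-6-722022: Group <Company_Anyconnect_Users> User <bob> IP <10.0.0.5> UDP SVC connection established without compression",
]

Key = Tuple[str, str]  # (user, src_ip), the grouping the thread uses


def parse_event(line: str) -> Optional[dict]:
    """Return {time, user, src_ip, kind} for a 722022/722023 line, None for anything else."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "user": m["user"],
        "src_ip": m["src_ip"],
        "kind": "start" if m["msg_id"] == "722022" else "end",
    }


def _minutes(start: datetime, end: datetime) -> float:
    return round((end - start).total_seconds() / 60, 2)


def naive_durations(lines: List[str]) -> Dict[Key, float]:
    """What `stats earliest(_time) as vpn_start, latest(_time) as vpn_end by user, src_ip`
    computes: one span per key from first to last event, which merges separate sessions."""
    first: Dict[Key, datetime] = {}
    last: Dict[Key, datetime] = {}
    for e in filter(None, map(parse_event, lines)):
        key = (e["user"], e["src_ip"])
        first[key] = min(first.get(key, e["time"]), e["time"])
        last[key] = max(last.get(key, e["time"]), e["time"])
    return {key: _minutes(first[key], last[key]) for key in first}


def _session(key: Key, start: Optional[datetime], end: Optional[datetime]) -> dict:
    return {"user": key[0], "src_ip": key[1], "start": start, "end": end,
            "duration_min": _minutes(start, end) if start and end else None}


def pair_sessions(lines: List[str]) -> List[dict]:
    """Pair each start with the next end for the same key, in time order.
    A start with no end is reported with end=None (still open, or the end was
    not ingested); an end with no start is reported with start=None."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["time"])
    open_starts: Dict[Key, List[datetime]] = {}
    sessions: List[dict] = []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["kind"] == "start":
            open_starts.setdefault(key, []).append(e["time"])
            continue
        starts = open_starts.get(key)
        sessions.append(_session(key, starts.pop(0) if starts else None, e["time"]))
    for key, starts in open_starts.items():  # starts that never saw an end
        sessions.extend(_session(key, s, None) for s in starts)
    sessions.sort(key=lambda s: s["start"] or s["end"])
    return sessions


if __name__ == "__main__":
    fmt = lambda t: t.strftime("%m/%d/%Y:%H:%M:%S") if t else "-"
    print("earliest/latest by user, src_ip (one row per key):")
    for (user, ip), mins in naive_durations(SAMPLE_LINES).items():
        print(f"  {user:8} {ip:16} {mins:8.2f} mins")
    print("paired sessions (one row per session):")
    for s in pair_sessions(SAMPLE_LINES):
        dur = "open" if s["duration_min"] is None else f"{s['duration_min']:.2f} mins"
        print(f"  {s['user']:8} {s['src_ip']:16} {fmt(s['start'])}  {fmt(s['end'])}  {dur}")
```

Run as a script, the first table reports myuser once with a 104.42-minute span, the second reports the two real sessions (15.92 and 30.00 minutes) and bob's still-open one. Splunk-side, the equivalent is to keep per-session boundaries (for example transaction with startswith/endswith on the two message IDs, or a session identifier when the events carry one) rather than collapsing to one earliest/latest per user and IP.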


Re: How to calculate cisco asa VPN session duration time

Communicator

@renjith.nair Thank you! This is the query I'm using right now, and I'm hoping you may know a tweak to be able to list each session by a user with that session's duration time, like a stats list or values, to group that info.

index=network sourcetype=cisco:asa (eventtype="cisco_vpn_start" OR eventtype="cisco_vpn_end") src_ip=* user=*
| stats earliest(_time) as vpn_start, latest(_time) as vpn_end by user, src_ip
| eval diff_in_minutes=(vpn_end-vpn_start)/60, duration=round(diff_in_minutes,2)
| eval vpn_logon=strftime(vpn_start, "%m/%d/%Y:%H:%M:%S"), vpn_logoff=strftime(vpn_end, "%m/%d/%Y:%H:%M:%S")
| strcat duration " mins" session_duration
| sort - vpn_start
| fields - vpn_start, vpn_end, diff_in_minutes, duration
| table user, src_ip, vpn_logon, vpn_logoff, session_duration

Re: How to calculate cisco asa VPN session duration time

SplunkTrust

@johnward4, not sure if I get it correctly, but now you have each user and the corresponding session_duration. Is it possible to provide a dummy sample output?


Re: How to calculate cisco asa VPN session duration time

Communicator

I'd like to be able to group all of the user's sessions, session durations, and when they logged on and off of those sessions in a stats list or values table representation.


Re: How to calculate cisco asa VPN session duration time

SplunkTrust

Is there a session ID in your events, or do you want to group by user? For example, if your current output is as below, how do you want the grouping?

user    src_ip      vpn_logon   vpn_logoff session_duration
----------------------------------------------------------------------------
User1   1.1.1.0     10:00       10:10   10 mins 
User1   1.1.1.1     11:10       11:15   05 mins
User2   2.1.1.1     11:30       11:50   20 mins

Re: How to calculate cisco asa VPN session duration time

Path Finder

Hi @johnward4,

Did you ever get the search to work? I'm currently going through the same process and wonder if you can share the answer if possible 🙂 Thanks.


Re: How to calculate cisco asa VPN session duration time

Explorer

Hi there,

If you have activated the right level of logging on your Cisco device you should have this event ID, 113019. In this log you have the complete duration of the VPN session, the username, etc. The field is also called duration...

index=myciscoindex Cisco_ASA_message_id=113019

2020-05-04T12:42:54+02:00 10.66.65.70 :May 04 10:41:42 UTC: %FTD-auth-4-113019: Group = RemoteAccessVPN-MUC, Username = xxx, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 2h:50m:01s, Bytes xmt: 21247692, Bytes rcv: 7087992, Reason: Idle Timeout

I mean you can also do a transaction between the first IP assignment and this duration event to know the time, but I think this is the best way to know the exact session time, as it is the Cisco device itself that gives you that.

cheers

Vince
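
A parser for that event, added here as an example (not code from the thread or from Cisco): it pulls the fields out of a 113019 line, converts the Duration string into seconds so it can be summed, sorted and compared (as a string like "2h:50m:01s" it cannot be), and totals connected time per user and disconnects per reason. The regex accepts both the "%FTD-auth-4-113019" tag from the post and the plain "%ASA-4-113019" form. The sample lines are constructed from the shape posted above with placeholder usernames and IPs; the Duration conversion accepts only the Hh:MMm:SSs shape seen here and returns None for anything else rather than guessing.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Message 113019 as posted above ("%FTD-auth-4-113019" on Firepower, "%ASA-4-113019" on ASA).
MSG_113019_RE = re.compile(
    r"%(?:ASA|FTD)-(?:\w+-)?\d-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<src_ip>[^,]+), Session disconnected\. Session Type: (?P<session_type>[^,]+), "
    r"Duration: (?P<duration>[^,]+), Bytes xmt: (?P<bytes_xmt>\d+), Bytes rcv: (?P<bytes_rcv>\d+), "
    r"Reason: (?P<reason>.+?)\s*$"
)
# Duration as it appears in the post: "2h:50m:01s". Any number of hours, two-digit minutes/seconds.
DURATION_RE = re.compile(r"^(?P<h>\d+)h:(?P<m>\d{1,2})m:(?P<s>\d{1,2})s$")

# Constructed sample: the posted line with placeholders filled in, plus two more disconnects.
SAMPLE_LINES = [
    "2020-05-04T12:42:54+02:00 10.66.65.70 :May 04 10:41:42 UTC: %FTD-auth-4-113019: Group = RemoteAccessVPN-MUC, Username = jdoe, IP = 198.51.100.23, Session disconnected. Session Type: SSL, Duration: 2h:50m:01s, Bytes xmt: 21247692, Bytes rcv: 7087992, Reason: Idle Timeout",
    "2020-05-04T13:10:02+02:00 10.66.65.70 :May 04 11:09:51 UTC: %FTD-auth-4-113019: Group = RemoteAccessVPN-MUC, Username = alice, IP = 203.0.113.7, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:15m:30s, Bytes xmt: 10240, Bytes rcv: 2048, Reason: User Requested",
    "2020-05-05 01:00:00,Local4.Warning,10.66.65.71,%ASA-4-113019: Group = RemoteAccessVPN-MUC, Username = alice, IP = 203.0.113.7, Session disconnected. Session Type: SSL, Duration: 12h:00m:00s, Bytes xmt: 5000000, Bytes rcv: 900000, Reason: Idle Timeout",
]


def duration_to_seconds(text: str) -> Optional[int]:
    """'2h:50m:01s' -> 10201. Returns None for any other shape rather than guessing."""
    m = DURATION_RE.match(text.strip())
    if not m:
        return None
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])


def parse_113019(line: str) -> Optional[dict]:
    """Structured record for one 113019 line, with numeric duration_s and byte counts."""
    m = MSG_113019_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["duration_s"] = duration_to_seconds(rec["duration"])
    rec["bytes_xmt"] = int(rec["bytes_xmt"])
    rec["bytes_rcv"] = int(rec["bytes_rcv"])
    return rec


def summarize(lines: List[str]) -> dict:
    """Totals that need the duration as a number: connected seconds per user,
    disconnect counts per reason, and the single longest session."""
    records = [r for r in map(parse_113019, lines) if r and r["duration_s"] is not None]
    per_user: Dict[str, int] = defaultdict(int)
    for r in records:
        per_user[r["user"]] += r["duration_s"]
    longest = max(records, key=lambda r: r["duration_s"], default=None)
    return {
        "seconds_by_user": dict(per_user),
        "disconnects_by_reason": dict(Counter(r["reason"] for r in records)),
        "longest": None if longest is None else (longest["user"], longest["duration_s"]),
    }


if __name__ == "__main__":
    for r in filter(None, map(parse_113019, SAMPLE_LINES)):
        print(f"{r['user']:6} {r['src_ip']:14} {r['session_type']:17} {r['duration']:>11} = {r['duration_s']:6d} s  {r['reason']}")
    print(summarize(SAMPLE_LINES))
```

One caveat when choosing between the two approaches: 113019 is only emitted when the session ends, so it gives an exact duration for completed sessions but says nothing about sessions that are still open, which the start/end pairing does surface.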