Hi,
I am creating a search to find the users that are actually connected with VPN. In the Cisco logs, I can only see the events of connect or disconnect.
I have created a search with append to join two searches, but the results show how many times the user has connected and disconnected.
My search:
index=my_index %ASA-6-113004 | rex field=_raw ".*:\s+AAA\s+(?:[^:]+).*user\s+=\s+(?<user_connected>[^$]+)" | rename user_connected AS user | top user showperc=false | append [search index=firewall %ASA-4-113019 | rex field=_raw ".*Username\s+=\s+(?<user_disconnected>[^,]+).*,\s+(?:[^.]+)" | rename user_disconnected as user | top user showperc=false]
and the result is:
user count
test 3 (number of times disconnected)
test 4 (number of times connected)
How can I create a search that only shows the users actually connected?
thanks
This is the search I use for our ASA:
<yoursearch>
| transaction fields="user" maxspan=12h30m connected=f startswith="*connection established*"
| search eventtype!=cisco_vpn_end
| dedup user
This assumes you've downloaded the Cisco ASA TA. It also assumes that your users are limited to 12.5hr sessions before they timeout. You would need to adjust that to whatever the timeout for user sessions is.
I just tried this and it's showing sessions that have finished. I'm trying to get a count of how many are currently connected. Ideas?
You need to fix the rex commands which did not get copied/saved correctly when you posted your search, but after that, like this:
(index=my_index %ASA-6-113004) OR (index=firewall %ASA-4-113019)
| rex ".*:\s+AAA\s+(?:[^:]+).*user\s+=\s+(?<user_connected>[^$]+)" | rename user_connected AS user
| rex ".*Username\s+=\s+(?<user_disconnected>[^,]+).*,\s+(?:[^.]+)" | rename user_disconnected as user
| dedup user
| eval connected = if(index="firewall", "No", "Yes")
| table user connected
It looks like your subsearch is looking for disconnects? Do you need to be searching for that part if you're only concerned with connections?
Also do you have the Splunk Add-on for Cisco ASA installed? That will alleviate the need for regular expressions:
yes, subsearch is looking for disconnects.
I need connections and disconnections.
If I have 3 connections and 2 disconnections in the last 24 hours, I have to subtract the disconnections from the connections. The result is 1: the user is connected. If the result is 0, the user is not connected.
The Cisco ASA app is not working. The regular expressions are done.
thanks
regards
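Putting the two ideas from this thread together (the latest-event-per-user approach from the dedup answer and the connections-minus-disconnections count described above), here is an added example search that is not from any of the posters. It assumes the thread's index names (my_index and firewall), that %ASA-6-113004 messages contain "user = <name>" and %ASA-4-113019 messages contain "Username = <name>,"; the field names user_connected, user_disconnected, event_type, last_event, last_seen and net_sessions are my own.

```spl
(index=my_index "%ASA-6-113004") OR (index=firewall "%ASA-4-113019")
| rex "user\s+=\s+(?<user_connected>\S+)"
| rex "Username\s+=\s+(?<user_disconnected>[^,]+)"
| eval user=coalesce(user_connected, user_disconnected)
| where isnotnull(user)
| eval event_type=if(match(_raw, "%ASA-4-113019"), "disconnect", "connect")
| stats latest(event_type) AS last_event
        latest(_time) AS last_seen
        count(eval(event_type="connect")) AS connects
        count(eval(event_type="disconnect")) AS disconnects
        BY user
| eval connected=if(last_event="connect", "Yes", "No")
| eval net_sessions=connects-disconnects
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table user connected last_seen connects disconnects net_sessions
```

The connected column comes from the user's most recent event, which survives a missed disconnect better than the plain subtraction; a row with connected=Yes whose last_seen is older than the ASA session timeout, or a net_sessions above 1, is a sign that a disconnect never reached Splunk or that the user holds more than one session.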
If no data is being extracted for your Cisco ASA logs you might want to review how it was installed, as there are a lot of great extractions with that add-on, including ones for users but I understand that is a separate problem.
For solving this you might want to look at the transaction command (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction) as it is designed to do some of what you're trying to do here, just without the headaches of subsearches.
Can you maybe give us an explanation of what the search you've created is trying to do? Are you just looking for connection attempts in your VPN logs?
Hi ryan, thanks for answering.
I am trying to create a search to show the users that are actually connected by VPN.
But I have users that have various connections and disconnections during the day.