Splunk Search

How to write a search to find users that are actually connected with VPN from Cisco logs?

New Member

Hi,

I am creating a search to find the users that are actually connected with VPN. In the Cisco logs, I can only see the events of connect or disconnect.

I have created a search with append to join two searches, but the results show how many times the user has connected and disconnected.

My search:

index=my_index %ASA-6-113004
| rex field=_raw ".*:\s+AAA\s+(?:[^:]+).*user\s+=\s+(?<user_connected>[^$]+)"
| rename user_connected AS user
| top user showperc=false
| append [search index=firewall %ASA-4-113019
    | rex field=_raw ".*Username\s+=\s+(?<user_disconnected>[^,]+).*,\s+(?:[^.]+)"
    | rename user_disconnected AS user
    | top user showperc=false]

and the result is:

user            count
test                3      (number of times is disconnected)
test                4      (number of times is connected)

How can I create a search that only shows the users actually connected?

thanks

0 Karma

Communicator

This is the search I use for our ASA:

<yoursearch>
| transaction fields="user" maxspan=12h30m connected=f startswith="*connection established*" 
| search eventtype!=cisco_vpn_end
| dedup user 

This assumes you've downloaded the Cisco ASA TA. It also assumes that your users are limited to 12.5hr sessions before they timeout. You would need to adjust that to whatever the timeout for user sessions is.

Engager

I just tried this and it's showing sessions that have finished. I'm trying to get a count of how many are currently connected. Ideas?

0 Karma

Esteemed Legend

You need to fix the rex commands which did not get copied/saved correctly when you posted your search, but after that, like this:

(index=my_index %ASA-6-113004) OR (index=firewall %ASA-4-113019)
| rex ".*:\s+AAA\s+(?:[^:]+).*user\s+=\s+(?<user_connected>[^$]+)"
| rename user_connected AS user
| rex ".*Username\s+=\s+(?<user_disconnected>[^,]+).*,\s+(?:[^.]+)"
| rename user_disconnected AS user
| dedup user
| eval connected=if(index=="firewall", "No", "Yes")
| table user connected

0 Karma

Builder

It looks like your subsearch is looking for disconnects? Do you need to be searching for that part if you're only concerned with connections?

Also do you have the Splunk Add-on for Cisco ASA installed? That will alleviate the need for regular expressions:

https://splunkbase.splunk.com/app/1620/

0 Karma

New Member

Yes, the subsearch is looking for disconnects.

I need connections and disconnections.

If in the last 24 hours I have 3 connections and 2 disconnections, I have to subtract the disconnections from the connections. The result is 1, so the user is connected. If the result is 0, the user is not connected.

The Cisco ASA app is not working. The regular expressions are done.

thanks

regards

0 Karma
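As an added example (not code from this thread or from Splunk), the Python below replays constructed Cisco ASA syslog lines through both rules discussed so far: the newest-event-per-user rule that the `dedup user` search above implements, and the connects-minus-disconnects balance described in the reply above. The log lines are invented (host, users, addresses, durations and times), although the message bodies follow the ASA 113004 and 113019 formats. It assumes each line carries an ISO-8601 UTC timestamp prefix (a collector setting; the ASA's default syslog date has no year) and, as the thread's searches do, that %ASA-6-113004 (AAA authentication success) marks a connect and %ASA-4-113019 (session disconnected) marks a disconnect.

```python
"""Added example, not from the original thread or from Splunk: replay
constructed Cisco ASA syslog lines through the two "who is connected" rules
discussed in the thread and compare their answers.

Assumptions (not in the original post):
  * each line starts with an ISO-8601 UTC timestamp (a collector setting;
    the ASA's default syslog date carries no year)
  * %ASA-6-113004 (AAA authentication success) counts as a connect and
    %ASA-4-113019 (session disconnected) as a disconnect, exactly as the
    searches in the thread assume
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data: the message bodies follow the real 113004/113019
# formats, but the host, users, addresses, durations and times are invented.
SAMPLE_LOGS = """\
2024-03-09T20:00:00Z asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = dave
2024-03-09T21:00:00Z asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = carol
2024-03-10T08:01:12Z asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
2024-03-10T08:05:40Z asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = bob
2024-03-10T08:10:00Z asa1 %ASA-4-113019: Group = vpn-users, Username = carol, IP = 203.0.113.9, Session disconnected. Session Type: SSL, Duration: 11h10m00s, Bytes xmt: 100, Bytes rcv: 200, Reason: Idle Timeout
2024-03-10T09:15:03Z asa1 %ASA-4-113019: Group = vpn-users, Username = alice, IP = 203.0.113.7, Session disconnected. Session Type: SSL, Duration: 1h13m51s, Bytes xmt: 12345, Bytes rcv: 6789, Reason: User Requested
2024-03-10T09:30:00Z asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice
2024-03-10T10:00:00Z asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = frank
2024-03-10T10:02:00Z asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = frank
2024-03-10T10:30:00Z asa1 %ASA-4-113019: Group = vpn-users, Username = frank, IP = 203.0.113.21, Session disconnected. Session Type: SSL, Duration: 0h30m00s, Bytes xmt: 10, Bytes rcv: 20, Reason: User Requested
2024-03-10T11:00:00Z asa1 %ASA-4-113019: Group = vpn-users, Username = bob, IP = 203.0.113.8, Session disconnected. Session Type: SSL, Duration: 2h54m20s, Bytes xmt: 1, Bytes rcv: 2, Reason: User Requested
"""

# Same extraction idea as the rex commands in the thread, in Python syntax.
CONNECT_RE = re.compile(r"%ASA-6-113004: AAA .*?: user = (?P<user>\S+)$")
DISCONNECT_RE = re.compile(r"%ASA-4-113019: .*?Username = (?P<user>[^,]+),")


def parse_events(text):
    """Return [(timestamp, user, 'connect' | 'disconnect')] in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp = line.split(" ", 1)[0]
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        m = CONNECT_RE.search(line)
        if m:
            events.append((ts, m.group("user"), "connect"))
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            events.append((ts, m.group("user"), "disconnect"))
    events.sort()  # both rules below rely on a known time order
    return events


def connected_by_last_event(events, since=None):
    """The '| dedup user' rule: the newest event per user decides."""
    last = {}
    for ts, user, action in events:
        if since is not None and ts < since:
            continue  # outside the search window
        last[user] = action  # input is time-ordered, so the last write wins
    return sorted(u for u, a in last.items() if a == "connect")


def session_balance(events, since=None):
    """The poster's rule: connects minus disconnects per user in the window."""
    balance = Counter()
    for ts, user, action in events:
        if since is not None and ts < since:
            continue
        balance[user] += 1 if action == "connect" else -1
    return dict(balance)


def compare(events, since=None):
    """Who each rule reports as connected, for side-by-side reading."""
    return {
        "last_event": connected_by_last_event(events, since),
        "balance": sorted(u for u, n in session_balance(events, since).items() if n > 0),
    }


EVENTS = parse_events(SAMPLE_LOGS)
# A "last 24 hours" style window that starts after dave and carol logged in.
WINDOW_START = datetime(2024, 3, 10, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, since in (("all history", None), ("window only", WINDOW_START)):
        print(label, compare(EVENTS, since), session_balance(EVENTS, since))
```

Reading the two runs side by side shows where the rules part ways. alice (connect, disconnect, connect) is connected under both. frank logged in twice and out once: the balance rule still counts one open session, the last-event rule reports him gone, and which is right depends on whether the group policy permits more than one simultaneous login per user (vpn-simultaneous-logins on the ASA); a per-session key such as Username plus IP would settle it, but 113004 does not carry the IP, so that needs a session-start message rather than the AAA message. carol logged in before the window and out inside it, so her balance goes negative; a stats-based version of the subtraction search must therefore test for a balance greater than zero, not merely non-zero. dave logged in before the window and has been quiet since, so neither rule sees him unless the search spans at least the longest session the ASA allows, which is the 12.5 hour point made in the transaction answer earlier in the thread. Finally, 113004 records an AAA authentication success, not a tunnel coming up, so a user who passes AAA but never establishes a session will still count as connected under either rule; the "connection established" message used by the transaction answer is the safer start marker when the logs contain it.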

Builder

If no data is being extracted for your Cisco ASA logs you might want to review how it was installed, as there are a lot of great extractions with that add-on, including ones for users but I understand that is a separate problem.

For solving this you might want to look at the transaction command (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction) as it is designed to do some of what you're trying to do here, just without the headaches of subsearches.

0 Karma

Builder

Can you maybe give us an explanation of what the search you've created is trying to do? Are you just looking for connection attempts in your VPN logs?

0 Karma

New Member

Hi Ryan, thanks for answering.

I am trying to create a search that shows the users currently connected by VPN.

But I have users that have various connections and disconnections during the day.

0 Karma