Definitely, user is the key for those VPN logs.
In the case of Cisco-related devices I have made a query like this (it's embedded in a dashboard...):
index=myciscoindex user=$field2$ Cisco_ASA_message_id=722051 OR Cisco_ASA_message_id=113019 NOT "AnyConnect-Parent"
| transaction user endswith="Duration:" keepevicted=true
| eval full_duration = duration_hour."h".duration_minute."m".duration_second."s"
| eval bytesMB=round(((bytes/1024)/1024),2), bytes_inMB=round(((bytes_in/1024)/1024),2), bytes_outMB=round(((bytes_out/1024)/1024),2)
| eval Start_time=strftime(_time,"%Y/%m/%d %H:%M:%S"), End_time=(strftime(_time + duration,"%Y/%m/%d %H:%M:%S")), Total_time=if(isnull(full_duration), Start_time." --> current session",Start_time." --> ".End_time)
| mvexpand src | iplocation src | eval LocationIP=City.", ".Country
| stats values(host) as host values(Total_time) as "Session Time" values(src) as "PublicIP" values(LocationIP) as LocationIP values(assigned_ip) as "Assigned IP" values(reason) as "Termination Reason" values(bytesMB) as bytesMB values(bytes_inMB) as bytes_inMB values(bytes_outMB) as bytes_outMB values(full_duration) as Duration by _time, user
| sort -_time
| search PublicIP=*
| table "Session Time" host user "PublicIP" LocationIP "Assigned IP" "Termination Reason" bytesMB bytes_inMB bytes_outMB Duration
It will give you a table with the current session of the user selected in a form above. Basically it will give you the moment the user clicks on connect in his AnyConnect client until the timeout of the AnyConnect client (PC sleeping) or when the user just shuts the session by hand (there can be more than one session per day). The syslog message codes pointed to at the beginning of the query are the one when a user gets a private IP and the one when the user session is terminated. It's the best query I can craft for those logs in order to identify user sessions. Since cisco TA 4.0.0 you don't even have tags for VPN sessions anymore.
For me the lookup definition is good. In fact, they have completely changed the definition and action of this lookup; now all the work is in the props.conf file:
LOOKUP-cisco_asa_action_lookup_1 = cisco_asa_action_lookup vendor_action as action OUTPUT action, action AS Cisco_ASA_action
LOOKUP-cisco_asa_action_lookup_2 = cisco_asa_action_lookup message_id OUTPUTNEW action, action AS Cisco_ASA_action
The definition is working great and as intended, meaning that the action lookup is rewriting the action field already extracted by regex in the transforms.conf. The only issue for me is that the content of "cisco_asa_action_lookup" is wrong and has changed badly.
Maybe you didn't copy the lookup "cisco_asa_action_lookup" when you updated your TA? Or maybe it's a rights issue (happens very often with lookups and Splunk...)
If you have activated the right level of logging on your Cisco device you should have this event id 113019. In this log you have the complete duration of the VPN session + the username etc. The field is also called duration...
2020-05-04T12:42:54+02:00 10.66.65.70 :May 04 10:41:42 UTC: %FTD-auth-4-113019: Group = RemoteAccessVPN-MUC, Username = xxx, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 2h:50m:01s, Bytes xmt: 21247692, Bytes rcv: 7087992, Reason: Idle Timeout
I mean you can also do a transaction between the first IP assignment and this duration event to know the time, but I think this is the best way to know the exact session time as it is directly the Cisco device that gives you that.
Following the recent update of the cisco asa TA to the new major version 4.0.0, we have tested this on a test server with some cisco asa logs copied from our production.
Log extraction is good (even if the props and transforms files have drastically changed) and is more granular than before.
However, we encountered an issue concerning the "action" field, which is very important with datamodels and Enterprise Security because it needs to be formatted like action=allowed OR action=teardown OR action=blocked.
In fact, with regex extraction from the raw logs, the cisco asa TA is extracting values like "Deny", "Built" or "Teardown", and then there is a lookup called "cisco_asa_action_lookup" that matches those actions and rewrites them for CIM compatibility (allowed, teardown or blocked).
But since 4.0.0 this is not the case anymore, I mean the lookup has drastically changed too. Before 4.0.0, if you take a "Deny" firewall event, we had in the lookup the following translation:
and effectively the action field was changed from "deny" to "blocked"
but now we have a lookup with (still with deny for example):
The workaround for us is to change the values in this lookup in order to be back to normal, but I am not sure: is this something missing from the TA developer or is it me? Because the TA is "CIM compliant" but it seems not to be the case here...
What are your thoughts?
Thanks in advance for the help
722055 is indeed the event that shows the client type information, for example:
2020-05-04T10:50:13+02:00 10.66.65.70 :May 04 08:49:01 UTC: %ASA-svc-6-722055: Group <xxx> User <xxx> IP <xxx.xxx.xxx.xxx> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042
But if you want to have some login stats for the VPN connections from your company you can also use message_id 722051, which is the moment from where the user gets the internal IP (meaning the moment he is really connected through the VPN concentrator), and also message_id 113019, which is the moment where the connection is terminated, with the duration time, etc.
Also, if you have enabled full syslog logging on your device you also have message_id 113004, which means that the user has successfully authenticated:
2020-05-04T10:56:57+02:00 10.66.65.70 :May 04 08:55:45 UTC: %ASA-auth-6-113004: AAA user authentication Successful : server = xxx.xxx.xxx.xxx : user = xxx
With those types of message_id you can identify connections but also VPN sessions with good custom searches.
All those events are well extracted by the cisco asa TA (https://splunkbase.splunk.com/app/1620/)
The Cisco website has all the syslog message_id definitions here: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
And we have identified those message_id that are relevant for VPN:
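The session reconstruction described in the first post's transaction query and in the message_id walkthrough just above, as an added example that is not code from this thread or from the Cisco ASA TA: it pairs 722051 (internal IP assigned), 722055 (client type) and 113019 (disconnect with Duration/Bytes/Reason) per user and counts 113004 (AAA success), in plain Python rather than SPL. The 722051 body layout and the sample log lines are constructed assumptions modelled on the lines quoted in the thread (users and IPs are made up); the output mirrors the query's Total_time ("--> current session" when no 113019 has arrived yet, like keepevicted=true) and its MB conversions.

```python
# Added example: rebuild AnyConnect VPN sessions from Cisco ASA/FTD syslog lines (not the TA's code).
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Header shared by the ASA and FTD lines quoted in the thread: "<collector-ts> <host> :<device-ts>: %ASA-svc-6-722055: <body>"
HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+:.*?"
                       r"%(?:ASA|FTD)-(?:[a-z]+-)?\d-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# Bodies: 113019, 722055 and 113004 follow the lines quoted in the thread; the 722051 layout is an assumption.
_GUI = r"Group <[^>]*> User <(?P<user>[^>]*)> IP <(?P<src>[^>]*)> "
BODY_RE = {
    "722051": re.compile(_GUI + r"IPv4 Address <(?P<assigned_ip>[^>]*)>"),
    "722055": re.compile(_GUI + r"Client Type: (?P<client>.+)$"),
    "113019": re.compile(r"Group = [^,]+, Username = (?P<user>[^,]+), IP = (?P<src>[^,]+), "
                         r"Session disconnected\. Session Type: [^,]+, Duration: (?P<duration>[^,]+), "
                         r"Bytes xmt: (?P<bytes_out>\d+), Bytes rcv: (?P<bytes_in>\d+), Reason: (?P<reason>.+)$"),
    "113004": re.compile(r"AAA user authentication Successful : server = \S+ : user = (?P<user>\S+)"),
}
DURATION_RE = re.compile(r"^(\d+)h:(\d+)m:(\d+)s$")  # "Duration: 2h:50m:01s" as on the page
TS_FMT = "%Y/%m/%d %H:%M:%S"                         # same format as the query's Start_time/End_time

@dataclass
class Session:
    user: str
    host: str
    start: datetime
    src: Optional[str] = None           # PublicIP in the query
    assigned_ip: Optional[str] = None   # from 722051
    client: Optional[str] = None        # from 722055
    end: Optional[datetime] = None      # set by 113019
    duration: Optional[timedelta] = None
    bytes_in: int = 0                   # "Bytes rcv" (device perspective)
    bytes_out: int = 0                  # "Bytes xmt"
    reason: Optional[str] = None

    def total_time(self):  # mirror of the query's Total_time
        if self.end is None:
            return f"{self.start:{TS_FMT}} --> current session"
        return f"{self.start:{TS_FMT}} --> {self.end:{TS_FMT}}"

    def megabytes(self):  # (bytes_inMB, bytes_outMB) rounded to 2 decimals like the query
        return round(self.bytes_in / 1024 / 1024, 2), round(self.bytes_out / 1024 / 1024, 2)

def parse_duration(text):
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Duration value: {text!r}")
    return timedelta(hours=int(m[1]), minutes=int(m[2]), seconds=int(m[3]))

def parse_line(line):
    """Return (timestamp, host, msgid, fields) for a tracked message_id, else None."""
    h = HEADER_RE.match(line)
    if not h or h["msgid"] not in BODY_RE:
        return None
    b = BODY_RE[h["msgid"]].search(h["body"])
    return None if b is None else (datetime.fromisoformat(h["ts"]), h["host"], h["msgid"], b.groupdict())

def reconstruct_sessions(lines):
    """Return (sessions, successful_logins). Sessions without a 113019 stay open, like keepevicted=true."""
    sessions, open_by_user, logins = [], {}, 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msgid, f = parsed
        if msgid == "113004":           # authenticated, but no IP assigned yet: count only
            logins += 1
            continue
        user = f["user"]
        cur = open_by_user.get(user)
        if msgid == "113019":
            dur = parse_duration(f["duration"])
            if cur is None:             # disconnect without its 722051: derive the start from Duration
                cur = Session(user, host, ts - dur, src=f["src"])
                sessions.append(cur)
            cur.end, cur.duration, cur.reason = ts, dur, f["reason"]
            cur.bytes_out, cur.bytes_in = int(f["bytes_out"]), int(f["bytes_in"])
            open_by_user.pop(user, None)
            continue
        if cur is None or (msgid == "722051" and cur.assigned_ip is not None):
            cur = open_by_user[user] = Session(user, host, ts, src=f["src"])  # a new IP assignment is a new connection
            sessions.append(cur)
        if msgid == "722051":
            cur.assigned_ip = f["assigned_ip"]
        else:                           # 722055
            cur.client = f["client"]
    return sessions, logins

# Constructed sample, modelled on the lines quoted in the thread (users and IPs are made up).
SAMPLE_LOGS = [
    "2020-05-04T10:56:57+02:00 10.66.65.70 :May 04 08:55:45 UTC: %ASA-auth-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice",
    "2020-05-04T10:57:02+02:00 10.66.65.70 :May 04 08:55:50 UTC: %ASA-vpn-6-722051: Group <RemoteAccessVPN-MUC> User <alice> IP <203.0.113.10> IPv4 Address <10.10.20.7> IPv6 address <::> assigned to session",
    "2020-05-04T10:57:03+02:00 10.66.65.70 :May 04 08:55:51 UTC: %ASA-svc-6-722055: Group <RemoteAccessVPN-MUC> User <alice> IP <203.0.113.10> Client Type: Cisco AnyConnect VPN Agent for Windows 4.8.02042",
    "2020-05-04T12:42:54+02:00 10.66.65.70 :May 04 10:41:42 UTC: %FTD-auth-4-113019: Group = RemoteAccessVPN-MUC, Username = alice, IP = 203.0.113.10, Session disconnected. Session Type: SSL, Duration: 1h:45m:52s, Bytes xmt: 21247692, Bytes rcv: 7087992, Reason: Idle Timeout",
    "2020-05-04T13:00:00+02:00 10.66.65.70 :May 04 11:00:00 UTC: %ASA-auth-4-113019: Group = RemoteAccessVPN-MUC, Username = bob, IP = 198.51.100.4, Session disconnected. Session Type: SSL, Duration: 0h:30m:00s, Bytes xmt: 1048576, Bytes rcv: 524288, Reason: User Requested",
    "2020-05-04T13:05:00+02:00 10.66.65.70 :May 04 11:05:00 UTC: %ASA-vpn-6-722051: Group <RemoteAccessVPN-MUC> User <carol> IP <192.0.2.33> IPv4 Address <10.10.20.9> IPv6 address <::> assigned to session",
]

if __name__ == "__main__":
    for s in sorted(reconstruct_sessions(SAMPLE_LOGS)[0], key=lambda x: x.start, reverse=True):  # like "sort -_time"
        print(s.user, s.total_time(), s.src, s.assigned_ip, s.reason, *s.megabytes(), s.client, sep=" | ")
```

In the sample, alice has the full 722051/722055/113019 trio, bob only has the 113019 (the start is derived from Duration, which is the point made about 113019 being self-sufficient), and carol is still connected and so shows "--> current session".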