cander611 Absent Member.

ASA VPN Logs

Has anyone had any luck tracking VPN sessions from a Cisco ASA?  I can't find anything in the events it generates that identifies each session so I can have a definitive start/stop for the session list.
Doug5x9 Absent Member.

Re: ASA VPN Logs

Hi Chris,

I have not integrated ASA logs with ArcSight, but at a previous job I had a syslog filter on an ASA to capture VPN login events.

On the ASA you can capture specific syslog event IDs, for example a successful VPN login event is 113012.

Here is the exhaustive list:

https://www.cisco.com/en/US/docs/security/asa/asa81/system/message/81logmsg.html

Hope this helps,

Doug

kgraham Super Contributor.

Re: ASA VPN Logs

I have had success on Logger tracking logons.  I have not attempted complete sessions as of yet.   So far I have not transferred that knowledge to ESM.   What type of connection are you attempting to track, SSL Client, Clientless or IPSec?  Are you looking for complete session connection time?

Kim

Vini Acclaimed Contributor.

Re: ASA VPN Logs

I have not made use of it, but the events are there. You can create a session list and a rule which adds entries to the session list and then terminates them when the VPN session ends. With this you should be able to track exactly the time the users were connected, and you can keep track of their IP addresses at any time they are connected.

cander611 Absent Member.

Re: ASA VPN Logs

I've found a logout event ID that puts the duration of the connection in the devicecustomstring6 field. It's easy enough to create a report based just on that event ID. Now to complicate things a little... is there a way to pick a username off that list and add up all the duration times for a specific period?

For example, if someone says they are going to work from home, could I run a report to show how long they were logged in that day? I could manually add up all the duration times for that user on that day, but is there a way to have ArcSight do it for me?

Vini Acclaimed Contributor.

Re: ASA VPN Logs

Yes it is possible.

What would a specific period be in your case?

cander611 Absent Member.

Re: ASA VPN Logs

I'd like to do it by day.  For example, on Monday this user logged into VPN 6 times for a total of 1 hour 45 minutes.

The syslog output would show 6 events with duration times totaling 1 hour 45 minutes.

Vini Acclaimed Contributor.

Re: ASA VPN Logs

I think you don't even need a session list for this. The ASA VPN events themselves should have the duration and all you have to do is to sum it.

You may want to create a trend and run the report from it.

Have a look and let me know how you went.

cander611 Absent Member.

Re: ASA VPN Logs

I have a query built to filter for the event ID and pull the username, IP, and duration fields. I set up a trend to use that query. How do I set it up to SUM the time field?

Vini Acclaimed Contributor.

Re: ASA VPN Logs

You should be able to convert it to minutes and then sum it.

To be honest I cannot remember if there was a way to convert it, I think you can use a variable to do it.

dkeller Outstanding Contributor.

Re: ASA VPN Logs

Chris,

If the duration is in a deviceCustomString field you first have to convert it to a number by using the stringToInteger or stringToDouble variable. 

Select all the fields you want to show on the report, including the variable you created. Group on all these fields, except on the variable. In the SELECT statement apply the function SUM to the variable. Order by your choice of fields.

This should give you what you are looking for. You can play with the grouping feature at the report level to make the report more interesting and understandable.

HTH,

Doron

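The steps in the answer above (convert the string duration to a number, group by user and day, SUM), worked through outside ArcSight as an added example that is not part of the thread or of any ArcSight content. It assumes the logout event is the ASA session-disconnect message 113019 (the thread does not name the ID), a duration written as `Nh:MMm:SSs` with an optional leading `Nd`, and a collector-added ISO timestamp and hostname; the sample lines, usernames and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input. Assumed layout: ISO timestamp and hostname added by
# the syslog collector, then the ASA session-disconnect message (ID 113019).
_FMT = ("{ts} asa01 %ASA-4-113019: Group = RA-VPN, Username = {user}, "
        "IP = 198.51.100.7, Session disconnected. Session Type: SSL, "
        "Duration: {dur}, Bytes xmt: 1200, Bytes rcv: 3400, Reason: User Requested")
SAMPLE = [_FMT.format(ts=t, user=u, dur=d) for t, u, d in [
    ("2024-03-04T08:20:00", "alice", "0h:20m:00s"),
    ("2024-03-04T09:40:00", "alice", "0h:15m:00s"),
    ("2024-03-04T11:05:00", "alice", "0h:30m:00s"),
    ("2024-03-04T13:10:00", "alice", "0h:10m:00s"),
    ("2024-03-04T15:30:00", "alice", "0h:25m:00s"),
    ("2024-03-04T17:00:00", "alice", "0h:05m:00s"),
    ("2024-03-04T23:59:00", "bob", "1d 0h:00m:05s"),
    ("2024-03-05T08:00:00", "alice", "0h:07m:30s"),
]] + ["2024-03-04T08:00:00 asa01 %ASA-6-113012: AAA user authentication "
      "Successful : local database : user = alice"]  # login event: ignored

DISCONNECT = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-\d-113019: .*?Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. .*?Duration: (?P<dur>[^,]+),")
DURATION = re.compile(r"^(?:(?P<d>\d+)d\s+)?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s$")

def duration_to_seconds(text):
    """Turn the string duration ('0h:20m:00s', '1d 0h:00m:05s') into a number."""
    m = DURATION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised duration: {text!r}")
    hours = int(m["d"] or 0) * 24 + int(m["h"])
    return (hours * 60 + int(m["m"])) * 60 + int(m["s"])

def daily_totals(lines):
    """Group by (username, day of the disconnect event); count sessions, SUM seconds."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = DISCONNECT.match(line)
        if m is None:
            continue  # not a session-disconnect event
        day = datetime.fromisoformat(m["ts"]).date().isoformat()
        bucket = totals[(m["user"], day)]
        bucket[0] += 1
        bucket[1] += duration_to_seconds(m["dur"])
    return {key: tuple(val) for key, val in totals.items()}

if __name__ == "__main__":
    for (user, day), (count, secs) in sorted(daily_totals(SAMPLE).items()):
        print(f"{day} {user}: {count} sessions, {secs // 3600}h {secs % 3600 // 60}m")
```

Because the duration only arrives with the disconnect event, a session that spans midnight is counted entirely on the day it ended (bob's one-day session above), so a per-day total can exceed 24 hours.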
aneeshpskadavil1 Honored Contributor.

Re: ASA VPN Logs

Hi Chris,

We have the ASA VPN integrated with ArcSight. I need some help in working out the user tracking events for ASA. Now when I am looking at the logs, they are full of technical terms that I am not very familiar with. I am very new to ArcSight and security. Any information you can share with me will be of great help. I have tried reading the log message details, but they are too long to understand. I am especially interested in the login and logoff events to start with.

Please help me on this,

Thanks and regards,

Aneesh Salimkumar
