01-10-2017 01:06 AM - edited 03-12-2019 01:45 AM
Hi all,
The problem I'm facing is how to keep a trace of the VPN sessions that are opened through our ASA5515-X and put them in a readable file, such as a CSV file, so that the IT administrator can use it.
Syslog software like Kiwi delivers logs, but these are readable only by an expert, who can extract all the messages related to VPN session login/logoff.
Open source syslog solutions like Graylog, OSSIM, ELK, etc. are also not dedicated to this purpose.
The CLI commands that show us the active VPN sessions (AnyConnect, VPN client and site-to-site) are as below:
show vpn-sessiondb remote
show vpn-sessiondb anyconnect
show vpn-sessiondb l2l
The problem with these commands is that they deliver only the result at the time we execute the command, but what we need is logs from any time that I need.
I think that the only solution is to develop a script that can launch these commands and save the result in a readable file so the IT administrator can manipulate it as an archive document.
Please, if you have any advice or suggestions, let me know.
Best regards,
01-10-2017 05:39 AM
You can create a script in new ASA software 9.2.1 and up with an EEM script. See the EEM section on this forum; it has some good pre-built scripts you could probably manipulate to what you need as an option.
01-10-2017 05:53 AM
Thank you a lot, Mr. Mark, but can you explain to me more what you mean by "You can create a script in new ASA software 9.2.1"?
01-10-2017 05:58 AM
You can create an EEM script to run automatically, based on actions or settings in the ASA itself, to run all the commands and send them by email or send them to flash in the ASA to be extracted. Is that what you're trying to do? I do it in IOS when I'm trying to capture a real-time issue with CPU.
01-10-2017 06:10 AM
I understand now what you mean, but I don't know if it will help me.
My goal is to have a file which indicates all VPN sessions opened through my ASA.
The problem is that the "show command" only delivers output in real time; delivering a history of sessions opened over, for example, one month is not possible.
Do you think that an EEM script will meet my needs?
01-10-2017 06:23 AM
Ah, I see what you're trying to do. The only way I would think the EEM script may work is if you set the commands to run every couple of hours each day for a month, keep sending it to the same text file in flash, and then extract or email it to yourself at the end of the month. That way you build up the month's connections, but it would be better if there was an actual history command where you could see all previous connections without having to do that, as the file will have a lot of outputs at the end of the month.
01-10-2017 06:47 AM
Yes, this is exactly what I'm trying to do. If there is a command which displays all previous VPN connections, I will be thankful.
01-10-2017 07:18 AM
There is no history command; you would have to collect it and go through it. The other option is to raise it with your Cisco account manager; they can ask for a feature request for the developers to create it in the next release that comes out.
01-10-2017 08:17 AM
Thank you Mr. Mark
Best wishes.
03-24-2017 11:09 AM
"Open source syslog solutions like Graylog, OSSIM, ELK, etc. are also not dedicated to this purpose."
A little late to the party, but why not have ACS or ISE or whatever you have for your AAA accounting send its syslog messages to Logstash?
I have a full deployment of ELK at all 30 of my locations and it rocks out on these kinds of logs for reporting, graphing, etc.
01-12-2017 01:52 AM
I finally found a solution for this purpose that I want to share with all members.
https://supportforums.cisco.com/discussion/11669281/cisco-asa-5510-vpn-login-history#comment-11807946
Best regards,
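Added example, not part of any post in this thread: the syslog route discussed above, reduced to a CSV an administrator can read. It assumes the ASA sends message IDs 113039 (AnyConnect parent session started) and 113019 (session disconnected) to a syslog server; the timestamp/host prefix, the function names and the sample lines are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample syslog lines (not from the thread). The prefix format is an
# assumption; it depends on the ASA "logging timestamp" setting and the collector.
SAMPLE_LOG = """\
Jan 10 2017 08:01:12 asa1 : %ASA-6-113039: Group <GroupPolicy_RA> User <alice> IP <198.51.100.7> AnyConnect parent session started.
Jan 10 2017 08:05:40 asa1 : %ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/50000 (198.51.100.7/50000) to inside:10.0.0.5/443 (10.0.0.5/443)
Jan 10 2017 09:30:02 asa1 : %ASA-4-113019: Group = GroupPolicy_RA, Username = alice, IP = 198.51.100.7, Session disconnected. Session Type: SSL, Duration: 1h:28m:50s, Bytes xmt: 1048576, Bytes rcv: 524288, Reason: User Requested
"""

LOGIN = re.compile(r"%ASA-\d-113039: Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>")
LOGOFF = re.compile(
    r"%ASA-\d-113019: Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), IP = (?P<ip>[^,]*), "
    r"Session disconnected\. Session Type: (?P<type>[^,]*), Duration: (?P<duration>[^,]*), "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.*)$")
TIMESTAMP = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})")
FIELDS = ["timestamp", "event", "user", "group", "ip", "type", "duration", "xmt", "rcv", "reason"]

def safe_cell(value):
    # Usernames come from the client side: neutralise spreadsheet formula triggers.
    return "'" + value if value[:1] in ("=", "+", "-", "@") else value

def parse_line(line):
    """Return a dict for a VPN login/logoff line, or None for any other message."""
    for event, pattern in (("login", LOGIN), ("logoff", LOGOFF)):
        m = pattern.search(line)
        if m:
            ts = TIMESTAMP.match(line)
            row = {"timestamp": ts.group(1) if ts else "", "event": event}
            row.update({k: safe_cell(v) for k, v in m.groupdict().items()})
            return row
    return None

def to_csv(log_text):
    """Convert raw syslog text to CSV text holding only VPN session events."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, restval="", lineterminator="\n")
    writer.writeheader()
    for line in log_text.splitlines():
        row = parse_line(line)
        if row:
            writer.writerow(row)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(SAMPLE_LOG), end="")
```

Because the events are taken from the syslog stream rather than from periodic `show vpn-sessiondb` snapshots, sessions that start and end between two polls are still recorded.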