
VPN3000 Usage Reporting?

sneeland
Level 1

Is there a way to report what VPN 'groupnames' and 'usernames' have been used to connect to the VPN concentrator? I'm looking for something that I can access to create various usage reports. The online 'Monitoring|Sessions' screen works fine for snapshot views, but I need to report for a longer time period (like a week). If I can just get the data, I can write my own report programs, I just need to see if the data exists and how to get to it.

Thanks!!!

Steve

Steve.Neeland@americawest.com

8 Replies

john.gudmann
Level 1

If you are using Cisco Secure Server (ASC 3.0), yes, via the Radius report. Or just set up the FTP backup interface and then use the log file to scan for Group/User.

When I go to 'Monitoring|Filterable Event Log' and choose GET LOG for ALL events, it does not display SUCCESSFUL login attempts, only errors or failures. How can I capture those SUCCESSFUL logins???

sneeland
Level 1

I'm amazed any type of usage reporting does not exist, whether thru Cisco, third-party, or home-grown. Is reporting of successful connection sessions just not possible?????

Not applicable

No, we do that type of report all of the time using our Cisco ACS server. We use ACS for Radius authentication and accounting on our 3030. I also think there are some network management systems that can also track that information.

6dsarvai
Level 1

This is a question we had about a month ago. The easiest way to pull the data you want from the C3000 concentrator is to write the log files to an FTP Server and parse the log files with a script to a Database.

Although it sounds difficult, it is quite easy. Here is how ours works.

The C3030 writes log files (Usually 170kb each) to an FTP Server.

Our (W2K) Web Server runs a PERL script twice a day which does a few things:

1. Parse every file in the FTP directory looking for any line with a "Disconnect" in it. This line is important as it contains the Username, Duration, XMBytes, TXBytes... All the User Data you might be interested in.

2. Writes each parsed line into a Microsoft Database (Using SQL statements).

3. After parsing each file, it moves the file to an Archive directory so it isn't parsed twice.

There is a 2nd Script I wrote which produces HTML Reports on Usage from the Database file. The Reports can be customized to produce durations (Last Day, week, month, year) you like.

NOTE: Group Name is contained in a separate Log Entry, which shows prior to the "Disconnect" I am interested in. You could parse for both lines if you like. Here are the two sample lines we are interested in:

35353 08/02/2002 11:58:22.760 SEV=5 IKE/50 RPT=536 12.65.54.9 Group [DrcUser] User [drc\larry smith]Connection terminated for peer drc\larry smith (Peer Terminate)Remote Proxy 1.2.3.4 Local Proxy 4.3.2.0

35356 08/02/2002 11:58:22.760 SEV=4 AUTH/28 RPT=201 12.65.54.9 User [drc\larry smith] disconnected: Duration: 0:01:47 Bytes xmt: 4968 Bytes rcv: 11528 Reason: User Requested

Nelson Rodrigues
Cisco Employee

Steve, there's a couple of ways you can accomplish this.

1) Send your VPN 3000 logs to an FTP/Syslog server.

Interesting events are those in AUTH, IKE, and IKEDBG. For the most part level 6 events are enough for what you want. There are specific events that tell you what you are looking for, see examples below:

417 10/24/2002 07:52:21.450 SEV=4 IKE/52 RPT=52 x.y.z.a
Group [Unity] User [carvalheda]
User (carvalheda) authenticated.

791 10/24/2002 00:15:54.870 SEV=5 IKE/184 RPT=592 x.y.z.a
Group [remote] User [willy]
Client OS: WinNT
Client Application Version: 3.61(Rel)

803 10/24/2002 00:15:56.140 SEV=9 IKEDBG/31 RPT=579 x.y.z.a
Group [remote] User [willy]
Obtained IP addr (161.44.128.52) prior to initiating Mode Cfg (XAuth enabled)
(the Assigned IP address)

649 10/24/2002 07:52:22.770 SEV=4 IKE/120 RPT=72 x.y.z.a
Group [Unity] User [carvalheda]
PHASE 2 COMPLETED (msgid=61fc8407)
(this event means the tunnel/user is connected)

21 10/24/2002 00:15:47.850 SEV=4 AUTH/28 RPT=574 x.y.z.a
User [willy] disconnected:
Duration: 0:53:29
Bytes xmt: 2706280
Bytes rcv: 366336
Reason: User Requested

2) A second way is via SNMP Get/GetNext request on the following VPN 3000 (Altiga) private MIB table.

.iso.org.dod.internet.private.enterprises.altigaRoot.altigaGeneric.altigaMib.altigaStats.alStatsSession.alActiveSessionTable.alActiveSessionEntry
( OID .1.3.6.1.4.1.3076.2.1.2.17.2.1 )

alActiveSessionUsername - authenticated user names
alActiveSessionIpAddress - Assigned IP address
alActiveSessionConnectTime - tunnel duration
alActiveSessionGroupName - group name

Hope this helps.

Nelson.
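
Added example (not part of any post in this thread, and not Cisco's or a poster's code): one way to do the log-to-database step described in the two replies above, handling both the one-line events and the events that continue over several lines. The header layout, the (peer, user) key used to attach the group name, the table layout and the sample lines are assumptions made for the example.

```python
import re
import sqlite3
from datetime import datetime

# Assumed event layout: "<seq> MM/DD/YYYY HH:MM:SS.mmm SEV=n CLASS/num RPT=n <peer> [text]"
HEADER = re.compile(r"^\d+ (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) SEV=\d+ (\w+/\d+) RPT=\d+ (\S+)\s*(.*)$")
GROUP_USER = re.compile(r"Group \[([^\]]*)\] User \[([^\]]*)\]")
DISCONNECT = re.compile(r"User \[([^\]]*)\] disconnected:\s*Duration: (\d+):(\d\d):(\d\d)\s*"
                        r"Bytes xmt: (\d+)\s*Bytes rcv: (\d+)\s*Reason: (.*)")
# Constructed sample adapted from lines quoted in the thread (peer 192.0.2.7 is made up).
SAMPLE = r"""35353 08/02/2002 11:58:22.760 SEV=5 IKE/50 RPT=536 12.65.54.9 Group [DrcUser] User [drc\larry smith]Connection terminated for peer drc\larry smith (Peer Terminate)
35356 08/02/2002 11:58:22.760 SEV=4 AUTH/28 RPT=201 12.65.54.9 User [drc\larry smith] disconnected: Duration: 0:01:47 Bytes xmt: 4968 Bytes rcv: 11528 Reason: User Requested
791 10/24/2002 00:15:54.870 SEV=5 IKE/184 RPT=592 192.0.2.7
Group [remote] User [willy]
821 10/24/2002 01:09:23.850 SEV=4 AUTH/28 RPT=574 192.0.2.7
User [willy] disconnected:
Duration: 0:53:29
Bytes xmt: 2706280
Bytes rcv: 366336
Reason: User Requested""".splitlines()

def events(lines):
    """Return [timestamp, event_id, peer, text] per event, folding continuation lines into text."""
    out = []
    for line in map(str.strip, lines):
        m = HEADER.match(line)
        if m:
            out.append([datetime.strptime(m[1], "%m/%d/%Y %H:%M:%S.%f"), m[2], m[3], m[4]])
        elif out and line:
            out[-1][3] = f"{out[-1][3]} {line}".strip()
    return out

def load_sessions(lines, db):
    """Insert one row per AUTH/28 disconnect, using bound parameters (user names are untrusted text)."""
    db.execute("CREATE TABLE IF NOT EXISTS sessions (ended, username, grp, peer,"
               " seconds INTEGER, bytes_xmt INTEGER, bytes_rcv INTEGER, reason)")
    group_of = {}  # assumption: (peer, user) -> group from the latest Group/User event
    for ts, event_id, peer, text in events(lines):
        if g := GROUP_USER.search(text):
            group_of[(peer, g[2])] = g[1]
        if event_id == "AUTH/28" and (d := DISCONNECT.search(text)):
            secs = int(d[2]) * 3600 + int(d[3]) * 60 + int(d[4])
            db.execute("INSERT INTO sessions VALUES (?,?,?,?,?,?,?,?)",
                       (ts.isoformat(), d[1], group_of.get((peer, d[1])), peer,
                        secs, int(d[5]), int(d[6]), d[7].strip()))

def usage_report(db):
    """Sessions, total seconds and total bytes per (group, user)."""
    return db.execute("SELECT grp, username, COUNT(*), SUM(seconds), SUM(bytes_xmt + bytes_rcv)"
                      " FROM sessions GROUP BY grp, username ORDER BY grp, username").fetchall()
```

Because the end time is stored in ISO form, a weekly report is a WHERE clause on the ended column; a disconnect with no earlier Group/User event for the same peer and user is stored with a NULL group.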

I will check on this this week.....

One thing that I tried was increasing the amount of data that went to the log so that the login info was written. But then I had the issue of how to know the filenames containing the log data that I would FTP over to the system I was processing the data from. Looks like the log filenames would add an incremental number to the end of each log file. This would make it hard to set up an FTP script on my 'other' system that the files would be FTP'd to. Any ideas how to control the log file size and file name????

Thank you so much for your response.

t.holden
Level 1

Try PrivateI from Network Intelligence Corp.

www.network-intelligence.com