03-24-2009 05:59 AM
I need to look at the logs from the past couple of days for a few specific VPN users and am not familiar enough with MARS to know how to do this.
Thanks, Tony
03-24-2009 11:35 AM
For me, it depends on the device I am using. For a quick search, I will look for the event type "IKE Phase 2 Completed" and this will give me what I am looking for. If you have site-to-site tunnels, that may not work the best. If you are using RADIUS, you could try searching event type "PIX AAA user authentication successful". There are canned reports for authentication but I haven't had good luck with them yet. Otherwise, run a real-time report on that device, connect to the VPN and see what logs come in, and then search on one that shows complete or successful in the message, and that should bring up the recent connections as well.
03-25-2009 06:57 AM
Thanks for the response. What I'm trying to do is pull ASA logs, looking for specific user IDs within a certain time range. These are dynamic connections initiated via the VPN client on the user's machine.
Where do you see the event type "IKE Phase 2 Completed"? What query or report? Or are you just looking at the events themselves and sorting through them?
When I need to look at logs currently, I usually download the raw events from a specific day and dig through them, but I was told there was a much easier way to do this type of work.
Thanks, Tony
04-10-2009 12:33 PM
You can run a query in the MARS based on "reported user".
You could also try running a query with the user's ID specified in the "keyword" section.
04-14-2009 04:30 AM
How do I get to the "reported user" report? Thanks for the help.