When the user/client fails authentication, you'll get a message of "%ASA-6-611102: User authentication failed.
are you using ASA with sfr sensor. or you using FTD?
with ASA sfr sensor I am afraid you cant setup the alert on FMC. its only set up on ASA and could get a syslog message as @Cristian Matei mentioned.
however, if you using FTD than yes. you can configure the logging/alerts setup.
Thanks, I just got around to testing this. I might open a case with tac. I tried the recommended filter and was not getting anything in my syslog. I deleted the filter, then just send anything informational to my syslog then I started to see the logs roll in. I tried some failed logins to my vpn, but I am not seeing them come in via syslog. If I grep for 611102, nothing shows up.
The correct logging event is %ASA-6-113005.
There appears to be a bug where it doesn't show the username. But this is what I am looking for to monitor failed anyconnect login attempts.