You can configure the ASA to send syslog messages when the user connects and disconnects.
The syslog message# for vpn user connection is syslog# 713119 and 611310 and for disconnect is syslog# 113019 and 713049.
The above will show you connects and disconnects for IPSec VPN traffic.
Its also worth noting there are a few other kinds of "remote access" VPN like webvpn/clientless, anyconnect/ssl vpn client that you might also want to track.
If you are using Clientless SSL VPN the syslogs usually begin with 716xxx. For example the syslog for connect is 716001 and disconnect is 716002.
If you are using SSL VPN Client the syslogs usually begin with 722xxx.
Here are some other helpful notes to keep in mind:
-You can tell what levels of logging you currently have on the ASA command line with "show log"
-The logs that you send to a syslog server are controlled with the "Trap logging" commands. For example "logging trap informational" (level 6) or "logging trap alerts" (level 1)
-You can tell what severity level (ie alerts, critical, errors, warnings, notifications, informational, debugging) each of these logs through this link.
-If you want to create a specific subset of syslogs to send to a particular device, you can accomplish this with a logging class or a logging list:
For example :
logging class vpnc trap informational
logging list mylist message 722022
logging list mylist message 722023
logging trap mylist
Below link can help related to syslog configuration.
https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.htmlAlso, I believe you can first check the log ID being generated on your ASA for remote user login and logout and then can accordingly configure syslog.
-
Pulkit
Keep rating helpful posts.
