How to log all users connecting to Anyconnect to Syslog

Rick Morris
Level 6

I want to make sure I log all users who connect to AnyConnect and send the data to a syslog server.

 

What I need to do is capture the IP of the user and the login credentials (username), with a date and time stamp.

What is the easiest method for doing this? We have a syslog server and are sending some detail, but not the IP and user details.

 

Also, for authentication we send to LDAP, so the user logs in with AD credentials, and we also use Duo for MFA.

1 Reply

Afolarin Omole
Level 1

@Rick Morris 

I haven't done this before, and it is challenging and worth looking into by simulating this in a lab environment, due to the fact that the syslog command doesn't seem to allow VPN ports except NAT-T port 4500, which falls within the port range.

 

Normally I view these logs through the vpn-sessiondb command, and looking at the documentation on this, it falls back to the ASA command I was thinking of, which is:

 

logging host interface_name syslog_ip [tcp[/port] | udp[/port]] [format emblem]

 

But the above command only accepts a certain range of ports according to the documentation (1025-65535); in this case only the NAT-T port, 4500, falls within this range, not ISAKMP 500 or IPsec 50 or 51. Please refer to this link: https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/monitor_syslog.html#68764

But really, for the details stated in your question that you want to log, I would just go for vpn-sessiondb ra and copy from there. Let me know if this helps.
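The fields the question asks for (username, client IP and a timestamp for every AnyConnect login and logout) leave the ASA as specific syslog message IDs once they reach the collector. As an added example, not code from either poster, here is a small Python parser that pulls those fields out of the feed and folds them into one row per session. The sample lines are constructed, not captured from a device: they follow the documented formats of 113039 (AnyConnect parent session started), 722051 (address assigned to session), 113019 (session disconnected) and 113005 (AAA authentication rejected), but the usernames, group name and addresses are invented, and the script itself is an assumption about how the collector side would consume the feed.

```python
"""Extract AnyConnect login/logout records from ASA syslog output.

Added example for this thread, not code from either poster.  The sample lines
below are constructed (invented users, group and addresses) to follow the
documented formats of these ASA message IDs:
  113039  AnyConnect parent session started      (user, client IP)
  722051  IPv4/IPv6 address assigned to session   (user, client IP, assigned IP)
  113019  Session disconnected                    (user, client IP, duration)
  113005  AAA user authentication rejected        (user, client IP)
"""
from __future__ import annotations

import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample feed, written the way the ASA formats it with
# `logging timestamp` on.  The second line carries the <PRI> prefix a syslog
# collector sees on the wire; the last line is an ordinary connection-build
# message (302013) that the parser must ignore.
SAMPLE_LOGS = """\
Jun 03 2021 14:02:11: %ASA-6-113039: Group <SSL-VPN> User <jdoe> IP <203.0.113.7> AnyConnect parent session started.
<166>Jun 03 2021 14:02:12: %ASA-6-722051: Group <SSL-VPN> User <jdoe> IP <203.0.113.7> IPv4 Address <10.10.10.21> IPv6 address <::> assigned to session
Jun 03 2021 14:05:40: %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.20 : user = asmith : user IP = 198.51.100.9
Jun 03 2021 16:30:02: %ASA-4-113019: Group = SSL-VPN, Username = jdoe, IP = 203.0.113.7, Session disconnected. Session Type: SSL, Duration: 2h:27m:50s, Bytes xmt: 1234, Bytes rcv: 5678, Reason: User Requested
Jun 03 2021 16:31:00: %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.3/4444 (198.51.100.3/4444) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# Common header: optional <PRI>, ASA timestamp, "%ASA-<severity>-<id>: ", body.
HEADER = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)$"
)

# Per-message-ID body patterns.  The 113039/722051 family writes fields as
# "User <name> IP <addr>"; 113019 and 113005 use "key = value" instead.
BODY: Dict[str, Tuple[str, re.Pattern]] = {
    "113039": ("session-start",
               re.compile(r"User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")),
    "722051": ("address-assigned",
               re.compile(r"User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> "
                          r"IPv4 Address <(?P<assigned>[^>]+)>")),
    "113019": ("session-end",
               re.compile(r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+),")),
    "113005": ("auth-rejected",
               re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)")),
}


def parse_line(line: str) -> Optional[dict]:
    """Return a record for one VPN-session message, or None for anything else."""
    m = HEADER.match(line.strip())
    if not m or m.group("id") not in BODY:
        return None
    event, pattern = BODY[m.group("id")]
    b = pattern.search(m.group("body"))
    if not b:
        return None          # known ID but unexpected body: do not guess fields
    rec = {
        "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "msg_id": m.group("id"),
        "event": event,
        "user": b.group("user"),
        "client_ip": b.group("ip"),
    }
    if "assigned" in b.groupdict():
        rec["assigned_ip"] = b.group("assigned")
    return rec


def parse_logs(text: str) -> List[dict]:
    """Parse a whole feed, keeping only the VPN-session records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def sessions(records: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Fold message records into one entry per (user, client IP)."""
    table: Dict[Tuple[str, str], dict] = {}
    for r in records:
        s = table.setdefault((r["user"], r["client_ip"]),
                             {"start": None, "end": None,
                              "assigned_ip": None, "rejected": 0})
        if r["event"] == "session-start":
            s["start"] = r["time"]
        elif r["event"] == "address-assigned":
            s["assigned_ip"] = r["assigned_ip"]
        elif r["event"] == "session-end":
            s["end"] = r["time"]
        elif r["event"] == "auth-rejected":
            s["rejected"] += 1
    return table


if __name__ == "__main__":
    for (user, ip), s in sessions(parse_logs(SAMPLE_LOGS)).items():
        print(f"{user:<8} from {ip:<15} assigned {s['assigned_ip']} "
              f"start {s['start']} end {s['end']} rejected {s['rejected']}")
```

For these messages to arrive at all, the ASA side needs `logging enable`, `logging timestamp`, a `logging host` line pointing at the collector, and `logging trap informational` (or the individual IDs raised with `logging message <id> level <level>`), because 113039, 722051 and 113005 are severity 6 and a `logging trap` level of warnings or notifications silently drops them. The port given on `logging host` is only the port the collector listens on (UDP 514 when omitted) and has no relation to the VPN's own ISAKMP, NAT-T or IPsec ports. Because Duo sits in the LDAP/RADIUS path, a user who passes AD but fails the MFA push still shows up only as a 113005 reject on the ASA, so the "rejected" counter is what to alert on for that case.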