08-03-2013 06:44 AM
Hello,
I've got a client who wants to log and be emailed about each successful/failed Cisco Easy VPN Login attempt.
Can anyone point me in the right direction of doing this?
I assume it will need to be done with something like syslog but just not sure where to start looking.
Cheers
Peter Sheridan
08-03-2013 07:30 AM
Hi Peter,
You'll need the 'crypto logging session' and 'crypto logging ezvpn' commands enabled aside from the normal syslog config or setup.
Sent from Cisco Technical Support iPhone App
08-03-2013 04:50 PM
Thanks John.
After that happens, I assume something will need to be configured on the syslog server to email a user based on certain results?
08-03-2013 05:07 PM
Yes, if your syslog server supports such customized feature.
Sent from Cisco Technical Support iPhone App
08-03-2013 05:12 PM
No worries - leave it with me and I'll post back my results.
12-31-2014 08:54 PM
I know this post is a year old but I have recently had to revisit this so thought I would post back my results.
What I found was that the commands 'crypto logging session' and 'crypto logging ezvpn' were not working. My understanding is that my AnyConnect system is using SSL VPN, not IPsec, hence that is why it was not working.
I did a bit of googling and couldn't find any logging options for SSL VPN/AnyConnect. There were plenty of debug options though.
After turning on debugging for aaa using the following command, 'debug webvpn aaa', the messages below were generated.
WV-AAA: AAA authentication request sent for user: "demo"
WV-AAA: AAA Authentication Passed!
WV-AAA: AAA authentication request sent for user: "demo"
WV-AAA: AAA Authentication Failed!
This worked great, but since it was using the debug option, I would lose the logging after a reload.
Then I came across these commands:
login on-failure log
login on-success log
These are more of a global option, that log not just success/failures for Webvpn but also things like SSH, Telnet sessions etc.
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: demo] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed]
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: demo] [Source: 1.1.1.1] [localport: 443]
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: demo] [Source: 1.1.1.1] [localport: 443] [Reason: Login Authentication Failed]
Perfect! A summary of the config is below. It may not be the best way to do it, but it works for me.
!
login on-failure log
login on-success log
!
logging trap debugging
logging 192.168.100.10
!
service timestamps debug datetime localtime
service timestamps log datetime localtime
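As an added example that is not from the thread or from Cisco: once the %SEC_LOGIN messages above reach the syslog host, a small script like this can turn each VPN attempt into an email subject/body and keep a count of failures per source address. The sample log lines are constructed from the messages quoted above, the port-to-service mapping (443 = WebVPN/AnyConnect, 22/23 = management) is an assumption, and actual mail delivery is left to whatever the syslog host already uses.

```python
import re
from collections import Counter
# Constructed sample syslog text, modelled on the %SEC_LOGIN lines quoted in the thread.
SAMPLE_LOG = """\
*Dec 31 20:10:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: demo] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed]
*Dec 31 20:10:05: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: demo] [Source: 1.1.1.1] [localport: 443]
*Dec 31 20:10:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: demo] [Source: 1.1.1.1] [localport: 443] [Reason: Login Authentication Failed]
"""

# Assumption: 443 is the WebVPN/AnyConnect listener; 22/23 are management access.
SERVICE_BY_PORT = {22: "ssh", 23: "telnet", 443: "webvpn"}

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<mnemonic>LOGIN_FAILED|LOGIN_SUCCESS): Login \w+ "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]*)\] "
    r"\[localport: (?P<port>\d+)\](?: \[Reason: (?P<reason>[^\]]*)\])?"
)

def parse_login_event(line):
    """Parse one %SEC_LOGIN line; return None for lines that are not login events."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    port = int(m.group("port"))
    return {
        "user": m.group("user"),
        "source": m.group("source"),
        "service": SERVICE_BY_PORT.get(port, "other"),
        "success": m.group("mnemonic") == "LOGIN_SUCCESS",
        "reason": m.group("reason"),  # None on success
    }

def build_alerts(text, services=("webvpn",)):
    """Return (subject, body) pairs, one per login attempt on the services of interest."""
    alerts = []
    for line in text.splitlines():
        ev = parse_login_event(line)
        if ev is None or ev["service"] not in services:
            continue  # e.g. skip SSH attempts when only VPN logins should be mailed
        outcome = "SUCCESS" if ev["success"] else "FAILED"
        subject = f"{ev['service'].upper()} login {outcome}: {ev['user']} from {ev['source']}"
        alerts.append((subject, line.strip()))
    return alerts

def failures_by_source(text):
    """Count failed attempts per source address across all services."""
    events = (parse_login_event(line) for line in text.splitlines())
    return dict(Counter(ev["source"] for ev in events if ev and not ev["success"]))
```

Because 'login on-failure log' also covers SSH and Telnet, the `services` filter is what keeps the mailbox to VPN attempts only; the per-source failure count is useful for spotting repeated failures against the VPN listener.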