I am interested to see if anyone would be willing to share a sample with me.  I have the Cisco IOS VPN client configured on a number of devices in the field using the standard IPSEC VPN.  Some are using local authentication on the router, others are using a radius server.   I am interested to see how other people are solving for this (monitoring logins to VPN clients on IOS specifically 1800's, 1900's, 800's, 2800's).  Are you looing on this in AAA and then dumping to the logs or setting up an ACL to monitor logins and then dumping to kiwi syslogs or are you logging on radius connections?  I would love a point in the right direction, I know I can see active sessions but I am really interested in historical logging for security purposes.  Any suggestions would be welcome.  Thank you.