06-10-2013 08:09 AM
Hello,
Currently we use Cisco VPN Clients for remote access. Is it possible to track/log all sessions when users connect and disconnect?
Cisco Adaptive Security Appliance Version 8.2 (1)
Device Manager Version 6.2 (1)
Hardware: ASA5510
Thanks...J
06-10-2013 11:39 AM
This is one option,
The ASA will send an email to noc@xxx.com when a VPN is connected.
logging from-address asa5510@xxx.com
logging recipient-address noc@xxx.com level debu
logging list lista_email message 713120
logging list lista_email message 111008
logging list lista_email message 113019
logging list lista_email message 722033
smtp-server 1.1.1.1
logging mail lista_email
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You could also send this to a syslog server:
logging trap lista_email
logging host inside 1.1.1.2
06-11-2013 11:12 AM
Hi, did you have the chance to try it?
06-13-2013 11:50 AM
Hello,
Thanks for the reply, but I prefer to not get an email when each user connects to VPN. I am looking for a format where the file captures all connect and disconnect sessions with dates and time. Management is looking to see which users are connecting to VPN since few are working from home.
Since our users are using their AD to authenticate can I capture the info on the domain controller?
Thanks...
06-13-2013 11:57 AM
You can use the second option on the post and send the information to a syslog server.
If your ASA is using RADIUS to validate the username/password you will have the information of what time they connect on your event viewer.
Windows 2003 will have the information under "system" on event viewer.
Windows 2008 will have it under a custom view for the NPS service.
If your ASA is using LDAP I'm not sure if you can get this info through your AD.
Anyway with this option of looking in the AD you will only get the time they connect. (ASA will not consult the AD when the VPN is disconnected)
With the option of sending to a syslog server you will have the connection and disconnection time and you can set your syslog software to feed a file.
With the free Kiwi syslog server you can feed a txt file for free, and some other types of database with a license (SQL, for example).
06-13-2013 12:17 PM
After some searches I found the link below related to Cisco system log messages. So your second option might work for me. http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4774570.
Under Device Management>Logging>Logging Setup> I can configure to send to FTP Server which we do have one.
So I only need to go to Device Management>Logging>Event List and add Event Class and Message IDs which will get captured and pushed to the FTP Server?...is this the correct way to do it and would I only get VPN events or other events as well?
Thanks...
06-13-2013 12:09 PM
Basically, it's enough to have message 113019 (session disconnect) being logged to some syslog server. Then you can write some script which will collect these messages, say per day, and send them via email every morning. In this case users won't be bothered every minute with a new email saying that some user just connected/disconnected, but statistical info will be provided. Here is how the content of such an email would look (we do this as I described):
Jun 08 2013 00:10:43: %ASA-4-113019: Group = ANYCONNECT_CONPR, Username = phirsov, IP = x.x.x.x, Session disconnected. Session Type: SSL, Duration: 1h:11m:25s, Bytes xmt: 57952655, Bytes rcv: 3416542, Reason: User Requested
Jun 08 2013 00:28:16: %ASA-4-113019: Group = ANYCONNECT_CONPR, Username = popov, IP = x.x.x.x, Session disconnected. Session Type: AnyConnect-Parent, Duration: 5h:10m:39s, Bytes xmt: 63605532, Bytes rcv: 3498108, Reason: User Request
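The daily summary script described in the post above, sketched as an added example (not the poster's script and not Cisco code): it parses %ASA-4-113019 lines collected by a syslog server, derives each connect time from the disconnect timestamp minus Duration, and totals sessions per user per day. The function names, sample usernames and addresses are constructed, and the optional day prefix on Duration is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches %ASA-4-113019 disconnect lines in the format quoted in the post above.
# Assumption: sessions longer than 24 hours carry an optional "<N>d " prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-113019: "
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
    r"Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?:(?P<d>\d+)d )?(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.*)$"
)

def parse_disconnect(line):
    """Return one session record, or None if the line is not a 113019 message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    end = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    duration = timedelta(days=int(m["d"] or 0), hours=int(m["h"]),
                         minutes=int(m["m"]), seconds=int(m["s"]))
    # Connect time is derived, so one message gives both ends of the session.
    return {"user": m["user"], "group": m["group"], "ip": m["ip"],
            "type": m["type"], "start": end - duration, "end": end,
            "duration": duration, "xmt": int(m["xmt"]), "rcv": int(m["rcv"]),
            "reason": m["reason"]}

def daily_report(lines):
    """Group sessions by (disconnect date, username): count and total time."""
    report = defaultdict(lambda: {"sessions": 0, "total": timedelta()})
    for rec in filter(None, map(parse_disconnect, lines)):
        entry = report[(rec["end"].date(), rec["user"])]
        entry["sessions"] += 1
        entry["total"] += rec["duration"]
    return dict(report)

# Constructed sample input (usernames, group and addresses are made up).
SAMPLE = [
    "Jun 08 2013 10:15:30: %ASA-4-113019: Group = VPN_USERS, Username = alice, IP = 192.0.2.10, Session disconnected. Session Type: SSL, Duration: 1h:15m:30s, Bytes xmt: 1000, Bytes rcv: 2000, Reason: User Requested",
    "Jun 08 2013 18:00:00: %ASA-4-113019: Group = VPN_USERS, Username = alice, IP = 192.0.2.10, Session disconnected. Session Type: SSL, Duration: 0h:30m:00s, Bytes xmt: 500, Bytes rcv: 700, Reason: Idle Timeout",
    "Jun 09 2013 02:00:00: %ASA-4-113019: Group = VPN_USERS, Username = bob, IP = 192.0.2.20, Session disconnected. Session Type: SSL, Duration: 5h:00m:00s, Bytes xmt: 9000, Bytes rcv: 8000, Reason: User Requested",
    "Jun 08 2013 09:00:00: %ASA-5-111008: User 'admin' executed the 'show run' command.",
]

if __name__ == "__main__":
    for (day, user), e in sorted(daily_report(SAMPLE).items()):
        print(day, user, e["sessions"], "session(s), total", e["total"])
```

A session that crosses midnight is counted on the day it disconnected; the derived `start` field is there if the report should be keyed on connect time instead.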