Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
20741
Views
40
Helpful
22
Replies

User Login History

Go to solution
wynneitmgr
Level 3
Level 3

‎07-06-2021 09:23 AM

We have an ASA 5508 firewall and we use Cisco AnyConnect VPN for remote access for our users. I also use ASDM 7.9 to monitor and setup rules on firewall. I looked through SYSLOG and cannot find where I can see user login history to the VPN. Is there any easy way to do this? Thank you.

0 Helpful
22 Replies 22

Go to solution
Rob Ingram
VIP
VIP
In response to wynneitmgr

‎07-08-2021 06:20 AM

@wynneitmgr 

Cool, login to the VPN and see if you get an email.

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎07-08-2021 06:23 AM

@Rob Ingram 

No, I did not receive an email. under what tab/menu is the email configuration setup?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to wynneitmgr

‎07-08-2021 06:31 AM

@wynneitmgr 

Sorry I thought you were wanting to get the messages via mail rather than ASDM,

You will need to tweak the ASDM logging configuration to receive those messages. Try this:-

 

logging asdm informational

 

0 Helpful

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎07-08-2021 06:38 AM

@Rob Ingram 

No, I think I will just look in the logs for this information when needed. How long does information stay in the logs? Can I set it for a certain amount of days?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to wynneitmgr

‎07-08-2021 06:46 AM

@wynneitmgr 

There is a buffer, but that can quickly fill and overwrite the logs.

Generally you send logs to a syslog server, which I appreciate you may not have.

What you could do is log to ASDM just using that filter list we created, so it would only keep the logs for those messages and not the rest. That way the log won't fill up so quickly.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to wynneitmgr

‎07-10-2021 05:12 AM

Hi @wynneitmgr 

Sorry, I realise that syslog message number I previously provided was for logging user connections via the WebVPN not when connecting via AnyConnect.

 

The error message you need is 113004 is authenticating using LDAP/RADIUS or 113012 if using the ASA local database. Use the following configuration.

 

no logging mail Config_Changes
no logging list Config_Changes message 716001
logging list Config_Changes message 113004
logging list Config_Changes message 113012
logging mail Config_Changes

And if you want to send to ASDM console page instead or aswell as mail, use the following

 

logging asdm Config_Changes

Which will send the same messages to mail and asdm, as defined in the list. Create multiple lists if required.

0 Helpful

Go to solution
wynneitmgr
Level 3
Level 3
In response to Rob Ingram

‎07-08-2021 06:20 AM

@Rob Ingram 

 

It looks like the Syslog ID is 722033 for user logins on my ASA. Is there a difference between 722033 and 716001 and 716002?

 

asa3.png

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to wynneitmgr

‎07-08-2021 06:24 AM

There is a difference between the messages:-

 

722033
Error Message %ASA-5-722033: Group group User user-name IP IP_address First SVC connection established for SVC session.
Explanation The first SVC connection was established for the SVC session.

 

716001
Error Message%ASA-6-716001: Group group User user IP ip WebVPN session started.
Explanation The WebVPN session has started for the user in this group at the specified IP address. When the user logs in via the WebVPN login page, the WebVPN session starts.

 

716002
Error Message%ASA-6-716002: Group GroupPolicy User username IP ip WebVPN session terminated: User requested.
Explanation The WebVPN session has been terminated by a user request.

0 Helpful
Customers Also Viewed These Support Documents