VPN Log

dacruzer1
Level 1

Hi Everyone,

Is there a way I can turn on logging on my ASA5550 so that I can check the time and date (and how long) VPN users are connected?

Your help is greatly appreciated.

Thanks

Alfred


4 Replies

Jennifer Halim
Cisco Employee

You can configure the ASA to send syslog messages when the user connects and disconnects.

The syslog message numbers for VPN user connection are 713119 and 611310:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775678

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4774637

and for disconnect it is 113019:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769539

Hope that helps.

Thanks Jennifer, that works!!!

Perfect, thanks for the update, Alfred. Please kindly mark the post as answered if you have no further question. Thank you.

hdashnau
Cisco Employee

The syslogs Jennifer provided will show you connects and disconnects for IPSec VPN traffic. There is an additional IPSec syslog 713049 you might want to track for IPSec.

It's also worth noting there are a few other kinds of "remote access" VPN, like webvpn/clientless and anyconnect/ssl vpn client, that you might also want to track.

If you are using Clientless SSL VPN the syslogs usually begin with 716xxx. For example, the syslog for connect is 716001 and disconnect is 716002. There is a list of other Clientless SSL VPN related messages, and the specific content of each log, here:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4776913

If you are using SSL VPN Client (SVC 1.x, AnyConnect 2.x) the syslogs usually begin with 722xxx. For example, the syslog for connect is 722022 and disconnect is 722023. There is a list of other SSL VPN Client related messages here:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4778697

If you are using IPSec client VPN you can also track a successful connect with 713119 (indicates Phase 1 complete) and 713049 (indicates Phase 2 complete), and disconnect with 113019:

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775678

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4775412

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769539

Here are some other helpful notes to keep in mind:

-You can tell what levels of logging you currently have on the ASA command line with "show log".

-The logs that you send to a syslog server are controlled with the "Trap logging" commands. For example "logging trap informational" (level 6) or "logging trap alerts" (level 1).

-You can tell what severity level (i.e. alerts, critical, errors, warnings, notifications, informational, debugging) each of these logs has through this link. As you'll notice by checking the link, the ones tracking log in or logout as I noted above are usually informational (sev 6):

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logsevp.html

-If you want to create a specific subset of syslogs to send to a particular device, you can accomplish this with a logging class or a logging list.

For example (logging class):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065253

logging class vpnc traf informational

For example (logging list):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html#wp1065512

logging list mylist message 722022

logging list mylist message 722023

logging trap mylist

Please remember to rate the posts that helped you and to mark the question as resolved if your question has been answered.
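As an added example (not from the thread or from Cisco), here is a small Python script that answers the original question from the 722022/722023 messages hdashnau lists: it pairs each SSL VPN client connect with the matching disconnect per user and IP and computes how long the session lasted. The sample lines are constructed, the lines are assumed to carry a timestamp (from "logging timestamp" on the ASA or from the syslog collector), and the "Group <..> User <..> IP <..>" field layout is an assumption to check against your own ASA output.

```python
import re
from datetime import datetime

# Constructed sample lines in the "%ASA-<severity>-<message id>:" format.
# The message text is modelled on the 722022/722023 messages named in the
# thread; the field layout is assumed, verify it against real ASA output.
SAMPLE_LOG = """\
Mar 10 2014 08:01:12 asa-1 : %ASA-6-722022: Group <RA> User <alice> IP <198.51.100.7> TCP SVC connection established without compression
Mar 10 2014 08:03:40 asa-1 : %ASA-6-722022: Group <RA> User <bob> IP <198.51.100.9> TCP SVC connection established without compression
Mar 10 2014 09:31:55 asa-1 : %ASA-6-722023: Group <RA> User <alice> IP <198.51.100.7> TCP SVC connection terminated without compression
Mar 10 2014 09:45:00 asa-1 : %ASA-6-302013: Built inbound TCP connection (unrelated message, ignored)
"""

# Timestamp, message id, then the Group/User/IP fields the VPN messages carry.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) \S+ : %ASA-\d-(?P<id>\d{6}): "
    r"(?:Group <(?P<group>[^>]*)> )?User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>"
)
CONNECT_IDS = {"722022"}     # SSL VPN client connect (from the thread)
DISCONNECT_IDS = {"722023"}  # SSL VPN client disconnect (from the thread)


def parse_sessions(log_text):
    """Pair connect/disconnect messages per (user, ip) and return session records.

    A session still open at the end of the log has end/seconds set to None, and a
    disconnect with no preceding connect has start/seconds set to None.
    """
    open_sessions = {}
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a VPN user message in the layout we parse
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = (m["user"], m["ip"])
        if m["id"] in CONNECT_IDS:
            open_sessions[key] = ts
        elif m["id"] in DISCONNECT_IDS:
            start = open_sessions.pop(key, None)
            seconds = None if start is None else int((ts - start).total_seconds())
            sessions.append({"user": m["user"], "ip": m["ip"], "start": start,
                             "end": ts, "seconds": seconds})
    for (user, ip), start in open_sessions.items():  # still connected at end of log
        sessions.append({"user": user, "ip": ip, "start": start, "end": None, "seconds": None})
    return sessions


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(s["user"], s["ip"], s["start"], s["end"], s["seconds"])
```

Feed it the syslog server's file instead of SAMPLE_LOG; add the IPSec ids (713049 for connect, 113019 for disconnect) to the two sets if those users also need tracking and their messages carry the same fields.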
