I was recently tasked with logging when users would connect and disconnect from the VPN – I believe the intent is to keep track of hours, but it was proposed as a way to keep track of users in terms of security violations. Either way I needed to come up with a solution.
Here was the setup and results:
ASA5510 with AnyConnect VPN licensing
Windows RADIUS (via ISA Services) for authentication
All ASA connect requests were logged via the Event Viewer on the Windows RADIUS server
Disconnects or timeouts were not logged on the server
So I had half of the equation, just needed to capture and log the disconnects as well.
Unfortunately, the RADIUS only requires authentication. There was no “hey please give me permission to disconnect” going on. Lucky for me I also have a Kiwi Syslog Server running on the premises. Kiwi free, in case you’re wondering.
So just set the ASA to send syslog data to your syslog server, and parse out the following message IDs. These are for the AnyConnect client; other clients, including IPsec, will have different numbers.
722022: Connect
722023: Disconnect
You can use 716001 (WebVPN session starts) and 716002 (WebVPN session terminates) to achieve the same result.
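One way to turn those two message IDs into per-user session records, as an added example that is not part of the original post. The log lines are constructed, and the timestamp prefix and the `Group <..> User <..> IP <..>` layout are assumptions about how your syslog server writes the ASA messages; adjust the regular expression to match your file.

```python
import re
from datetime import datetime

CONNECT, DISCONNECT = "722022", "722023"  # message IDs named in the post

# Constructed sample lines (assumed layout: timestamp, sender, ASA message).
SAMPLE_LOG = """\
2024-03-04 08:01:00 192.0.2.1 %ASA-6-722023: Group <GP_Staff> User <carol> IP <198.51.100.5> TCP SVC connection terminated without compression
2024-03-04 08:58:12 192.0.2.1 %ASA-6-722022: Group <GP_Staff> User <alice> IP <198.51.100.7> TCP SVC connection established without compression
2024-03-04 09:10:40 192.0.2.1 %ASA-6-722022: Group <GP_Staff> User <bob> IP <198.51.100.9> TCP SVC connection established without compression
2024-03-04 09:11:02 192.0.2.1 %ASA-5-111008: User 'admin' executed the 'show version' command.
2024-03-04 17:03:45 192.0.2.1 %ASA-6-722023: Group <GP_Staff> User <alice> IP <198.51.100.7> TCP SVC connection terminated without compression
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"%ASA-\d-(?P<msgid>\d{6}): Group <(?P<group>[^>]*)> "
    r"User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> (?P<proto>TCP|UDP) "
)

def pair_sessions(lines):
    """Pair connect/disconnect events per (user, client IP, transport).

    Returns (sessions, unmatched, still_open):
      sessions   - (user, ip, connected_at, disconnected_at) tuples
      unmatched  - disconnects with no connect in the log (log started late)
      still_open - connects with no disconnect yet, keyed by (user, ip, proto)
    """
    open_at, sessions, unmatched = {}, [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["msgid"] not in (CONNECT, DISCONNECT):
            continue  # unrelated ASA message or unparseable line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["user"], m["ip"], m["proto"])
        if m["msgid"] == CONNECT:
            open_at.setdefault(key, ts)  # a repeated connect keeps the earliest time
        elif key in open_at:
            sessions.append((m["user"], m["ip"], open_at.pop(key), ts))
        else:
            unmatched.append((m["user"], m["ip"], ts))
    return sessions, unmatched, open_at

if __name__ == "__main__":
    sessions, unmatched, still_open = pair_sessions(SAMPLE_LOG.splitlines())
    for user, ip, start, end in sessions:
        print(f"{user} from {ip}: {start} -> {end} ({end - start})")
    for user, ip, ts in unmatched:
        print(f"{user} from {ip}: disconnect at {ts} with no logged connect")
    for (user, ip, proto), start in still_open.items():
        print(f"{user} from {ip}: connected {start}, no disconnect logged")
```

Disconnects without a matching connect and connects that never close are reported separately rather than dropped, since either one means the session record is incomplete for that user.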