{"id":907,"date":"2012-02-01T12:51:55","date_gmt":"2012-02-01T17:51:55","guid":{"rendered":"http:\/\/it.thelibrarie.com\/weblog\/?p=907"},"modified":"2012-02-01T12:51:55","modified_gmt":"2012-02-01T17:51:55","slug":"syslog-log-asa-vpn-anyconnect","status":"publish","type":"post","link":"https:\/\/it.thelibrarie.com\/weblog\/2012\/02\/syslog-log-asa-vpn-anyconnect\/","title":{"rendered":"Syslog Log ASA VPN AnyConnect"},"content":{"rendered":"<p>I was recently tasked with logging when users would connect and disconnect from the VPN &#8211; I believe the intent is to keep track of hours, but it was proposed as a way to keep track of users in terms of security violations.  Either way, I needed to come up with a solution.<\/p>\n<p>Here were the setup and results:<br \/>\nASA5510 with AnyConnect VPN licensing<br \/>\nWindows RADIUS (via ISA Services) for authentication<br \/>\nAll ASA connect requests were logged via the Event Viewer on the Windows RADIUS server<br \/>\nDisconnects or timeouts were not logged on the server<\/p>\n<p>So I had half of the equation; I just needed to capture and log the disconnects as well.<\/p>\n<p>Unfortunately, the RADIUS only requires authentication.  There was no &#8220;hey please give me permission to disconnect&#8221; going on.  Lucky for me, I also have a Kiwi syslog server running on the premises.  Kiwi free, in case you&#8217;re wondering.<\/p>\n<p>So just set the ASA to send syslog data to your syslog server, and parse out the following Message IDs (for your AnyConnect client; other clients, including IPsec, will have different numbers):<br \/>\n722022: Connect<br \/>\n722023: Disconnect<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was recently tasked with logging when users would connect and disconnect from the VPN &#8211; I believe the intent is to keep track of hours, but it was proposed as a way to keep track of users in terms of security violations. Either way, I needed to come up with a solution. 
Here was &hellip; <a href=\"https:\/\/it.thelibrarie.com\/weblog\/2012\/02\/syslog-log-asa-vpn-anyconnect\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Syslog Log ASA VPN AnyConnect<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-907","post","type-post","status-publish","format-standard","hentry","category-networking"],"_links":{"self":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/907","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/comments?post=907"}],"version-history":[{"count":1,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/907\/revisions"}],"predecessor-version":[{"id":908,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/907\/revisions\/908"}],"wp:attachment":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/media?parent=907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/categories?post=907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/tags?post=907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}