What is the best (easiest) way to view VPN logs through MARS?

Unanswered Question
Mar 24th, 2009

I need to look at the logs from the past couple of days for a few specific VPN users and am not familiar with MARS enough to know how to do this.

Thanks, Tony

patwill66_2 Tue, 03/24/2009 - 11:35

For me, it depends on the device I am using. For a quick search, I will look for the event type "IKE Phase 2 Completed" and this will give me what I am looking for. If you have site-to-site tunnels, that may not work the best. If you are using RADIUS, you could try searching event type "PIX AAA user authentication successful". There are canned reports for authentication but I haven't had good luck with them yet. Otherwise, run a real-time report on that device, connect to the VPN and see what logs come in, and then search on one that shows complete or successful in the message, and that should bring up the recent connections as well.

ttrevino1 Wed, 03/25/2009 - 06:57

Thanks for the response. What I'm trying to do is pull ASA logs, looking for specific user IDs within a certain time range. These are dynamic connections initiated via the VPN client on the user's machine.

Where do you see the event type "IKE Phase 2 Completed"? What query or report? Or are you just looking at the events themselves and sorting through them?

When I need to look at logs currently, I usually download the raw events from a specific day and dig through them, but I was told there was a much easier way to do this type of work.

Thanks, Tony
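
The manual approach described in the post above (downloading a day's raw events and digging through them) can be scripted. This is an added example, not part of the original thread or of any Cisco tool; it assumes the raw export holds one ASA syslog message per line, each starting with a `Mon DD YYYY HH:MM:SS` timestamp, and the `vpn_events` name and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines (not real data); layout assumed as described above.
SAMPLE = """\
Mar 22 2009 23:50:11 asa-vpn : %ASA-4-113019: Group = RemoteUsers, Username = jdoe, IP = 198.51.100.7, Session disconnected. Session Type: IPsec, Duration: 1h:02m:10s, Bytes xmt: 512, Bytes rcv: 900, Reason: User Requested
Mar 23 2009 08:14:02 asa-vpn : %ASA-6-113004: AAA user authentication Successful : server = 192.0.2.10 : user = jdoe
Mar 23 2009 08:14:03 asa-vpn : %ASA-6-713228: Group = RemoteUsers, Username = jdoe, IP = 198.51.100.7, Assigned private IP address 10.10.5.21 to remote user
Mar 23 2009 09:01:40 asa-vpn : %ASA-6-713228: Group = RemoteUsers, Username = asmith, IP = 203.0.113.44, Assigned private IP address 10.10.5.22 to remote user
Mar 24 2009 17:30:09 asa-vpn : %ASA-4-113019: Group = RemoteUsers, Username = JDoe, IP = 198.51.100.7, Session disconnected. Session Type: IPsec, Duration: 9h:15m:06s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: User Requested
Mar 24 2009 18:00:00 asa-vpn : %ASA-5-713120: Group = RemoteUsers, Username = mlee, IP = 203.0.113.80, PHASE 2 COMPLETED (msgid=1a2b3c4d)
"""

TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
MSG = re.compile(r"%(?:ASA|PIX)-\d-(\d{6}):")
# Matches both "Username = x" (713xxx, 113019) and "user = x" (113004).
USER = re.compile(r"\buser(?:name)?\s*=\s*([^,\s]+)", re.IGNORECASE)


def vpn_events(lines, users, start, end):
    """Return (time, user, message_id, raw_line) for the given users in [start, end]."""
    wanted = {u.lower() for u in users}
    hits = []
    for line in lines:
        ts, msg, user = TS.search(line), MSG.search(line), USER.search(line)
        if not (ts and msg and user):
            continue  # not an ASA/PIX message that names a user
        stamp = " ".join(ts.group(1).split())  # collapse "Mar  3" padding
        when = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
        # User IDs are compared case-insensitively; the window is inclusive.
        if user.group(1).lower() in wanted and start <= when <= end:
            hits.append((when, user.group(1), msg.group(1), line.strip()))
    return sorted(hits)


if __name__ == "__main__":
    window = (datetime(2009, 3, 23), datetime(2009, 3, 24, 23, 59, 59))
    for when, user, msg_id, _ in vpn_events(SAMPLE.splitlines(), ["jdoe"], *window):
        print(when.isoformat(sep=" "), user, msg_id)
```
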

jnommensen Fri, 04/10/2009 - 12:33

You can run a query in MARS based on "reported user".

You could also try running a query with the user's ID specified in the "keyword" section.

ttrevino1 Tue, 04/14/2009 - 04:30

How do I get to the "reported user" report? Thanks for the help.
