What is the best (easiest) way to view VPN logs through MARS?

ttrevino1
Level 1

I need to look at the logs from the past couple of days for a few specific VPN users and am not familiar with MARS enough to know how to do this.

Thanks, Tony

4 Replies

patwill66_2
Level 1

For me, it depends on the device I am using. For a quick search, I will look for the event type "IKE Phase 2 Completed" and this will give me what I am looking for. If you have site-to-site tunnels, that may not work the best. If you are using RADIUS, you could try searching event type "PIX AAA user authentication successful". There are canned reports for authentication but I haven't had good luck with them yet. Otherwise, run a real-time report on that device, connect to the VPN and see what logs come in, and then search on one that shows complete or successful in the message and that should bring up the recent connections as well.

Thanks for the response. What I'm trying to do is pull ASA logs, looking for specific user IDs within a certain time range. These are dynamic connections initiated via the VPN client on the user's machine.

Where do you see the event type "IKE Phase 2 Completed"? What query or report? Or are you just looking at the events themselves and sorting through them?

When I need to look at logs currently, I usually download the raw events from a specific day and dig through them, but I was told there was a much easier way to do this type of work.

Thanks, Tony

You can run a query in the MARS based on "reported user".

You could also try running a query with the user's ID specified in the "keyword" section.

How do I get to the "reported user" report? Thanks for the help.
