11-10-2006 08:12 AM - edited 03-09-2019 04:51 PM
I'm trying to find out where in the 3000 concentrator I can turn on auditing of successful logins to send to my syslog server (MARS) so I can run a report from last month to see who is logging in remotely. Thanks in advance!
11-13-2006 01:27 PM
Hi Paul
You dont mention what authentication method you are using or type of vpn session (IPSEC or SSL)
I`ve not had chance to test this, but looking at the Events for the Concentrator...
VPN Concentrator
Configuration>System>Events>General
Select the Events to Syslog Field, Usually 1-5 for MARS.
In MARS
Event ID: 7002776
Event Type Details: Cisco VPN Authentication successful
This event indicates that an authentication request has been successful. The event text will point to the server and user ID.
Report: COBIT DS5.2: Authentication and Access
Activity: Remote Access Login - Top User (Total View)
Looking at the event types for this report...
Info/SuccessfulLogin/AAA, you may need to be using Cisco ACS for Authentication.
11-14-2006 08:29 AM
Hi Chris, I'm using IPSEC with group names (may have a group called IT that has 3 users in that group). I have it setup the way you describe, but I don't see anything in MARS. In MARS I run the report "This report ranks users by remote access logins (PPP, L2TP, PPTP, IPSec)." and the report is blank (no users or groups). I double checked to make sure the syslog server is pointed to the MARS IP address. Thanks
11-22-2006 01:53 AM
Hi Paul
If you run a query, on RAW Event, from just the Concentrator (over the last hour or so, or real-time) do you see any events coming in?
Chris
ciscomars.blogspot.com
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: