Make sure that the ASA is configured at informational level logging.
The keyword field can be used when making a new rule that looks for text within an event. For example, to make a rule that looks for the start of a WebVPN session, click on the keyword cell in the new rule, and enter the %ASA-6-716001 string.
To save the change, click the Activate button on the top right of the MARS Graphical User Interface (GUI).
These are the syslog messages to identify when a Secured Sockets Layer (SSL) VPN connection is established or terminated on the MARS device:
%ASA-6-716001: Group group User user WebVPN session started
%ASA-6-716002: Group group User user WebVPN session terminated: