Cisco Support Community

How to configure Cisco Security Monitoring Analysis and Response System (CS-MARS) rules to match WebVPN session creation on Adaptive Security Appliance(ASA)


To configure the rules ,perform these steps:

  1. Make sure that the ASA is configured at informational level logging.

  2. The keyword field can be used when making a new rule that looks for
    text within an event. For example, to make a rule that looks for the start of a WebVPN session, click on the keyword cell in the new rule, and enter the %ASA-6-716001 string.

  3. To save the change, click the Activate button on the top right of the MARS Graphical User Interface (GUI).

These are the syslog messages to identify when a Secured Sockets Layer (SSL) VPN connection is established or terminated on the MARS device:

  • %ASA-6-716001: Group group User user WebVPN session started

  • %ASA-6-716002: Group group User user WebVPN session terminated:

For a full list of ASA version 7.0 syslog messages, refer to Messages Listed by Severity Level.