Re: How can I log remote VPN users on an ASA 5520

claude.fozao · ‎10-13-2010

Dear all,

I want to enable logging of remote VPN users so that we can track the users of our VPN connection, The time the user started using the VPN connection and the time the user stopped using the connection.

When I issue the command show vpn-sessiondb remote on the ASA, it displays the users that are current using the VPN connection but when they stopped using the connection, there is no way to prove that this user actually initiated a connection and it lasted for this long.

Please I would be very grateful if somebody can help give the commands to use to enable my ASA to log remote VPN connections, with the usernames of the users and the time stamp.

Thanks for you for your assistance.

sinv · ‎10-13-2010

Hi,

As I see it there are three ways in which you can go about doing this:

1. To setup a syslog server for the ASA and log all the traffic and filter the vpn traffic at the syslog server.

2. If that seems like a logging overhead then you can choose to log certain syslog IDs that would provide you the required VPN information.

3. If the extended authentication for the users is not being done locally(on the ASA) then then logging can be enabled on the authentication technology that is used (eg Active Directory Logging etc.)

Considering you want to do the second method I would suggest you go through the syslog messages and select the ones that you would prefer logging.

The follwing is the link to the syslog message directory on the 8.x versions. This should help you narrow down the IDs you would want to log.

Do take into account there are specific IDs for each type of VPN (eg WEBVPN, IPSec etc).

http://tools.cisco.com/squish/fd4E4

The following link is the syslog configuration document that may also come in handy.

http://tools.cisco.com/squish/8c878

Let me know if you have more questions.

Regards,

Sindhuja