
Looking to report on VPN connectivity to Cisco ASA

t001z

I have a Cisco ASA and its plugin is receiving data. I have also added a plugin for Cisco VPN (although I am not sure this is needed) and it is NOT receiving data. These are the same device/same IP. I am looking to collect information on how long the VPN connection lasted as well as the amount of data transmitted and received.

There may be several places where I am failing on this report – this particular information is not being sent to the sensor, the information is not being processed by the USM, but the most likely cause is I just don’t know what fields are being sent that I need to report on.

I have the report set to run for last 30 days and when I run the report, everything is coming back as No data available.

Best Answer

  • Answer ✓
    t001z,

    To my knowledge, the USM Appliance would not have a way to report on this because the ASA does not deliver this data in its logs.

    To collect this, the logs would need to either send this data as separate events which could be identified by a single connection ID in all associated logs, or would need to send a single log entry containing the summary of the connection.

Answers

  • I was hoping that some guru could just say, "oh yeah, all you need to do is X, Y & Z and it spits out the report you are looking for."  Wishful thinking, I know.  Thanks for the thought and answer, sorry for the late reply/answer.
  • @t001z You should be able to pull this data out; we are doing it for several of our customers using the basic Cisco-ASA plugin.  There are a lot of VPN events that AlienVault will parse out as long as you are logging them on the ASA.  A quick way to check is from the SIEM view select CISCO-ASA as your data source, then just put in VPN in the search window and leave it set at event name.  This will bring up any VPN events that it has seen.

    Once you identify that the events are coming in then just create yourself a custom view then save it off as a report module.
    The event we are reporting on for successful logons is event ID 113008:  ASA: The AAA transaction for a user associated with an IPsec or WebVPN connection was completed successfully
    For failed attempts you can use event ID 113013: ASA: The AAA transaction for a user associated with an IPsec or WebVPN connection has failed.
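
The per-user report described in the last reply can be prototyped outside the SIEM. The following is an added example, not part of the thread or of any AlienVault plugin: it tallies event IDs 113008 and 113013 per user from raw ASA syslog. The sample lines are constructed, and the `user = <name>` field layout is an assumption about the message text.

```python
import re
from collections import Counter

# Message IDs named in the thread above.
VPN_AAA_OK = "113008"
VPN_AAA_FAIL = "113013"

# ASA syslog tag: %ASA-<severity>-<message id>: <text>
ASA_TAG = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")
# Assumption: the user name appears as "user = <name>" in the message text.
USER = re.compile(r"\buser\s*=\s*(?P<user>\S+)", re.IGNORECASE)

# Constructed sample lines (documentation addresses, not from a real device).
SAMPLE_LOG = """\
Mar 03 09:14:02 192.0.2.1 %ASA-6-113008: AAA transaction status ACCEPT : user = alice
Mar 03 09:15:40 192.0.2.1 %ASA-6-113013: AAA unable to complete the request Error : reason = Invalid password : user = bob
Mar 03 09:16:05 192.0.2.1 %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
Mar 03 09:16:11 192.0.2.1 %ASA-6-113013: AAA unable to complete the request Error : reason = Invalid password : user = bob
Mar 03 09:20:00 192.0.2.1 %ASA-6-113008: AAA transaction status ACCEPT : user = bob
truncated line without an ASA tag
"""


def summarize_vpn_aaa(log_text):
    """Return {user: Counter(ok=..., fail=...)} for events 113008 and 113013."""
    summary = {}
    for line in log_text.splitlines():
        tag = ASA_TAG.search(line)
        if not tag or tag["msgid"] not in (VPN_AAA_OK, VPN_AAA_FAIL):
            continue  # not an ASA message, or not one of the two VPN AAA events
        user_match = USER.search(tag["text"])
        user = user_match["user"] if user_match else "<unknown>"
        outcome = "ok" if tag["msgid"] == VPN_AAA_OK else "fail"
        summary.setdefault(user, Counter())[outcome] += 1
    return summary


if __name__ == "__main__":
    for user, counts in sorted(summarize_vpn_aaa(SAMPLE_LOG).items()):
        print(f"{user}: {counts['ok']} successful, {counts['fail']} failed")
```

If this returns nothing for a real log file, the ASA is probably not logging these messages at the configured level, which is the same condition the SIEM search for "VPN" would reveal.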