Grepping ASA syslogs for AnyConnect client logon/logoff activity

Ran across a Quick Question the other day: “Hey, can you quick tell me when so-and-so has been on the vpn in the last week?” Everybody knows a quick question is anything but. This was no exception.

The quick answer is “Sure, just let me look in the syslogs. Hang on.” To my genuine surprise, the syslogs were very large: 2+ GB for each day, way too large just to search in Notepad++ (Notepad and Wordpad actually refused to open the file). So, I quickly learned to use GNU32 Grep for Windows.

Once I figured that out, the next trick was to figure out what to grep for. Of course, if you’re syslogging the right classes, this helps tremendously (wink wink). In addition to the default syslog classes, I had added the following:

logging class auth trap informational
logging class vpdn trap informational
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational

Turns out that class vpnc (VPNCLIENT) is not what you think. I was thinking this is for the remote access client activity, like AnyConnect activity. Wrong. It’s mostly for EZVPN setups. For remote access activity, class webvpn is what you want. Specifically, message 716001 is for logon events, and 716002 is for logoff events.

We’re using ASA software version 8.2.1, and Cisco syslog message documentation explains these messages like this:

716001
Error Message %ASA-6-716001: Group group User user IP ip WebVPN session started.
Explanation: The WebVPN session has started for the user in this group at the specified IP address. When the user logs in via the WebVPN login page, the WebVPN session starts.

716002
Error Message %ASA-6-716002: Group GroupPolicy User username IP ip WebVPN session terminated: User requested.
Explanation: The WebVPN session has been terminated by a user request.
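Here is an added example (not from the original post) of what that grep looks like once you know the message IDs. It is a POSIX sh function that filters 716001/716002 messages for one exact user and prints the timestamp, event and client IP; it assumes the ASA writes the Group/User/IP fields in angle brackets after a standard syslog header, and the log lines below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample syslog lines in the ASA 716001/716002 format (angle-bracket
# fields, standard "Mon DD HH:MM:SS host" syslog header). Not real log data.
SAMPLE_LOG='Jan 14 08:02:11 fw01 %ASA-6-716001: Group <RA-Users> User <jsmith> IP <203.0.113.45> WebVPN session started.
Jan 14 08:05:40 fw01 %ASA-6-716001: Group <RA-Users> User <jsmithson> IP <198.51.100.9> WebVPN session started.
Jan 14 09:12:00 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith
Jan 14 17:40:03 fw01 %ASA-6-716002: Group <RA-Users> User <jsmith> IP <203.0.113.45> WebVPN session terminated: User requested.'

# vpn_sessions USER [FILE...]
# Prints one line per logon/logoff event for USER as "<Mon> <DD> <HH:MM:SS> <LOGON|LOGOFF> <ip>".
# Reads stdin when no files are given. Anchoring on the message ID and on the
# "User <name> " field (closing bracket and trailing space included) keeps
# "jsmith" from also matching "jsmithson" or unrelated AAA messages that
# happen to mention the same user. USER is assumed to be a plain account name.
vpn_sessions() {
    user="$1"; shift
    grep -E "%ASA-6-71600[12]: .*User <${user}> " "$@" \
    | sed -E 's/^([A-Za-z]+ +[0-9]+ [0-9:]+) .*%ASA-6-71600([12]): .*IP <([^>]+)>.*/\1 \2 \3/' \
    | awk '{ ev = ($4 == "1") ? "LOGON" : "LOGOFF"; print $1, $2, $3, ev, $5 }'
}

# Runs the filter over the constructed sample for user jsmith.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | vpn_sessions jsmith
}

demo
```

Against a real log directory, `vpn_sessions jsmith /var/log/asa/*.log` works the same way, since the function passes its remaining arguments straight to grep.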

In Part 2, I’ll go into detail on how to search multiple syslogs files for these events with one command.
