Ran across a Quick Question the other day: “Hey, can you quick tell me when so-and-so has been on the vpn in the last week?” Everybody knows a quick question is anything but. This was no exception.
The quick answer is “Sure, just let me look in the syslogs. Hang on.” To my genuine surprise, the syslogs were very large: 2+ GB for each day, way too large just to search in Notepad++ (Notepad and WordPad actually refused to open the file). So I quickly learned to use GNU32 Grep for Windows.
Once I figured that out, the next trick was to figure out what to grep for. Of course, if you’re syslogging the right classes, this helps tremendously (wink wink). In addition to the default syslog classes, I had added the following:
logging class auth trap informational
logging class vpdn trap informational
logging class vpn trap informational
logging class vpnc trap informational
logging class webvpn trap informational
Turns out that class vpnc (VPNCLIENT) is not what you might think. I was thinking this was for remote access client activity, like AnyConnect activity. Wrong. It’s mostly for EZVPN setups. For remote access activity, class webvpn is what you want. Specifically, message 716001 is for logon events, and 716002 is for logoff events.
We’re using ASA software version 8.2.1, and Cisco syslog message documentation explains these messages like this:
Error Message %ASA-6-716001: Group group User user IP ip WebVPN session started.
Explanation: The WebVPN session has started for the user in this group at the specified IP address. When the user logs in via the WebVPN login page, the WebVPN session starts.
Error Message %ASA-6-716002: Group GroupPolicy User username IP ip WebVPN session terminated: User requested.
Explanation: The WebVPN session has been terminated by a user request.
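To show how those two message IDs answer the original “when was so-and-so on the VPN last week” question, here is an added example (my own code, not Cisco’s and not from the original post) that parses a handful of constructed syslog lines, keeps only %ASA-6-716001 and %ASA-6-716002, and pairs each logon with its logoff per user and client IP. The line prefix (syslog-server date, time and hostname) and the angle brackets around the Group/User/IP fields are assumptions about how the ASA messages land in the file; adjust the regex if your syslog server writes a different prefix. A session that started before the reporting window shows up with an unknown logon time, and one still open at the end of the window shows up with no logoff, rather than being silently dropped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real log data). Prefix "<date> <time> <host> : "
# is an assumed syslog-server format; the %ASA-6-716001/716002 bodies follow the
# Cisco documentation quoted above, with the field values in angle brackets.
SAMPLE_LOG = """\
2024-11-12 08:15:02 asa-fw : %ASA-6-716001: Group <RemoteAccess> User <jdoe> IP <203.0.113.10> WebVPN session started.
2024-11-12 08:16:30 asa-fw : %ASA-6-716001: Group <RemoteAccess> User <asmith> IP <198.51.100.7> WebVPN session started.
2024-11-12 12:40:11 asa-fw : %ASA-6-716002: Group <RemoteAccess> User <jdoe> IP <203.0.113.10> WebVPN session terminated: User requested.
2024-11-13 09:02:45 asa-fw : %ASA-6-716001: Group <RemoteAccess> User <jdoe> IP <203.0.113.22> WebVPN session started.
2024-11-13 09:05:00 asa-fw : %ASA-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/443 to inside:10.0.0.5/52110
2024-11-20 07:30:00 asa-fw : %ASA-6-716001: Group <RemoteAccess> User <jdoe> IP <203.0.113.30> WebVPN session started.
"""

# Only the two WebVPN session messages are of interest; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-\d-(?P<msgid>71600[12]): Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> WebVPN session (?P<action>started|terminated)"
)

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_webvpn_events(text):
    """Return a list of dicts for every 716001/716002 line in `text`."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other message IDs, or a line in an unexpected format
        events.append({
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "msgid": m.group("msgid"),
            "group": m.group("group"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def sessions_for_user(events, user, since, until):
    """Pair logons (716001) with logoffs (716002) for `user` inside [since, until].

    Returns (logon_time, logoff_time, ip) tuples; logon_time is None when the
    logoff's matching logon is outside the window, logoff_time is None when the
    session was still open at the end of the window.
    """
    in_window = [e for e in sorted(events, key=lambda e: e["ts"])
                 if e["user"] == user and since <= e["ts"] <= until]
    sessions = []
    open_by_ip = {}  # client IP -> logon timestamp of a session not yet closed
    for ev in in_window:
        if ev["msgid"] == "716001":
            open_by_ip[ev["ip"]] = ev["ts"]
        else:  # 716002: close the session opened from the same client IP
            sessions.append((open_by_ip.pop(ev["ip"], None), ev["ts"], ev["ip"]))
    for ip, logon_ts in open_by_ip.items():
        sessions.append((logon_ts, None, ip))
    sessions.sort(key=lambda s: s[0] or s[1])
    return sessions


def last_week_report(text, user, as_of, days=7):
    """One line per session for `user` in the `days` before `as_of` ("YYYY-MM-DD HH:MM:SS")."""
    until = datetime.strptime(as_of, TS_FMT)
    since = until - timedelta(days=days)
    lines = []
    for logon, logoff, ip in sessions_for_user(parse_webvpn_events(text), user, since, until):
        start = logon.strftime(TS_FMT) if logon else "(before window)"
        end = logoff.strftime(TS_FMT) if logoff else "(still open)"
        lines.append(f"{user} from {ip}: {start} -> {end}")
    return lines


if __name__ == "__main__":
    for row in last_week_report(SAMPLE_LOG, "jdoe", "2024-11-19 00:00:00"):
        print(row)
```

On a real 2 GB daily file you would not read the whole thing into memory; feed `parse_webvpn_events` the output of a grep for `716001\|716002` (or iterate the file line by line) and the pairing logic stays the same. Pairing on user plus client IP is a simplification: a user who reconnects from the same address before the previous session logs off will have the earlier logon overwritten, so treat the output as a starting point for the investigation rather than an audit trail.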
In Part 2, I’ll go into detail on how to search multiple syslogs files for these events with one command.