Following up on (what is now) Part 1 of this subject….
So the request about finding out when so-and-so had logged on to the VPN came in again. This time I needed to go back two weeks. No problem. On our syslog server, it’s only 19.1 Gb of files. One command, ten minutes, right?
Sure, if you’re good with grep and regular expressions, which I am not. Eventually it did only take one command. But it took me about two hours and learning a little regex. Here is the full command, along with a breakdown.
And yes, this is for me too, when I get asked to do this next month after I’ve forgotten how to do it (again).
grep -E "71600[1-2]: Group <Employees> User <cgates>" -d recurse c:syslog
To begin, I used grep for Windows on our syslog server (see Part 1).
Next comes the ‘-E’ switch for extended regular expressions.
After that is the regular expression itself. The event number 716001 is for ASA logon events, and 716002 is for logoff events. By using the range [1-2], we catch both events where the tunnel group = Employees and the user = cgates. The whole expression, minus the bracketed range, is a string snippet pulled from the actual syslog entries (below).
2012-03-09 14:21:57 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716001: Group <Employees> User <cgates> IP <188.8.131.52> WebVPN session started. 2012-03-10 01:22:11 Local4.Info 192.168.1.1 :%ASA-webvpn-6-716002: Group <Employees> User <cgates> IP <184.108.40.206> WebVPN session terminated.
This string is common to both types of events, so we can them both with one command.
Next comes the ‘-d’ switch telling grep to look in a directory as the input file, followed by the action ‘recurse’, so it will work its way through all 19 GBs of files found there. And finally comes the syslog directory itself ‘c:/syslog’.
This worked magic for me. May it work magic for you too.