Submit a ticketCall us

AnnouncementsFace your biggest database issues head-on

Our new eCourse helps you navigate SQL Server performance blocks by teaching you how to recognize and deal with the three DBA Disruptors: Performance Hog, Blame Shifter, and Query Blocker. Register today to learn how to defend your environment and fend off menacing disruptions.

Register for your free eCourse.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Monitor Cisco VPN Logon / Logoff Activity using LEM

Monitor Cisco VPN Logon / Logoff Activity using LEM

Table of contents
Created by Craig O’ Neill, last modified by Jason Dee on Aug 14, 2018

Views: 4,012 Votes: 0 Revisions: 9

Updated August 14, 2018

Overview

This article provides information on how to monitor WebVPN/AnyConnect logon and logoff activity through a Cisco ASA firewall.

Environment

  • LEM all versions
  • Cisco IOS/ASA device

Detail

For a list of all Cisco IOS/ASA Syslog events, please see: http://www.cisco.com/c/en/us/td/docs...s/logsevp.html

According to the document above, the Event ID a WebVPN logon is ASA-6-716001, a WebVPN logoff is ASA-6-716002, and an AnyConnect logon would be ASA-6-113039.

 

You can search for these by creating one of the following queries in nDepth:

 

SystemStatus.ProviderSID = *716001

 

SystemStatus.ProviderSID = *716002

 

SystemStatus.ProviderSID = *113039

 

It is also possible that there are VPN-related logon/logoff events that use other Event IDs, such as ASA-4-113004. Please refer to the above Cisco reference page for more information on their Syslog events.

 

 

 

 

Last modified

Tags

Classifications

Public