Submit a ticketCall us

WebinarFREE IT Monitoring Webcast

Don’t miss out on our webcast, Essential IT Monitoring with SolarWinds ipMonitor, where we will show you how to keep an eye on your IT environment from one centralized, affordable, and lightweight monitoring tool: SolarWinds® ipMonitor®.

Register now.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Monitor Cisco VPN Logon / Logoff Activity using LEM

Monitor Cisco VPN Logon / Logoff Activity using LEM

Table of contents
Created by Craig O’ Neill, last modified by Jason Dee on Aug 14, 2018

Views: 4,267 Votes: 0 Revisions: 9

Updated August 14, 2018


This article provides information on how to monitor WebVPN/AnyConnect logon and logoff activity through a Cisco ASA firewall.


  • LEM all versions
  • Cisco IOS/ASA device


For a list of all Cisco IOS/ASA Syslog events, please see:

According to the document above, the Event ID a WebVPN logon is ASA-6-716001, a WebVPN logoff is ASA-6-716002, and an AnyConnect logon would be ASA-6-113039.


You can search for these by creating one of the following queries in nDepth:


SystemStatus.ProviderSID = *716001


SystemStatus.ProviderSID = *716002


SystemStatus.ProviderSID = *113039


It is also possible that there are VPN-related logon/logoff events that use other Event IDs, such as ASA-4-113004. Please refer to the above Cisco reference page for more information on their Syslog events.





Last modified