Submit a ticketCall us

AnnouncementsFace your biggest database issues head-on

Our new eCourse helps you navigate SQL Server performance blocks by teaching you how to recognize and deal with the three DBA Disruptors: Performance Hog, Blame Shifter, and Query Blocker. Register today to learn how to defend your environment and fend off menacing disruptions.

Register for your free eCourse.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Monitor Cisco VPN Logon / Logoff Activity using LEM

Monitor Cisco VPN Logon / Logoff Activity using LEM

Table of contents
Created by Craig O’ Neill, last modified by Jason Dee on Aug 14, 2018

Views: 4,023 Votes: 0 Revisions: 9

Updated August 14, 2018


This article provides information on how to monitor WebVPN/AnyConnect logon and logoff activity through a Cisco ASA firewall.


  • LEM all versions
  • Cisco IOS/ASA device


For a list of all Cisco IOS/ASA Syslog events, please see:

According to the document above, the Event ID a WebVPN logon is ASA-6-716001, a WebVPN logoff is ASA-6-716002, and an AnyConnect logon would be ASA-6-113039.


You can search for these by creating one of the following queries in nDepth:


SystemStatus.ProviderSID = *716001


SystemStatus.ProviderSID = *716002


SystemStatus.ProviderSID = *113039


It is also possible that there are VPN-related logon/logoff events that use other Event IDs, such as ASA-4-113004. Please refer to the above Cisco reference page for more information on their Syslog events.





Last modified