Submit a ticketCall us

AnnouncementsAre You “Flying Blind?”

When it comes to your complex IT infrastructure, you want to ensure you have a good grasp of what’s going on to avoid any fire drills that result from guesswork. Read our white paper to learn how proactively monitoring your IT environment can help your organization while giving you peace of mind.

Get your free white paper.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Monitor Cisco VPN Logon / Logoff Activity using LEM

Monitor Cisco VPN Logon / Logoff Activity using LEM

Table of contents
Created by Craig O’ Neill, last modified by Jason Dee on Aug 14, 2018

Views: 4,857 Votes: 0 Revisions: 9

Updated August 14, 2018


This article provides information on how to monitor WebVPN/AnyConnect logon and logoff activity through a Cisco ASA firewall.


  • LEM all versions
  • Cisco IOS/ASA device


For a list of all Cisco IOS/ASA Syslog events, please see:

According to the document above, the Event ID a WebVPN logon is ASA-6-716001, a WebVPN logoff is ASA-6-716002, and an AnyConnect logon would be ASA-6-113039.


You can search for these by creating one of the following queries in nDepth:


SystemStatus.ProviderSID = *716001


SystemStatus.ProviderSID = *716002


SystemStatus.ProviderSID = *113039


It is also possible that there are VPN-related logon/logoff events that use other Event IDs, such as ASA-4-113004. Please refer to the above Cisco reference page for more information on their Syslog events.





Last modified