Submit a ticketCall us

Training ClassSign up for Network Performance Monitor (NPM) and Scalability instructor-led classes

Attend our instructor-led classes, provided by SolarWinds® Academy, to discuss the more advanced monitoring mechanisms available in NPM as well as how to tune your equipment to optimize its polling capabilities. NPM classes offered:
NPM Custom Monitoring and Polling
Orion Platform Scalability

Reserve your seat.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Monitor Cisco VPN Logon / Logoff Activity using LEM

Monitor Cisco VPN Logon / Logoff Activity using LEM

Table of contents
Created by Craig O’ Neill, last modified by Jason Dee on Aug 14, 2018

Views: 4,450 Votes: 0 Revisions: 9

Updated August 14, 2018


This article provides information on how to monitor WebVPN/AnyConnect logon and logoff activity through a Cisco ASA firewall.


  • LEM all versions
  • Cisco IOS/ASA device


For a list of all Cisco IOS/ASA Syslog events, please see:

According to the document above, the Event ID a WebVPN logon is ASA-6-716001, a WebVPN logoff is ASA-6-716002, and an AnyConnect logon would be ASA-6-113039.


You can search for these by creating one of the following queries in nDepth:


SystemStatus.ProviderSID = *716001


SystemStatus.ProviderSID = *716002


SystemStatus.ProviderSID = *113039


It is also possible that there are VPN-related logon/logoff events that use other Event IDs, such as ASA-4-113004. Please refer to the above Cisco reference page for more information on their Syslog events.





Last modified