Submit a ticketCall us

Training ClassSign up for Network Performance Monitor (NPM) and Scalability instructor-led classes

Attend our instructor-led classes, provided by SolarWinds® Academy, to discuss the more advanced monitoring mechanisms available in NPM as well as how to tune your equipment to optimize its polling capabilities. NPM classes offered:
NPM Custom Monitoring and Polling
Orion Platform Scalability

Reserve your seat.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Monitor Cisco VPN Logon / Logoff Activity using LEM

Monitor Cisco VPN Logon / Logoff Activity using LEM

Table of contents
Created by Craig O’ Neill, last modified by Jason Dee on Aug 14, 2018

Views: 4,450 Votes: 0 Revisions: 9

Updated August 14, 2018

Overview

This article provides information on how to monitor WebVPN/AnyConnect logon and logoff activity through a Cisco ASA firewall.

Environment

  • LEM all versions
  • Cisco IOS/ASA device

Detail

For a list of all Cisco IOS/ASA Syslog events, please see: http://www.cisco.com/c/en/us/td/docs...s/logsevp.html

According to the document above, the Event ID a WebVPN logon is ASA-6-716001, a WebVPN logoff is ASA-6-716002, and an AnyConnect logon would be ASA-6-113039.

 

You can search for these by creating one of the following queries in nDepth:

 

SystemStatus.ProviderSID = *716001

 

SystemStatus.ProviderSID = *716002

 

SystemStatus.ProviderSID = *113039

 

It is also possible that there are VPN-related logon/logoff events that use other Event IDs, such as ASA-4-113004. Please refer to the above Cisco reference page for more information on their Syslog events.

 

 

 

 

Last modified

Tags

Classifications

Public