Submit a ticketCall us

Solarwinds & Cisco Live! Barcelona
Join us from the 29th of January to the 2nd of February at Cisco Live 2018 in Barcelona, where we will continue to show how monitoring the network with SolarWinds will keep you ahead of the game. At our booth (WEP 1A), we will demonstrate how SolarWinds network solutions can help. As a bonus, we are also hosting a pre-event webinar - Blame the Network, Hybrid IT Edition with our SolarWinds Head Geek™, Patrick Hubbard on January 24th - GMT (UTC+0): 10:00 a.m. to 11:00 a.m. There's still time to RSVP.

Home > Success Center > Log & Event Manager (LEM) > Monitor Cisco VPN Logon / Logoff Activity using LEM

Monitor Cisco VPN Logon / Logoff Activity using LEM

Table of contents
Created by Craig O’ Neill, last modified by Jason Dee on Jan 17, 2018

Views: 2,713 Votes: 0 Revisions: 7

Updated January 17, 2018

Overview

This article provides information on how to monitor WebVPN/AnyConnect logon and logoff activity through a Cisco ASA firewall.

Environment

  • LEM all versions
  • Cisco IOS/ASA device

Detail

For a list of all Cisco IOS/ASA Syslog events, please see: http://www.cisco.com/c/en/us/td/docs...s/logsevp.html

According to the document above, the Event ID a WebVPN/AnyConnect logon is ASA-6-716001 and a WebVPN/AnyConnect logoff would be ASA-6-716002.

 

You can search for these by creating one of the following queries in nDepth:

 

UserLogon.ProviderSID = *716001

 

UserLogoff.ProviderSID = *716002

 

It is also possible that there are VPN-related logon/logoff events that use other Event IDs, such as ASA-4-113004. Please refer to the above Cisco reference page for more information on their Syslog events.

 

 

 

 

Last modified

Tags

Classifications

Public