I have data coming in via UDP port #514 and I changed the REGEX to "%ASA-\d+-\d+" and I now have data coming in to the Cisco Security Suite.
I use the following search to obtain data for VPN: "process="%ASA-5-722033" sourcetype=syslog"
This will give me a list of TCP and UDP connections along with the VPN user etc. However, what I really need is to be able to see the total RX & TX for the time period I specify for each user.
Can anyone help with this? Is there a way to get the output to be in a graphical representation?
Thank you all very much.
I think I may have figured out a way to get the info I was searching for. However, I'd like some feedback to see if I am interpreting the data correctly.
I put together this search: source="udp:514" sourcetype="syslog" index="main" "username" "DefaultWEBVPNGroup"
Then I specify a date parameter and it looks like I get what I need. It appears that I get the initial VPN session connection and then I also get the disconnect if it is in the same time period I searched for. In that disconnect event, it has "Bytes xmt & Bytes rcv."
Am I correct in my interpretation that this was the total data transmitted and received for that VPN session?
Here is a sample output:
Dec 8 16:50:46 10.110.255.1 Dec 08 2013 16:52:03 ASA : %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = ********, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 0h:14m:47s, Bytes xmt: 1651278, Bytes rcv: 289109, Reason: User Requested
Thanks for any input.
Thanks for changing the title. No matter what captcha I tried when doing an update, it would not pass. However, I could comment just fine and the captcha would work.
Do you perhaps know of a way to get this data in a chart form showing the TX and RX?
Your interpretation certainly makes sense. Maybe there's some doc from Cisco that would shed some real light.
Sorry for the wrong title. It should be "Cisco Security Suite & VPN Statistics." I have tried updating the title, but cannot get past any of the reCAPTCHA security phrases. Bug perhaps?
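
One way to total the bytes per user from the %ASA-4-113019 disconnect events shown in the sample above, as an added example that is not part of the original thread. The source, sourcetype and index values are copied from the search quoted in the thread; the field names vpn_user, client_ip, bytes_xmt, bytes_rcv, sessions, total_xmt, total_rcv, xmt_MB and rcv_MB are assumptions introduced here, and the two rex patterns are written against the sample event's layout only.

```spl
source="udp:514" sourcetype="syslog" index="main" "%ASA-4-113019"
| rex "Username = (?<vpn_user>[^,]+), IP = (?<client_ip>[^,]+), Session disconnected"
| rex "Bytes xmt: (?<bytes_xmt>\d+), Bytes rcv: (?<bytes_rcv>\d+)"
| stats count AS sessions sum(bytes_xmt) AS total_xmt sum(bytes_rcv) AS total_rcv BY vpn_user
| eval xmt_MB=round(total_xmt/1024/1024, 2), rcv_MB=round(total_rcv/1024/1024, 2)
| fields vpn_user sessions xmt_MB rcv_MB
| sort - xmt_MB
```

Pick the period with the time range picker and switch to the Visualization tab to render the result as a column chart per user. Only sessions whose disconnect event falls inside the selected time range are counted.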