Cisco Security Suite & VPN Statistics

cellison
Explorer

I have data coming in via UDP port #514 and I changed the REGEX to "%ASA-\d+-\d+" and I now have data coming in to the Cisco Security Suite.

I use the following search to obtain data for VPN: "process="%ASA-5-722033" sourcetype=syslog"

This will give me a list of TCP and UDP connections along with the VPN user etc. However, what I really need is to be able to see the total RX & TX for the time period I specify for each user.

Can anyone help with this? Is there a way to get the output to be in a graphical representation?

Thank you all very much.

cellison
Explorer

I think I may have figured out a way to get the info I was searching for. However, I'd like some feedback to see if I am interpreting the data correctly.

I put together this search: source="udp:514" sourcetype="syslog" index="main" "username" "DefaultWEBVPNGroup"

Then I specify a date parameter and it looks like I get what I need. It appears that I get the initial VPN session connection and then I also get the disconnect if it is in the same time period I searched for. In that disconnect event, it has "Bytes xmt & Bytes rcv."

Am I correct in my interpretation that this was the total data transmitted and received for that VPN session?

Here is a sample output:

Dec 8 16:50:46 10.110.255.1 Dec 08 2013 16:52:03 ASA : %ASA-4-113019: Group = DefaultWEBVPNGroup, Username = ********, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 0h:14m:47s, Bytes xmt: 1651278, Bytes rcv: 289109, Reason: User Requested

Thanks for any input.

0 Karma

cellison
Explorer

Thanks for changing the title. No matter what captcha I tried when doing an update, it would not pass. However, I could comment just fine and the captcha would work.

Do you perhaps know of a way to get this data in a chart form showing the TX and RX?

0 Karma

halr9000
Motivator

Your interpretation certainly makes sense. Maybe there's some doc from Cisco that would shed some real light.

0 Karma

cellison
Explorer

Sorry for the wrong title. It should be "Cisco Security Suite & VPN Statistics." I have tried updating the title, but cannot get past any of the reCAPTCHA security phrases. Bug perhaps?

0 Karma
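The per-user totals asked about in this thread, worked through outside Splunk as an added example (not code from any poster or from Splunk): it parses the `%ASA-4-113019` disconnect format shown in the sample line and sums `Bytes xmt` / `Bytes rcv` per username across sessions. The sample lines, usernames and IP addresses are constructed, and the regex assumes the field order of the line quoted above.

```python
import re
from collections import defaultdict

# Field layout taken from the %ASA-4-113019 sample line quoted in this thread.
DISCONNECT_RE = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<type>[^,]+), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)

PREFIX = "Dec 8 16:50:46 10.110.255.1 Dec 08 2013 16:52:03 ASA : "
# Constructed sample input: users, IPs and counters are made up.
SAMPLE_LINES = [
    PREFIX + "%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = alice, IP = 192.0.2.10, Session disconnected. Session Type: SSL, Duration: 0h:14m:47s, Bytes xmt: 1651278, Bytes rcv: 289109, Reason: User Requested",
    PREFIX + "%ASA-5-722033: Group <DefaultWEBVPNGroup> User <alice> IP <192.0.2.10> First TCP SVC connection established for SVC session.",
    PREFIX + "%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = alice, IP = 192.0.2.10, Session disconnected. Session Type: SSL, Duration: 1h:01m:01s, Bytes xmt: 1000, Bytes rcv: 500, Reason: Idle Timeout",
    PREFIX + "%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = bob, IP = 192.0.2.20, Session disconnected. Session Type: SSL, Duration: 0h:00m:30s, Bytes xmt: 2048, Bytes rcv: 4096, Reason: User Requested",
    PREFIX + "%ASA-4-113019: Group = DefaultWEBVPNGroup, Username = bob, IP = 192.0.2.20, Session disconnected. Session Type: SSL, Duration: 0h:05m:00s, Bytes xmt: 12",  # truncated
]

def parse_disconnect(line):
    """Return the session fields of a 113019 disconnect event, or None."""
    m = DISCONNECT_RE.search(line)
    if m is None:
        return None
    seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {"user": m["user"], "group": m["group"], "seconds": seconds,
            "xmt": int(m["xmt"]), "rcv": int(m["rcv"]), "reason": m["reason"]}

def totals_by_user(lines):
    """Sum per-session counters across all disconnect events for each user."""
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0, "xmt": 0, "rcv": 0})
    skipped = 0
    for line in lines:
        event = parse_disconnect(line.rstrip())
        if event is None:
            skipped += 1  # connect events, other ASA messages, truncated lines
            continue
        row = totals[event["user"]]
        row["sessions"] += 1
        for key in ("seconds", "xmt", "rcv"):
            row[key] += event[key]
    return dict(totals), skipped

if __name__ == "__main__":
    per_user, skipped = totals_by_user(SAMPLE_LINES)
    for user, row in sorted(per_user.items()):
        print(user, row)
    print("lines skipped:", skipped)
```

Because each disconnect event carries the counters for one session, a session only contributes to a user's total when its disconnect falls inside the time range being searched.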