How to calculate cisco asa VPN session duration time

johnward4
Communicator

Here are the Cisco ASA logs I have coming in, broken down by eventtype=cisco_vpn_start and eventtype=cisco_vpn_end:

index=csco sourcetype=cisco:asa eventtype=cisco_vpn_start
2018-10-31 12:45:35,Local4.Info,192.30.254.2,%ASA-6-722022: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.110.200> UDP SVC connection established without compression

index=csco sourcetype=cisco:asa eventtype=cisco_vpn_end
2018-10-31 13:01:30,Local4.Info,192.31.254.2,%ASA-6-722023: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.60.130> UDP SVC connection terminated without compression

My failed and overly complicated attempt at calculating the session duration:

|multisearch
[search index=csco sourcetype="cisco:asa" eventtype="cisco_vpn_start" src_ip=* user=*
| eval vpn_start = strftime(_time, "%m/%d/%Y %I:%M %p")]
[search index=csco sourcetype="cisco:asa" eventtype="cisco_vpn_end" src_ip=* user=*
| eval vpn_end = strftime(_time, "%m/%d/%Y %I:%M %p")]
| stats values(vpn_start) as vpn_start, values(vpn_end) as vpn_end by src_ip, user
| eval diff_in_minutes=(vpn_start-vpn_end)/60
| table vpn_start, vpn_end, duration, diff_in_minutes, user, src_ip


vince135
Explorer

Hi there,

If you have enabled the right level of logging on your Cisco device, you should have event ID 113019. In this log you have the complete duration of the VPN session, the username, etc. The field is also called duration ...

index=myciscoindex Cisco_ASA_message_id=113019

2020-05-04T12:42:54+02:00 10.66.65.70 :May 04 10:41:42 UTC: %FTD-auth-4-113019: Group = RemoteAccessVPN-MUC, Username = xxx, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: SSL, Duration: 2h:50m:01s, Bytes xmt: 21247692, Bytes rcv: 7087992, Reason: Idle Timeout

I mean you can also do a transaction between the first IP assignment and this duration event to know the time, but I think this is the best way to know the exact session time, as it is the Cisco device itself that gives you that.

cheers

Vince

renjith_nair
SplunkTrust

@johnward4,

Try this:

index=csco sourcetype="cisco:asa" (eventtype="cisco_vpn_start" OR  eventtype="cisco_vpn_end") src_ip=* user=*
|stats earliest(_time) as vpn_start,latest(_time) as vpn_end by user, src_ip
|eval diff_in_minutes=(vpn_end-vpn_start)/60

Note: the above might not work if you have multiple sessions for the same user and source IP in the time range you select.
In that case we might need to consider the session ID (if available) or use transaction with a time interval.

PS: There might be a duration value in the ASA logs, I don't remember though.

Happy Splunking!

johnward4
Communicator

@renjith.nair Thank you! This is the query I'm using right now, and I'm hoping you may know a tweak to be able to list each session by a user with that session's duration time, like a stats list or values to group that info.

index=network sourcetype=cisco:asa (eventtype="cisco_vpn_start" OR eventtype="cisco_vpn_end") src_ip=* user=*
| stats earliest(_time) as vpn_start,latest(_time) as vpn_end by user, src_ip
| eval diff_in_minutes=(vpn_end-vpn_start)/60, duration = round(diff_in_minutes,2)
| eval vpn_logon = strftime(vpn_start, "%m/%d/%Y:%H:%M:%S"), vpn_logoff = strftime(vpn_end, "%m/%d/%Y:%H:%M:%S")
| strcat duration " mins" session_duration
| fields - vpn_start, vpn_end, diff_in_minutes, duration
| table user, src_ip, vpn_logon, vpn_logoff, session_duration
| sort - _time

renjith_nair
SplunkTrust

@johnward4, not sure if I get it correctly, but now you have each user and the corresponding session_duration. Is it possible to provide a dummy sample output?

Happy Splunking!

johnward4
Communicator

I'd like to be able to group all of the users' sessions, session durations, and when they logged on and off of those sessions in a stats list or values table representation.


mpham07
Path Finder

Hi @johnward4,

Did you ever get the search to work? I'm currently going through the same process and wonder if you can share the answer if possible 🙂 Thanks.


renjith_nair
SplunkTrust

Is there a session ID in your events, or do you want to group by user? For example, if your current output is as below, how do you want the grouping?

user    src_ip      vpn_logon   vpn_logoff   session_duration
-------------------------------------------------------------
User1   1.1.1.0     10:00       10:10        10 mins
User1   1.1.1.1     11:10       11:15        05 mins
User2   2.1.1.1     11:30       11:50        20 mins

Happy Splunking!
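As an added example (not from any poster in this thread), here is the per-session pairing logic the searches above need, written in Python over constructed copies of the log lines quoted in the thread: each 722022 start is matched to the next 722023 end for the same user and IP, so a user with several sessions in the window is not collapsed into one earliest/latest pair, an unmatched start is reported as still open, and the Duration field of a 113019 event is converted to seconds. The sample events, including the repeated session for "myuser" and the "other" user, are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample events modelled on the lines quoted in this thread:
# one closed session, a second still-open session for the same user/IP, and another user.
EVENTS = [
    "2018-10-31 12:45:35,Local4.Info,192.30.254.2,%ASA-6-722022: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.110.200> UDP SVC connection established without compression",
    "2018-10-31 13:01:30,Local4.Info,192.31.254.2,%ASA-6-722023: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.110.200> UDP SVC connection terminated without compression",
    "2018-10-31 14:00:00,Local4.Info,192.30.254.2,%ASA-6-722022: Group <Company_Anyconnect_Users> User <myuser> IP <192.168.110.200> UDP SVC connection established without compression",
    "2018-10-31 14:05:00,Local4.Info,192.30.254.2,%ASA-6-722022: Group <Company_Anyconnect_Users> User <other> IP <192.168.60.130> UDP SVC connection established without compression",
]
# The 113019 summary event quoted in the thread (carries its own Duration field).
DISCONNECT_EVENT = ("2020-05-04T12:42:54+02:00 10.66.65.70 :May 04 10:41:42 UTC: %FTD-auth-4-113019: "
                    "Group = RemoteAccessVPN-MUC, Username = xxx, IP = xxx.xxx.xxx.xxx, Session disconnected. "
                    "Session Type: SSL, Duration: 2h:50m:01s, Bytes xmt: 21247692, Bytes rcv: 7087992, Reason: Idle Timeout")

SVC_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),.*%ASA-6-(?P<msgid>72202[23]): "
                    r".*User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")
DUR_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")


def pair_sessions(lines):
    """Return (user, ip, start, end, duration_min) per session; end/duration are None if still open.
    Pairing start->next end per (user, ip) is what a single stats earliest/latest by user, src_ip
    cannot do once the same key has more than one session in the search window."""
    open_start = {}   # (user, ip) -> start time of the session not yet terminated
    sessions = []
    for line in sorted(lines):  # timestamp leads each line, so lexical order is chronological
        m = SVC_RE.search(line)
        if not m:
            continue
        key = (m["user"], m["ip"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["msgid"] == "722022":
            open_start[key] = ts  # a new start without a prior end supersedes the dangling one
        elif key in open_start:
            start = open_start.pop(key)
            sessions.append((*key, start, ts, round((ts - start).total_seconds() / 60, 2)))
    for key, start in open_start.items():  # still connected at the end of the window
        sessions.append((*key, start, None, None))
    return sessions


def duration_seconds(line):
    """Convert the Duration field of a 113019 event (e.g. 2h:50m:01s) to seconds; None if absent."""
    m = DUR_RE.search(line)
    if not m:
        return None
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
```

Reporting the open sessions separately is what lets a dashboard distinguish "still connected" from a session whose end event simply fell outside the selected time range.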
