Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find live sessions for VPN connections?

yossefn
Path Finder
‎03-16-2020 11:46 PM

I'm looking for a way to present just live sessions for VPN connections (Juniper SSL VPN).
From the actual logs I can't see anything about the "session state", all I have is just the indicators if a session is opened or closed.

Session open log:

Mar 16 19:35:51 x.x.x.x 233 <134>1 2020-03-16T19:35:51+02:00 x.x.x.x PulseSecure: - - - 2020-03-16 19:35:51 - VPN_NAME- [x.x.x.x] username(user_role)[Junos_Users_Role, RDP_Role, WEB_Provision] - Connected to computer_name port 3389

session close log:

Mar 16 21:37:32 x.x.x.x 288 <134>1 2020-03-16T21:37:32+02:00 x.x.x.x PulseSecure: - - - 2020-03-16 21:37:32 - VPN_NAME- [127.0.0.1] username()[] - Closed connection to computer_name port 3389 after 7301 seconds, with 25908389 bytes read (in 33955 chunks) and 3445084 bytes written (in 59766 chunks)

Can anyone help me to determine active \ live sessions?
Thanks in advance!

Reply

to4kawa
Ultra Champion
‎03-17-2020 02:55 AM 
  your search
| stats count(eval(searchmatch("Connected")) as start count(eval(searchmatch("connection")) as stop by user
| eval live = start - end
| where live > 0

If your VPN can't connect over days, search is easy. else ....

Reply

yossefn
Path Finder
‎03-17-2020 04:43 AM

Here is the final search I'm running. Still there is a gap of around 50 sessions between my results and the actual data in the VPN management system. 

index=vpn juniper_sslvpn_message="Connected to *" OR juniper_sslvpn_message="Closed connection to *" earliest=@d latest=now()
| stats count(eval(searchmatch("Connected"))) as start count(eval(searchmatch("connection"))) as stop by user
| eval live = start - stop
| where live > 0
0 Karma
Reply

yossefn
Path Finder
‎03-17-2020 05:28 AM

@to4kawa , Thank you for you help! I got better results but still have a gap. any idea?

0 Karma
Reply

to4kawa
Ultra Champion
‎03-17-2020 06:42 AM 
 index=vpn juniper_sslvpn_message="Connected to *" OR juniper_sslvpn_message="Closed connection to *" earliest=-2d@d 
 | stats last(juniper_sslvpn_message) as last_message by user
 | search last_message="Connected to *"

search range is more wide and check last message.

0 Karma
Reply

to4kawa
Ultra Champion
‎03-17-2020 02:29 AM

what's username field and time range?
Is there keep-alive log?

0 Karma
Reply

yossefn
Path Finder
‎03-17-2020 02:40 AM

The username field is user, I can't see any keep-alive indicator in the log.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...