Dashboards & Visualizations

How can I show currently logged in VPN users?

jjensenc1data
New Member

Sure would be nice to know if it can do this before beating my head bloody attempting it. I need a real-time executive summary dashboard that shows currently logged-in VPN users. These two Windows system event entries could be used to populate it.

Event ID 20200, logged by the RemoteAccess source:

The user joebob connected on port VPN5-127 has been assigned address 192.168.1.12

Event ID 20201, logged by the RemoteAccess source:

The user with ip address 192.168.1.12 has disconnected

We can show Joe connected and at what time, but we will need to track events 20201, watching for his IP address so we can drop him from the list. This is only the start, though. If I click Joe while he's connected, I want to see a summary of his activity for the last thirty days. Not the raw log entries, but another dashboard or form, etc., that weeds out all the unnecessary stuff in the message below and reports the facts.

This event is ID 20194, logged by the RemoteAccess source:

The user joebob connected on port VPN5-127 on 11/2/2010 at 10:51 PM and disconnected on 11/2/2010 at 11:06 PM. The user was active for 14 minutes 20 seconds. 15692270 bytes were sent and 873906 bytes were received. The reason for disconnecting was user request.

A table showing the last X days like this would be great.

Connect Date Time        Disconnect Date Time     Duration
11/02/2010 10:50 PM      11/03/2010 01:30 AM      3 hrs 50 min
11/03/2010 09:30 PM      11/04/2010 12:10 AM      2 hrs 40 min

What do you folks think?

0 Karma

mmahan
New Member

sourcetype=vpn (event_id=20200 OR event_id=20201)
| transaction vpn_ip_address startswith="connected" endswith="disconnected" keepevicted=true
| search closed_txn=0
| table vpn_user vpn_ip_address _time

You will need to create two extractions:
vpn_user
vpn_ip_address

vpn_user should capture the username
vpn_ip_address should capture the ip address the user is assigned

Hope it works for you!

0 Karma
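The open-transaction idea in the answer above (pair each 20200 connect with the 20201 disconnect for the same address and report the pairs that never closed), written out as an added Python example rather than anything posted in this thread. Everything it runs over is constructed: five sample events in the two message formats quoted in the question, with invented timestamps, users and addresses, and `track_sessions` / `currently_connected` are hypothetical names for the example. The join key is the assigned IP because the disconnect message carries only the IP, which is also why a reassigned address has to overwrite any stale open entry rather than sit behind it.

```python
"""Track currently connected VPN users from RemoteAccess events 20200/20201.

Added example, not code from the original thread: a plain-Python equivalent
of `transaction vpn_ip_address ... keepevicted=true | search closed_txn=0`,
run over constructed sample events in the formats quoted in the question.
"""
import re
from datetime import datetime

CONNECT_RE = re.compile(
    r"The user (?P<user>\S+) connected on port (?P<port>\S+) "
    r"has been assigned address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
DISCONNECT_RE = re.compile(
    r"The user with ip address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) has disconnected"
)

# Constructed sample events: (timestamp, event_id, message). 192.168.1.12 is
# handed to joebob, released, and later reassigned to alice; the last line is a
# disconnect for an address that was never seen connecting.
SAMPLE_EVENTS = [
    ("2010-11-02 22:51:00", 20200, "The user joebob connected on port VPN5-127 has been assigned address 192.168.1.12"),
    ("2010-11-02 22:55:00", 20200, "The user sally connected on port VPN5-128 has been assigned address 192.168.1.13"),
    ("2010-11-02 23:06:00", 20201, "The user with ip address 192.168.1.12 has disconnected"),
    ("2010-11-02 23:10:00", 20200, "The user alice connected on port VPN5-127 has been assigned address 192.168.1.12"),
    ("2010-11-02 23:30:00", 20201, "The user with ip address 192.168.1.99 has disconnected"),
]


def track_sessions(events):
    """Replay events in time order; return (open_sessions, closed_sessions).

    open_sessions maps assigned IP -> session dict for users still connected
    (the equivalent of closed_txn=0); closed_sessions lists completed sessions.
    The disconnect event carries only the IP, so the IP is the join key.
    """
    open_sessions = {}
    closed_sessions = []
    for ts, event_id, msg in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 20200:
            m = CONNECT_RE.search(msg)
            if not m:
                continue
            # A new lease on an address that still looks open means the
            # disconnect was missed: retire the stale entry, do not lose the new one.
            stale = open_sessions.pop(m["ip"], None)
            if stale is not None:
                closed_sessions.append(stale)  # "disconnected" stays None: unknown
            open_sessions[m["ip"]] = {
                "user": m["user"], "port": m["port"], "ip": m["ip"],
                "connected": when, "disconnected": None,
            }
        elif event_id == 20201:
            m = DISCONNECT_RE.search(msg)
            if not m:
                continue
            sess = open_sessions.pop(m["ip"], None)
            if sess is None:
                continue  # disconnect with no open session: nothing to close
            sess["disconnected"] = when
            closed_sessions.append(sess)
    return open_sessions, closed_sessions


def currently_connected(events):
    """The executive-summary view: sorted (user, ip, connected-at) tuples."""
    open_sessions, _ = track_sessions(events)
    return sorted((s["user"], s["ip"], s["connected"]) for s in open_sessions.values())


if __name__ == "__main__":
    for user, ip, since in currently_connected(SAMPLE_EVENTS):
        print(f"{user:<10} {ip:<15} since {since:%m/%d/%Y %I:%M %p}")
```

Running it lists alice and sally as connected and joebob as a closed 15-minute session; the stray disconnect for 192.168.1.99 is ignored, which is the same behaviour as a transaction with no matching start.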

araitz
Splunk Employee

The field extractions are almost certainly better done in props/transforms.conf:

sourcetype=vpn event_id=20194 
| rex "The\suser\s(?<user>\S+)\sconnected\son\sport\s(?<src_port>\S+)\son\s(?<connect_date>\S+)\sat\s(?<connect_time>\S+\s\S+)\sand\sdisconnected\son\s(?<disconnect_date>\S+)\sat\s(?<disconnect_time>\S+\s\S+)\.\s+The\suser\swas\sactive\sfor\s(?<Duration>[^\.]+)\.\s+(?<bytes_sent>\S+)\sbytes\swere\ssent\sand\s(?<bytes_received>\S+)\sbytes\swere\sreceived\.\s+The\sreason\sfor\sdisconnecting\swas\s(?<reason>[^\.]+) 
| strcat connect_date " " connect_time "Connect Date Time"
| strcat disconnect_date " " disconnect_time "Disconnect Date Time"
| stats count by "Connect Date Time" "Disconnect Date Time" Duration user
| fields "Connect Date Time" "Disconnect Date Time" Duration
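The rex in the search above ported to Python as an added example (not the thread's own code), so the extraction can be exercised offline against messages in the 20194 format quoted in the question. The three messages, the cutoff date `SAMPLE_NOW`, and the function names are constructed for the example. It builds the Connect/Disconnect/Duration table the question asks for, filtered to one user over the last N days, and compares the reported duration with the difference of the two timestamps: in the page's own sample message they disagree by 40 seconds because the timestamps carry only minute resolution, so the Duration sentence is the value to report.

```python
"""Summarize RemoteAccess event 20194 into a per-user session table.

Added example, not code from the original thread: the rex from the answer
above as a Python named-group regex, plus the table the question asks for.
Sample messages and the cutoff date are constructed.
"""
import re
from datetime import datetime, timedelta

SUMMARY_RE = re.compile(
    r"The user (?P<user>\S+) connected on port (?P<src_port>\S+) "
    r"on (?P<connect_date>\S+) at (?P<connect_time>\S+ \S+) "
    r"and disconnected on (?P<disconnect_date>\S+) at (?P<disconnect_time>\S+ \S+)\.\s+"
    r"The user was active for (?P<duration>[^.]+)\.\s+"
    r"(?P<bytes_sent>\d+) bytes were sent and (?P<bytes_received>\d+) bytes were received\.\s+"
    r"The reason for disconnecting was (?P<reason>[^.]+)"
)
DURATION_RE = re.compile(r"(\d+)\s+(day|hour|minute|second)s?")
TIME_FMT = "%m/%d/%Y %I:%M %p"  # 11/2/2010 10:51 PM (no zero padding in the log)

# Constructed sample messages in the format quoted in the question.
SAMPLE_20194 = [
    "The user joebob connected on port VPN5-127 on 11/2/2010 at 10:51 PM and disconnected on 11/2/2010 at 11:06 PM. The user was active for 14 minutes 20 seconds. 15692270 bytes were sent and 873906 bytes were received. The reason for disconnecting was user request.",
    "The user joebob connected on port VPN5-127 on 11/3/2010 at 9:30 PM and disconnected on 11/4/2010 at 12:10 AM. The user was active for 2 hours 40 minutes 5 seconds. 4096 bytes were sent and 2048 bytes were received. The reason for disconnecting was user request.",
    "The user sally connected on port VPN5-128 on 11/3/2010 at 8:00 AM and disconnected on 11/3/2010 at 8:30 AM. The user was active for 30 minutes 0 seconds. 10 bytes were sent and 20 bytes were received. The reason for disconnecting was administrative request.",
]
SAMPLE_NOW = datetime(2010, 11, 5)  # constructed "now" for the last-N-days filter


def parse_duration(text):
    """'2 hours 40 minutes 5 seconds' -> timedelta (unknown units are ignored)."""
    parts = {unit + "s": int(n) for n, unit in DURATION_RE.findall(text)}
    return timedelta(**parts)


def parse_summary(msg):
    """One 20194 message -> dict of typed fields, or None if it does not match."""
    m = SUMMARY_RE.search(msg)
    if not m:
        return None
    return {
        "user": m["user"],
        "port": m["src_port"],
        "connected": datetime.strptime(f"{m['connect_date']} {m['connect_time']}", TIME_FMT),
        "disconnected": datetime.strptime(f"{m['disconnect_date']} {m['disconnect_time']}", TIME_FMT),
        "duration": parse_duration(m["duration"]),
        "bytes_sent": int(m["bytes_sent"]),
        "bytes_received": int(m["bytes_received"]),
        "reason": m["reason"],
    }


def session_table(messages, user, days, now=None):
    """Rows for one user's sessions that started within the last `days` days."""
    cutoff = (now or datetime.now()) - timedelta(days=days)
    rows = [s for s in map(parse_summary, messages)
            if s and s["user"] == user and s["connected"] >= cutoff]
    return sorted(rows, key=lambda s: s["connected"])


def reported_vs_clock_gap(session):
    """Seconds by which the Duration sentence and the two timestamps disagree."""
    clock = session["disconnected"] - session["connected"]
    return abs(int((clock - session["duration"]).total_seconds()))


def fmt_duration(td):
    total = int(td.total_seconds())
    return f"{total // 3600} hrs {total % 3600 // 60} min"


if __name__ == "__main__":
    print("Connect Date Time        Disconnect Date Time     Duration")
    for s in session_table(SAMPLE_20194, "joebob", 30, SAMPLE_NOW):
        print(f"{s['connected']:%m/%d/%Y %I:%M %p}      "
              f"{s['disconnected']:%m/%d/%Y %I:%M %p}      {fmt_duration(s['duration'])}")
```

The drilldown the question describes is `session_table(..., user, 30)` for the clicked user; anything that fails the regex is dropped rather than producing a half-filled row, which is the same outcome as a rex that does not match in Splunk.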