Sure would be nice to know if it can do this before beating my head bloody attempting it. I need a real-time executive summary dashboard that shows currently logged-in VPN users. These two Windows system event entries could be used to populate it.
This event is ID 20200 and is logged by the RemoteAccess source.
The user joebob connected on port VPN5-127 has been assigned address 192.168.1.12
This event is ID 20201 and is logged by the RemoteAccess source.
The user with ip address 192.168.1.12 has disconnected
We can show Joe connected and at what time, but will need to track event 20201, watching for his IP address, so we can drop him from the list. This is only the start, though. If I click Joe while he's connected, I want to see a summary of his activity for the last thirty days. Not the raw log entries, but another dashboard, form, etc. that weeds out all the unnecessary stuff in the message below and reports the facts.
This event is ID 20194 and is logged by the RemoteAccess source.
The user joebob connected on port VPN5-127 on 11/2/2010 at 10:51 PM and disconnected on 11/2/2010 at 11:06 PM. The user was active for 14 minutes 20 seconds. 15692270 bytes were sent and 873906 bytes were received. The reason for disconnecting was user request.
A table showing the last X days like this would be great.
Connect Date Time      Disconnect Date Time     Duration
11/02/2010 10:50 PM    11/03/2010 01:30 AM      3 hrs 50 min
11/03/2010 09:30 PM    11/04/2010 12:10 AM      2 hrs 40 min
What do you folks think?
sourcetype=vpn (event_id=20200 OR event_id=20201) | transaction startswith="connected" endswith="disconnected" by vpn_ip_address keepevicted=true | search closed_txn=0 | table vpn_user
You will need to create two extractions:
vpn_user
vpn_ip_address
vpn_user should capture the username
vpn_ip_address should capture the ip address the user is assigned
Hope it works for you!
The field extractions are almost certainly better done in props/transforms.conf:
sourcetype=vpn event_id=20194
| rex "The\suser\s(?<user>\S+)\sconnected\son\sport\s(?<src_port>\S+)\son\s(?<connect_date>\S+)\sat\s(?<connect_time>\S+\s\S+)\sand\sdisconnected\son\s(?<disconnect_date>\S+)\sat\s(?<disconnect_time>\S+\s\S+)\.\s+The\suser\swas\sactive\sfor\s(?<Duration>[^\.]+)\.\s+(?<bytes_sent>\S+)\sbytes\swere\ssent\sand\s(?<bytes_received>\S+)\sbytes\swere\sreceived\.\s+The\sreason\sfor\sdisconnecting\swas\s(?<reason>[^\.]+)
| strcat connect_date " " connect_time connect_datetime
| strcat disconnect_date " " disconnect_time disconnect_datetime
| stats count by connect_datetime disconnect_datetime Duration user
| rename connect_datetime AS "Connect Date Time", disconnect_datetime AS "Disconnect Date Time"
| fields "Connect Date Time" "Disconnect Date Time" Duration
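As an added illustration (my own code, not from either answer and independent of Splunk), this Python replay shows the same logic the question and the rex above describe: 20200/20201 events keyed by the assigned IP yield the currently-connected list, and the 20194 message is parsed with the same field layout to build the per-user drill-down table. The sample events are constructed, and the function and field names are assumptions, not anything from the thread.

```python
import re
from datetime import datetime

# Constructed sample events (event_id, message) mirroring the RemoteAccess messages in the thread.
EVENTS = [
    (20200, "The user joebob connected on port VPN5-127 has been assigned address 192.168.1.12"),
    (20200, "The user alice connected on port VPN5-128 has been assigned address 192.168.1.13"),
    (20201, "The user with ip address 192.168.1.13 has disconnected"),
    (20201, "The user with ip address 192.168.1.99 has disconnected"),  # no matching 20200 seen
    (20194, "The user joebob connected on port VPN5-127 on 11/2/2010 at 10:51 PM and disconnected "
            "on 11/2/2010 at 11:06 PM. The user was active for 14 minutes 20 seconds. "
            "15692270 bytes were sent and 873906 bytes were received. "
            "The reason for disconnecting was user request."),
]

CONNECT_RE = re.compile(r"The user (?P<user>\S+) connected on port (?P<port>\S+) "
                        r"has been assigned address (?P<ip>\S+)")
DISCONNECT_RE = re.compile(r"The user with ip address (?P<ip>\S+) has disconnected")
SUMMARY_RE = re.compile(
    r"The user (?P<user>\S+) connected on port (?P<port>\S+) on (?P<cdate>\S+) at (?P<ctime>\S+ \S+) "
    r"and disconnected on (?P<ddate>\S+) at (?P<dtime>\S+ \S+)\. The user was active for "
    r"(?P<duration>[^.]+)\. (?P<sent>\d+) bytes were sent and (?P<recv>\d+) bytes were received\. "
    r"The reason for disconnecting was (?P<reason>[^.]+)")

def currently_connected(events):
    """Replay 20200/20201 in time order; returns {ip: (user, port)} for sessions still open."""
    open_sessions = {}
    for event_id, msg in events:
        m = CONNECT_RE.search(msg) if event_id == 20200 else None
        if m:
            open_sessions[m["ip"]] = (m["user"], m["port"])  # a reassigned IP replaces the old entry
            continue
        m = DISCONNECT_RE.search(msg) if event_id == 20201 else None
        if m:
            open_sessions.pop(m["ip"], None)                  # 20201 without a known connect: ignore
    return open_sessions

def session_table(events, user):
    """Rows for one user's 20194 summaries: the drill-down table asked for in the question."""
    fmt = "%m/%d/%Y %I:%M %p"
    rows = []
    for event_id, msg in events:
        m = SUMMARY_RE.search(msg) if event_id == 20194 else None
        if not m or m["user"] != user:
            continue
        rows.append({
            "connect": datetime.strptime(f"{m['cdate']} {m['ctime']}", fmt),
            "disconnect": datetime.strptime(f"{m['ddate']} {m['dtime']}", fmt),
            "duration": m["duration"], "reason": m["reason"],
            "bytes_sent": int(m["sent"]), "bytes_received": int(m["recv"]),
        })
    return rows
```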