So I have two searches: one for the client_vpn_asa and one for the nac; they both require regex:
index=client_vpn_asa "ASA-4-722051" | rex field=_raw ".*?ASA-4-722051: Group \<(?<Group>.*?)\> User \<(?<username>.*?)\> IP \<(?<Source_IP>\\d+.\\d+.\\d+.\\d+)\> Address \<(?<Framed_IP>\\d+.\\d+.\\d+.\\d+)\> assigned to session" | fields + _time, host, Group, username, Source_IP, Framed_IP | fields - "_cd","_indextime","_kv","_raw","_serial","_si","_sourcetype"
and
index=nac | rex field=_raw "(?P<Source_IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=_raw "(?P<username>\w{1,30}\\\.\S+)" | rex field=_raw "(?P<email_addr>\S+@\S+)" | eval analysis=if(isnull(username),0,1) | eval user=case(analysis=="0", email_addr, analysis=="1", username)
I tried "join username [search index=nac......]" but it didn't work right.
What I want to do is see how long it takes a user to hit the ASA, get authenticated and then be authorized by the NAC... what is the total time of that transaction, by user?
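The correlation the post is after (pair each user's ASA session assignment with the first later NAC authorization and take the difference), as an added Python example rather than the poster's SPL; the log lines are constructed, the NAC username is assumed to be DOMAIN\user or an e-mail address, and the ASA is assumed to log the bare account name.

```python
import re
from datetime import datetime

# Constructed sample events (not from the original post); ISO-8601 timestamp first.
ASA_LINES = [
    "2024-01-10T08:00:00 asa1 %ASA-4-722051: Group <VPN_USERS> User <jsmith> IP <203.0.113.5> Address <10.20.0.7> assigned to session",
    "2024-01-10T08:05:00 asa1 %ASA-4-722051: Group <VPN_USERS> User <adoe> IP <203.0.113.9> Address <10.20.0.8> assigned to session",
]
NAC_LINES = [
    "2024-01-10T08:00:42 nac1 authorized corp\\jsmith from 10.20.0.7",
    "2024-01-10T08:06:30 nac1 authorized adoe@example.com from 10.20.0.8",
]

# Same fields the post's first rex extracts; octet separators escaped so only dotted quads match.
ASA_RE = re.compile(r"ASA-4-722051: Group <(?P<Group>.*?)> User <(?P<username>.*?)> IP "
                    r"<(?P<Source_IP>\d+\.\d+\.\d+\.\d+)> Address <(?P<Framed_IP>\d+\.\d+\.\d+\.\d+)> assigned to session")
# Assumption: NAC logs DOMAIN\user (username) or an e-mail address (email_addr), as in the post's second search.
NAC_USER_RE = re.compile(r"(?P<username>\w{1,30}\\\S+)")
NAC_EMAIL_RE = re.compile(r"(?P<email_addr>\S+@\S+)")

def normalize(user):
    """corp\\jsmith -> jsmith, jsmith@example.com -> jsmith (assumed ASA convention)."""
    if "\\" in user:
        user = user.rsplit("\\", 1)[1]
    return user.split("@", 1)[0].lower()

def parse_time(line):
    return datetime.fromisoformat(line.split(" ", 1)[0])

def parse_asa(lines):
    """(time, username, Framed_IP) for every ASA-4-722051 session assignment."""
    out = []
    for line in lines:
        m = ASA_RE.search(line)
        if m:
            out.append((parse_time(line), m.group("username").lower(), m.group("Framed_IP")))
    return out

def parse_nac(lines):
    """(time, user) per NAC event, mirroring eval user=case(...): username first, else email."""
    out = []
    for line in lines:
        m = NAC_USER_RE.search(line) or NAC_EMAIL_RE.search(line)
        if m:
            out.append((parse_time(line), normalize(m.group(1))))
    return out

def transaction_times(asa_lines, nac_lines):
    """Seconds from ASA session assignment to that user's first NAC authorization at or after it."""
    nac = sorted(parse_nac(nac_lines))
    result = {}
    for t_asa, user, _ in sorted(parse_asa(asa_lines)):
        for t_nac, nac_user in nac:
            if nac_user == user and t_nac >= t_asa:
                result[user] = (t_nac - t_asa).total_seconds()
                break
    return result
```

A user with an ASA event but no later NAC event is simply absent from the result, which is the case to look for when the join "doesn't work right".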