
Splunk Queries

This document contains log messages and filters to analyze VPN usage and activity. It includes logins and sessions for WebVPN, IPSec VPN, and AnyConnect VPN by user, group, and disconnect reasons. Charts can be created to count logins by user or group and measure bandwidth usage. Failed login attempts and different session events are also logged.
Copyright
© Attribution Non-Commercial (BY-NC)

WebVPN Logins - by user
%ASA-6-716001 | rex field=_raw "Group <(?<group>.*)> User <(?<vpn_user>.*)> IP <" | chart count by vpn_user

WebVPN Logins - by group
%ASA-6-716001 | rex field=_raw "Group <(?<group>.*)> User <(?<vpn_user>.*)> IP <" | chart count by group

VPN Traffic by User
%ASA-4-113019 | rex field=_raw "Bytes xmt: (?<tx>.*), Bytes rcv: (?<rx>.*), Reason" | rex field=_raw "Username = (?<username>.*), IP" | chart eval(round((sum(tx) / 1048576),2)) as total_tx_MB eval(round((sum(rx) / 1048576),2)) as total_rx_MB over username

VPN Disconnect Reasons
%ASA-4-113019 | rex field=_raw "Reason: (?<reason>.*)" | chart count by reason

IPSec VPN Login - By User
%ASA-5-713049 | rex field=_raw "Group = (?<group_name>.*), Username = (?<vpn_user>.*), IP" | chart count by vpn_user

IPSec VPN Login - By Group
%ASA-5-713049 | rex field=_raw "Group = (?<group_name>.*), Username = (?<vpn_user>.*), IP" | chart count by group_name

AnyConnect Login - by user
%ASA-6-113039 | rex field=_raw "User <(?<vpn_user>.*)> IP" | chart count by vpn_user

AnyConnect Login - by group
%ASA-6-113039 | rex field=_raw "Group <(?<group_name>.*)> User" | chart count by group_name

Failed VPN Login attempts
%ASA-6-113005 OR %ASA-6-113015 | rex field=_raw ": reason = (?<reason>.*) : (?<database>.*) : user = (?<vpn_user>.*)" | chart count by vpn_user

%ASA-6-113015 - WebVPN Failed password
%ASA-6-113005 - IPsec Client failed, also AnyConnect?
IPSec: Session started - %ASA-5-713049, Session disconnected - %ASA-5-713050
WebVPN: Session started - %ASA-6-716001, Session disconnected - %ASA-6-716002
AnyConnect: Session started - %ASA-6-113039, Session disconnected - %ASA-6-716002
%ASA-4-113019 - Disconnect for all kinds, shows bandwidth, duration, etc.
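
Added example, not part of the original document: a Python check that runs the "VPN Traffic by User" and "Failed VPN Login attempts" extractions against constructed ASA-style lines before they feed a dashboard. The sample lines, the trailing "user IP" field and the stricter FAILED_STRICT pattern are assumptions for illustration; the point is that the greedy `.*` user capture absorbs whatever follows the user name and splits one account into several chart rows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines shaped like the messages the searches target.
SAMPLE = [
    "%ASA-4-113019: Group = staff, Username = alice, IP = 198.51.100.7, "
    "Session disconnected. Session Type: SSL, Duration: 0h:10m:02s, "
    "Bytes xmt: 2097152, Bytes rcv: 1048576, Reason: User Requested",
    "%ASA-4-113019: Group = staff, Username = alice, IP = 198.51.100.7, "
    "Session disconnected. Session Type: SSL, Duration: 1h:00m:00s, "
    "Bytes xmt: 524288, Bytes rcv: 3145728, Reason: Idle Timeout",
    "%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure "
    ": server = 192.0.2.10 : user = bob",
    "%ASA-6-113015: AAA user authentication Rejected : reason = Invalid "
    "password : local database : user = bob",
    # Constructed variant: an extra field follows the user name.
    "%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure "
    ": server = 192.0.2.10 : user = carol : user IP = 203.0.113.9",
]

# The rex patterns from the searches, in Python's (?P<name>...) syntax.
USER = re.compile(r"Username = (?P<username>.*), IP")
BYTES = re.compile(r"Bytes xmt: (?P<tx>.*), Bytes rcv: (?P<rx>.*), Reason")
FAILED = re.compile(
    r": reason = (?P<reason>.*) : (?P<database>.*) : user = (?P<vpn_user>.*)")
# Assumed stricter variant (not from the page): user name has no whitespace.
FAILED_STRICT = re.compile(
    r": reason = (?P<reason>.*?) : (?P<database>.*?) : user = (?P<vpn_user>\S+)")

def traffic_mb(lines):
    """Per-user (tx_MB, rx_MB) totals, as in the VPN Traffic by User chart."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        u, b = USER.search(line), BYTES.search(line)
        if "%ASA-4-113019" in line and u and b:
            totals[u["username"]][0] += int(b["tx"])
            totals[u["username"]][1] += int(b["rx"])
    return {user: (round(tx / 1048576, 2), round(rx / 1048576, 2))
            for user, (tx, rx) in totals.items()}

def failed_logins(lines, pattern):
    """Failed-login count per extracted user, as in the failed-login chart."""
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m and ("%ASA-6-113005" in line or "%ASA-6-113015" in line):
            hits[m["vpn_user"]] += 1
    return dict(hits)
```

Comparing failed_logins(SAMPLE, FAILED) with failed_logins(SAMPLE, FAILED_STRICT) shows whether a given log format needs the tighter capture before per-user failure counts are trusted.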
