Wednesday, January 10, 2018

Logging VPN connections on an ASA (RADIUS authentication)

I am trying to figure out the best way to log user VPN connections to our ASA. I have set up a Graylog server (very new to Graylog) with the intention of using this, but am having trouble filtering for just these connections (really the only thing currently of interest). Authentication is happening via RADIUS (NPS on Windows Server 2012), and I've considered this as another avenue for tracking logins and logouts.

The part that is making this a little more confusing is that we have a site-to-site VPN connection that is also IPsec, and we also use the same RADIUS server to authenticate our BYOD network, so there are more events than I can sift through by hand to find the correct IDs. I'm just not sure which events I should be filtering for or how to go about this, either with the logs directly from Windows Server NPS or from Graylog.

Edit:

And just as a note, I've found the logs for NPS, but the files are a pain to open and parse / search (but I CAN find the info I need), unless someone has a better solution for that as well.


