SSL VPN event logging...

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL VPN event logging...

L2 Linker

Does the Global Protect functionality produce logs that can be then forwarded to a remote syslog server?

 

8 REPLIES 8

Cyber Elite
Cyber Elite

@megrez80,

Yes. How you would go about doing so is slightly different due to the recent changes to log location in 9.1+ for GlobalProtect, but you have forwarding options across every release. What exactly are you looking to forward, and what what release are you actively running? 

I want to get connect/disconnect events and possibly session statistics.

 

I'm currently on 9.1.0-h3.

 

@megrez80,

Are you actually still running 9.1.0? If so, I would migrate to a newer release so you get some of those all important bug fixes from that initial release.

 

More directly to your question, under your device Log Settings you would want to add entries under the GlobalProtect logs. You would simply want an entry to capture the login/logout stage, as the logout event will include the login duration field which is measured in seconds. 

((stage eq login) or (stage eq logout)) and not (auth_method eq Cookie)

Note that I've selected to not show Cookie authentications, but whether or not you include that statement is up to you and your configuration. Arguably, if your syslog server has enough space you might want to just not include a filter and keep 'All Logs' specified so your syslog server gets everything, but that may not be needed in your case. 

I got vpn event syslog forwarding to work with the configuration step you specified, but the Syslog Server Profile I used had to also be associated with a Log Forwarding Profile. In the Log Forwarding Profile where you specify the Log Type (eg. auth, traffic, tunnel) it did not matter what I used.

 

 

@megrez80,

The wording of your post above was kind of garbled. Are you still having an issue with this or are you good at this point? 

Sorry for the confusion. It's working, regardless of the Log Forwarding Profile Log Type specified.

So now that it's working, I'd like to be able to send thru an IPsec tunnel to a collector on the other end.

I have set my SysLog Server profile with the target IP address, but the logs aren't getting into the tunnel.

 

Is there a trick to accomplish this?

It's now getting into the tunnel. I had to set a source interface/address on the syslog service route.

 

  • 6204 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!