SSL VPN event logging...

L2 Linker

Does the GlobalProtect functionality produce logs that can then be forwarded to a remote syslog server?

 

Cyber Elite

@megrez80,

Yes. How you would go about doing so is slightly different due to the recent changes to log location in 9.1+ for GlobalProtect, but you have forwarding options across every release. What exactly are you looking to forward, and what release are you actively running?

L2 Linker

I want to get connect/disconnect events and possibly session statistics.

 

I'm currently on 9.1.0-h3.

 

Cyber Elite

@megrez80,

Are you actually still running 9.1.0? If so, I would migrate to a newer release so you get some of those all-important bug fixes from that initial release.

 

More directly to your question, under your device Log Settings you would want to add entries under the GlobalProtect logs. You would simply want an entry to capture the login/logout stage, as the logout event will include the login duration field which is measured in seconds. 

((stage eq login) or (stage eq logout)) and not (auth_method eq Cookie)

Note that I've selected to not show Cookie authentications, but whether or not you include that statement is up to you and your configuration. Arguably, if your syslog server has enough space you might want to just not include a filter and keep 'All Logs' specified so your syslog server gets everything, but that may not be needed in your case. 
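To check which events a filter like the one above would select before relying on it, here is an added example (not part of the original posts and not PAN-OS code) that models the filter syntax in Python and runs it over constructed records. The operator precedence, exact-match semantics, the `login_duration` key and all sample field values are assumptions made for illustration.

```python
import re
FILTER = "((stage eq login) or (stage eq logout)) and not (auth_method eq Cookie)"
EVENTS = [  # constructed sample records, not real firewall output
    {"user": "alice", "stage": "login", "auth_method": "LDAP"},
    {"user": "bob", "stage": "login", "auth_method": "Cookie"},
    {"user": "alice", "stage": "connected", "auth_method": "LDAP"},
    {"user": "alice", "stage": "logout", "login_duration": "5400"},
]

def parse(expr):  # assumed precedence in this model: not, then and, then or
    toks = re.findall(r"[()]|[^\s()]+", expr)
    def take(expected=None):
        tok = toks.pop(0) if toks else None
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        return tok
    def chain(word, operand):
        node = operand()
        while toks[:1] == [word]:
            take()
            node = (word, node, operand())
        return node
    def unary():
        if toks[:1] == ["not"]:
            take()
            return ("not", unary())
        take("(")
        if toks[:1] in (["("], ["not"]):
            node = chain("or", lambda: chain("and", unary))
        else:
            node = ("cmp", take(), take(), take())  # field, operator, value
            if node[2] not in ("eq", "neq"):
                raise ValueError(f"unsupported operator {node[2]!r}")
        take(")")
        return node
    tree = chain("or", lambda: chain("and", unary))
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return tree

def matches(node, event):
    if node[0] == "cmp":  # assumption: exact match; a missing field equals nothing
        return (event.get(node[1]) == node[3]) == (node[2] == "eq")
    results = [matches(child, event) for child in node[1:]]
    return {"not": not results[0], "and": all(results), "or": any(results)}[node[0]]

def forwarded(expr, events):
    tree = parse(expr)
    return [e for e in events if matches(tree, e)]
```

In this model, `forwarded(FILTER, EVENTS)` keeps the non-Cookie login and the logout record, and drops the Cookie login and the non-login/logout stage.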

L2 Linker

I got VPN event syslog forwarding to work with the configuration step you specified, but the Syslog Server Profile I used had to also be associated with a Log Forwarding Profile. In the Log Forwarding Profile where you specify the Log Type (e.g., auth, traffic, tunnel) it did not matter what I used.

 

 

Cyber Elite

@megrez80,

The wording of your post above was kind of garbled. Are you still having an issue with this or are you good at this point? 

L2 Linker

Sorry for the confusion. It's working, regardless of the Log Forwarding Profile Log Type specified.

L2 Linker

So now that it's working, I'd like to be able to send them through an IPsec tunnel to a collector on the other end.

I have set my Syslog Server Profile with the target IP address, but the logs aren't getting into the tunnel.

 

Is there a trick to accomplish this?

L2 Linker

It's now getting into the tunnel. I had to set a source interface/address on the syslog service route.

 
