VPN
VPN logs provide visibility into users' remote network ingress activity and allow you to collect and verify information about user activity.
Firewall and VPN
In most cases, VPN logs can be sent along with the firewall data. Event sources in InsightIDR are marked with the data types they support (such as Cisco ASA Firewall/VPN), and the logs are parsed into their respective categories automatically. Note that VPN log settings are often configured separately from firewall log settings.
If you have a separate VPN appliance, or if you wish to send VPN logs separate from your firewall logs, create a new VPN event source.
Ingress Activity Logs
Once VPN events are processed, you'll be able to view and query the raw events in Log Search. A new Ingress Activity Log Set is automatically added to the list, with the event source(s) nested below it. Selecting this log set and applying it shows VPN events, along with their geolocation data points (based on a GeoIP lookup of the source address).
Configure VPN Event Sources
The Insight Platform supports the following types of VPN logs and collection methods:
Device Type | Can Fwd Using Syslog | Can Fwd from SIEM or Log Aggregator | Can Read Logs from Folder
---|---|---|---
Cisco ASA VPN | Yes | Yes | No
 | Yes | Yes | No
 | Yes | Yes | Yes
Microsoft Network Policy Server | Yes | Yes | Yes
 | Yes | Yes | Yes
MobilityGuard OneGate | Yes | Yes | No
 | Yes | Yes | No
 | Yes | Yes | No
VMware Horizon | Yes | Yes | No
 | Yes | Yes | No
 | Yes | Yes | No
F5 Networks FirePass | Yes | Yes | No
Collect VPN logs with syslog
Before you can start to collect VPN logs with syslog, you'll need to complete the following steps:
- Configure the VPN device to send syslog to the collector on a unique UDP or TCP port (above 1024).
- Document the IP address ranges the VPN appliance uses.
- Find and document the folder that contains the syslog logs from your VPN appliance.
- Ensure that this folder can be connected to as a network share by the InsightIDR collector.
- Please review specific vendor documentation on how to do this.
Microsoft VPN
Note that many Microsoft VPN event sources support a Watch Directory collection method, which allows your Collector to pull the logs from the event source. This is often an easier collection method than syslog.