OpenVPN

VPN data allows you to track user activity while they are connected to the virtual private network, and additionally populates the location map with ingress activity.

Before You Begin

By default, some OpenVPN deployments will log to syslog automatically. Others, like OpenVPN AS, require a change to the configuration.

To enable automatic syslog logging for OpenVPN AS:

  1. Stop the OpenVPN AS service on your machine.
  2. Find the as.conf file, add SYSLOG=true to the file, and save it.
  3. Restart the service.

Rsyslog

If you are using rsyslog, you also need to enable automatically logging over TCP or UDP.

To enable automatic logging for rsyslog:

  1. Stop the service.
  2. Open the configuration file.
  3. If you are using TCP, add in @@IP:port, such as *.info @@10.10.10.1:514.
  4. If you are using UDP, add in *.info @10.10.10.1:514,
  5. Save the file, and restart the service.

You can read more information about this rsyslog configuration http://www.rsyslog.com/doc/rsyslog_conf_examples.html.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the VPN icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure your default domain and any Advanced Event Source Settings.
  8. Select Listen on Network Port. Enter the port you used for your syslog or rsyslog configuration.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  9. Click Save.