OpenVPN
VPN data allows you to track user activity while they are connected to the virtual private network, and additionally populates the location map with ingress activity.
Before You Begin
By default, some OpenVPN deployments will log to syslog automatically. Others, like OpenVPN AS, require a change to the configuration.
To enable automatic syslog logging for OpenVPN AS:
- Stop the OpenVPN AS service on your machine.
- Find the
as.conffile, addSYSLOG=trueto the file, and save it. - Restart the service.
Rsyslog
If you are using rsyslog, you also need to enable automatically logging over TCP or UDP.
To enable automatic logging for rsyslog:
- Stop the service.
- Open the configuration file.
- If you are using TCP, add in
@@IP:port, such as*.info @@10.10.10.1:514. - If you are using UDP, add in
*.info @10.10.10.1:514, - Save the file, and restart the service.
You can read more information about this rsyslog configuration http://www.rsyslog.com/doc/rsyslog_conf_examples.html.
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for OpenVPN in the event sources search bar.
- In the Product Type filter, select VPN.
- Select the OpenVPN event source tile.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Configure your default domain and any Advanced Event Source Settings.
- Select Listen on Network Port. Enter the port you used for your syslog or rsyslog configuration.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.