VPN

VPN logs provide visibility into users' remote network ingress activity and allow you to collect and verify information about user activity.

Firewall and VPN

In most cases, VPN logs can be sent along with the firewall data. Event sources in InsightIDR are marked with the data types they support (such as Cisco ASA Firewall/VPN), and parsing of the logs into their respective categories happens automatically. Note that VPN log settings are often separate from firewall log settings.

If you have a separate VPN appliance, or if you wish to send VPN logs separate from your firewall logs, create a new VPN event source.

Ingress Activity Logs

Once VPN events are processed, you'll be able to view and query the raw events in Log Search. A new Ingress Activity Log Set is automatically added to the list, with the event source(s) nested below. Selecting this log set and applying the selection shows the VPN events, along with their geolocation data points (based on a GeoIP lookup of the source address).

Configure VPN Event Sources

The Insight Platform supports the following types of VPN logs and collection methods:

InsightIDR also supports:

  • Fortinet FortiGate
  • SonicWALL Firewall & VPN

Collect VPN logs with syslog

Before you can start to collect VPN logs with syslog, you'll need to complete the following steps:

  1. Configure the VPN device to send syslog to the collector on a unique UDP or TCP port (above 1024).
  2. Document the IP address ranges the VPN appliance uses.
  3. Find and document the folder that contains the syslog logs from your VPN appliance.
  4. Ensure that this folder can be connected to as a network share by the InsightIDR collector.
    • Please review specific vendor documentation on how to do this.
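As an added example (not Rapid7's code and not part of the original page), the script below shows what the documented IP ranges from step 2 are good for once the ingress events arrive: it parses a few constructed, vendor-neutral VPN syslog lines, counts logins per user, and flags any session whose assigned client address falls outside the documented VPN pools. The log layout, pool ranges and field names are assumptions chosen for illustration; real appliances use their own formats, which InsightIDR parses for you.

```python
import ipaddress
import re
from collections import defaultdict

# Documented VPN client address pools (constructed values; substitute the
# ranges you recorded in step 2 of the syslog checklist).
VPN_POOLS = [
    ipaddress.ip_network("10.200.0.0/22"),
    ipaddress.ip_network("10.201.0.0/24"),
]

# Constructed syslog lines in a simplified, vendor-neutral key=value layout.
SAMPLE_LOGS = """\
<134>Mar 03 08:12:41 vpn01 vpnd: user=alice src=203.0.113.7 assigned=10.200.1.15 action=login
<134>Mar 03 08:13:02 vpn01 vpnd: user=bob src=198.51.100.23 assigned=10.200.2.40 action=login
<134>Mar 03 08:15:19 vpn01 vpnd: user=alice src=203.0.113.7 assigned=10.200.1.15 action=logout
<134>Mar 03 08:20:55 vpn01 vpnd: user=carol src=192.0.2.88 assigned=10.77.0.9 action=login
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) src=(?P<src>\S+) assigned=(?P<assigned>\S+) action=(?P<action>\S+)"
)


def parse_line(line):
    """Return the ingress fields of one syslog line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def in_documented_pool(addr):
    """True when the assigned client address lies inside a documented VPN pool."""
    ip = ipaddress.ip_address(addr)
    return any(ip in pool for pool in VPN_POOLS)


def summarize(text):
    """Count logins per user and list sessions assigned an address outside the pools."""
    logins = defaultdict(int)
    unexpected = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # not an ingress event we understand; leave it to the SIEM parser
        if ev["action"] == "login":
            logins[ev["user"]] += 1
        if not in_documented_pool(ev["assigned"]):
            unexpected.append((ev["user"], ev["assigned"]))
    return dict(logins), unexpected


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

A session outside the documented pools usually means the pool list is stale or a second VPN device is emitting to the same collector port, both of which are worth fixing before the geolocation and ingress views are trusted.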

Microsoft VPN

Note that many Microsoft VPN event sources have a Watch Directory collection method, which allows your Collector to pull the logs from the event source. This is often an easier collection method than syslog.