VPN

VPN logs provide visibility into users' remote network ingress activity and allow you to collect and verify information about user activity.

Firewall and VPN

In most cases, VPN logs can be sent along with the firewall data. Event sources in InsightIDR are marked with the data types they support (such as Cisco ASA Firewall/VPN), and parsing of the logs into their respective categories happens automatically. Note that VPN log settings are often separate from firewall log settings.

If you have a separate VPN appliance, or if you wish to send VPN logs separate from your firewall logs, create a new VPN event source.

Ingress Activity Logs

Once VPN events are processed, you'll be able to view and query the raw events in Log Search. A new Ingress Activity Log Set is automatically added to the list, with the event source(s) nested below it. Selecting this log set and applying it shows VPN events, along with their geolocation data points (based on a GeoIP lookup of the source address).

Configure VPN Event Sources

The Insight Platform supports the following types of VPN logs and collection methods:

Device Type                      Can Fwd Using Syslog   Can Fwd from SIEM or Log Aggregator   Can Read Logs from Folder
Cisco ASA VPN                    Yes                    Yes                                   No
Pulse Connect Secure             Yes                    Yes                                   No
Microsoft IAS (RADIUS)           Yes                    Yes                                   Yes
Microsoft Network Policy Server  Yes                    Yes                                   Yes
Microsoft Remote Web Access      Yes                    Yes                                   Yes
MobilityGuard OneGate            Yes                    Yes                                   No
NetScaler VPN                    Yes                    Yes                                   No
OpenVPN                          Yes                    Yes                                   No
VMware Horizon                   Yes                    Yes                                   No
Barracuda SSL VPN                Yes                    Yes                                   No
Cisco ASC VPN                    Yes                    Yes                                   No
F5 Networks FirePass             Yes                    Yes                                   No

Collect VPN logs with syslog

Before you can start to collect VPN logs with syslog, you'll need to complete the following steps:

  1. Configure the VPN device to send syslog to the collector on a unique UDP or TCP port (above 1024).
  2. Document the IP address ranges the VPN appliance uses.
  3. Find and document the folder that contains the syslog logs from your VPN appliance.
  4. Ensure that this folder can be connected to as a network share by the InsightIDR collector.
    • Please review specific vendor documentation on how to do this.
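The following is an added example, not code from the InsightIDR documentation: it parses constructed Cisco ASA-style VPN syslog lines into the kind of ingress events (user, source address, assigned address, login/logout) that populate the Ingress Activity Log Set, and checks the assigned address against the pool you documented in step 2. The ASA message formats (722051 for session assignment, 113019 for disconnect) and the 10.20.0.0/24 pool are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample syslog lines in the style of a Cisco ASA VPN appliance.
# They are illustrative only and do not come from the documentation page.
SAMPLE_SYSLOG = [
    "<166>Jun 01 2024 10:15:02 asa01 : %ASA-6-113004: AAA user authentication "
    "Successful : server = 10.0.0.5 : user = alice",
    "<166>Jun 01 2024 10:15:03 asa01 : %ASA-6-722051: Group <REMOTE> User <alice> "
    "IP <203.0.113.7> IPv4 Address <10.20.0.15> IPv6 address <::> assigned to session",
    "<164>Jun 01 2024 11:42:10 asa01 : %ASA-4-113019: Group = REMOTE, Username = alice, "
    "IP = 203.0.113.7, Session disconnected. Session Type: SSL, Duration: 1h:27m:07s, "
    "Bytes xmt: 12345, Bytes rcv: 6789, Reason: User Requested",
]

# Step 2 of the procedure: the address pool the VPN appliance hands out (assumed value).
VPN_POOL = ipaddress.ip_network("10.20.0.0/24")

# Session start: the client's public address (IP) and the tunnel address it was assigned.
LOGIN_RE = re.compile(
    r"%ASA-6-722051: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<src>[^>]+)> IPv4 Address <(?P<assigned>[^>]+)>"
)
# Session end: carries the same user and public source address.
LOGOUT_RE = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<src>[^,]+),"
)


def parse_ingress_event(line: str) -> Optional[dict]:
    """Return an ingress event for session start/end lines, or None for other messages."""
    m = LOGIN_RE.search(line)
    if m:
        assigned = ipaddress.ip_address(m["assigned"])
        return {
            "action": "login", "user": m["user"], "source_ip": m["src"],
            "assigned_ip": str(assigned),
            # Flag addresses outside the documented pool so a misconfigured pool is noticed.
            "in_documented_pool": assigned in VPN_POOL,
        }
    m = LOGOUT_RE.search(line)
    if m:
        return {"action": "logout", "user": m["user"], "source_ip": m["src"]}
    return None  # e.g. the AAA success line carries no source address, so it is skipped


def ingress_events(lines: List[str]) -> List[dict]:
    """Parse a batch of syslog lines, keeping only the ingress events."""
    return [e for e in (parse_ingress_event(ln) for ln in lines) if e]
```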

Microsoft VPN

Note that many Microsoft VPN event sources have a Watch Directory collection method, which allows your Collector to pull the logs from the event source. This is often an easier collection method than syslog.