VPN data allows you to track user activity while they are connected to the virtual private network, and additionally populates the location map with ingress activity.
Before You Begin
By default, some OpenVPN deployments will log to syslog automatically. Others, like OpenVPN AS, require a change to the configuration. For OpenVPN AS, add the following text to the file `as.conf`:
Then, restart the service.
When using rsyslog, the logging should be set to `*.info` and should look similar to the following: `*.info @@10.10.10.1:514` for TCP and `*.info @10.10.10.1:514` for UDP, where `:514` is the port you will use in the InsightOps event source. You can read more information about this rsyslog configuration here.
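To confirm that the forwarding rule on the OpenVPN host matches the protocol and port set on the event source, the shell script below lists the forwarding rules in an rsyslog config file. It is an added example, not Rapid7 or OpenVPN code; the function names and the sample config are constructed for illustration, and it handles only the legacy `@`/`@@` syntax with IPv4 addresses or hostnames.

```shell
#!/bin/sh
# Added example: report rsyslog forwarding rules so they can be compared with
# the protocol and port configured on the event source.

# list_forwards FILE -> one line per rule: "<selector> <tcp|udp> <host> <port>"
list_forwards() {
    awk '
        /^[ \t]*#/ { next }                       # ignore comment lines
        NF >= 2 && $2 ~ /^@/ {
            target = $2
            proto = (target ~ /^@@/) ? "tcp" : "udp"   # @@ = TCP, @ = UDP
            sub(/^@+/, "", target)
            n = split(target, part, ":")
            port = (n >= 2) ? part[2] : "514"     # rsyslog forwards to 514 if no port is given
            print $1, proto, part[1], port
        }
    ' "$1"
}

# forward_matches FILE PROTO PORT -> exit 0 if a *.info rule uses PROTO and PORT
forward_matches() {
    list_forwards "$1" | awk -v p="$2" -v port="$3" '
        $1 == "*.info" && $2 == p && $4 == port { found = 1 }
        END { exit !found }
    '
}

# Constructed sample config; 10.10.10.1 is the example address used on this page.
write_sample_conf() {
    cat > "$1" <<'EOF'
# forward to the collector
*.info @@10.10.10.1:514
#*.info @10.10.10.1:514
auth.* @10.10.10.1:6514
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
list_forwards "$conf"
if forward_matches "$conf" tcp 514; then
    echo "OK: *.info is forwarded over TCP/514"
else
    echo "MISMATCH: no *.info rule for TCP/514"
fi
rm -f "$conf"
```

A rule reported as `udp` cannot be paired with an encrypted event source, since encryption is offered only when TCP is chosen.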
How to Configure This Event Source
- From your dashboard, select Data Collection on the left-hand menu
- At the top right of the page, select the dropdown that says "Setup Event Source" and then choose Add Event Source
- Select the VPN icon from the Security Data section
- Select your collector, and optionally name your event source
- From the list of event source options, choose OpenVPN
- Choose a timezone, or optionally choose a US timezone
- Optionally choose to send unfiltered logs
- Configure any advanced event source settings.
- Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. Optionally choose to Encrypt the event source if choosing TCP
- If you are choosing to encrypt, select the button "Download Certificate" which will download Rapid7's certificate. This file will be called `Rapid7CA.pem` and will allow InsightOps and OpenVPN to "trust" each other during log forwarding.
Advanced Event Source Settings
Inactivity Timeout Threshold: specify in minutes how long the event source should be inactive before it enters an error state.
Fallback Domain(s): If you have event sources running in a multi-domain environment, Rapid7 recommends having a fallback domain in order to resolve any issues with user accounts.
For instance, if your company is in the US and in Canada, but both locations have a user named "John Smith" and your main domain is `company.com`, your fallback domain could be `company.ca`, which would allow InsightOps to more accurately attribute data to the correct user.