Log user activity
User reports that he has logged into VPN 4 times in one week, an hour for 3 sessions, and 2 hours for one session.
Can this activity be logged? Reported on?
- Lucas_Thompson_Historic F5 Account
By default most of this should be logged already, session established messages, usernames, tunnel start, tunnel end.
Look at the syslog output or the file /var/log/apm while you connect a test user and see if the information you're after is there. Each log message will have a session ID used for correlation.
- RyanDM2_175490Nimbostratus
Thanks. I assume that if I am sending logging to a SIEM, it should be able to parse out session length for users.
- Lucas_Thompson_Historic F5 Account
Temporally, yes. That's just a matter of subtracting the timestamps.
Alternatively, you could use the iRule ACCESS_SESSION_COMPLETED event that fires when a session is destroyed, and subtract "session.user.starttime" from the current unix epoch time, then convert that to a human-readable value and log the result.
Helpfully, APM will also log the bytes in/out for that user session.
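The SIEM-side approach discussed in this thread (correlate messages by session ID, then subtract timestamps), as an added example that is not part of any post above. The log lines are constructed in a simplified layout rather than APM's actual message format, and the function names are hypothetical; adapt the regexes to what your own /var/log/apm shows.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified layout (assumption): ISO timestamp,
# 8-hex session ID, free text. Real /var/log/apm messages differ.
SAMPLE_LOG = """\
2024-03-04T09:00:00 a1b2c3d4 New session established
2024-03-04T09:00:05 a1b2c3d4 Username 'jdoe'
2024-03-04T10:00:00 a1b2c3d4 Session deleted
2024-03-05T14:00:00 0f9e8d7c New session established
2024-03-05T14:00:03 0f9e8d7c Username 'jdoe'
2024-03-05T16:00:00 0f9e8d7c Session deleted
2024-03-06T08:30:00 77aa88bb New session established
2024-03-06T08:30:02 77aa88bb Username 'asmith'
"""

LINE = re.compile(r"^(\S+) ([0-9a-f]{8}) (.*)$")
USER = re.compile(r"Username '([^']+)'")

def correlate(log_text):
    """Group lines by session ID and return one record per session."""
    sessions = defaultdict(lambda: {"user": None, "start": None, "end": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not carry a session ID
        ts, sid, msg = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        rec = sessions[sid]
        if "session established" in msg:
            rec["start"] = ts
        elif "Session deleted" in msg:
            rec["end"] = ts
        elif (u := USER.search(msg)):
            rec["user"] = u.group(1)
    return dict(sessions)

def usage_report(sessions):
    """Per user: closed-session count and total seconds; unfinished sessions kept apart."""
    report = defaultdict(lambda: {"sessions": 0, "seconds": 0, "open": []})
    for sid, rec in sessions.items():
        entry = report[rec["user"]]
        if rec["start"] and rec["end"]:
            entry["sessions"] += 1
            entry["seconds"] += int((rec["end"] - rec["start"]).total_seconds())
        else:
            entry["open"].append(sid)  # start or end not seen in this log window
    return dict(report)

if __name__ == "__main__":
    for user, stats in usage_report(correlate(SAMPLE_LOG)).items():
        print(user, stats)
```

Sessions whose start or end falls outside the collected log window are reported as open rather than given a guessed duration.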