Forum Discussion

RyanDM2_175490's avatar
RyanDM2_175490
Icon for Nimbostratus rankNimbostratus
Sep 13, 2016
Solved

Log user activity

User reports that he has logged into vpn 4 times in one week, an hour for 3 sessions, and 2 hours for one session.

 

Can this activity be logged? Reported on?

 

  • By default most of this should be logged already, session established messages, usernames, tunnel start, tunnel end.

     

    Look at the syslog output or the file /var/log/apm while you connect a test user and see if the information you're after is there. Each log message will have a session ID used for correlation.

     

3 Replies

  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account

    By default most of this should be logged already, session established messages, usernames, tunnel start, tunnel end.

     

    Look at the syslog output or the file /var/log/apm while you connect a test user and see if the information you're after is there. Each log message will have a session ID used for correlation.

     

    • RyanDM2_175490's avatar
      RyanDM2_175490
      Icon for Nimbostratus rankNimbostratus

      Thanks. I assume that the if I am sending logging to a SIEM, that it should be able to parse out session length for users.

       

    • Lucas_Thompson_'s avatar
      Lucas_Thompson_
      Historic F5 Account

      Temporally, yes. That's just a matter of subtracting the timestamps.

       

      Alternatively you could use the irule ACCESS_SESSION_COMPLETED event that fires when a session is destroyed, and subtract "session.user.starttime" from the current unix epoch time, then convert that to a human-readable value and log the result.

       

      Helpfully APM will also log the bytes in/out for that user session.