I know this is a little old, but I believe I've done something similar to you and the way I did this is with an iRule sending data directly to a custom syslog parser on PA.
The main issue I've found is that for whatever reason, you cannot access the VPN client IP via methods I would have thought useful (ACCESS_POLICY_AGENT_EVENT or ACCESS_POLICY_COMPLETED) as it's not available until after these events have been completed.
The only way I'm aware of to do this is referenced in this article: https://support.f5.com/kb/en-us/solutions/public/12000/700/sol12706.html
Essentially, you need to tie this iRule to your APM VIP:
    when CLIENT_ACCEPTED {
        # Allow iRule events to fire on this APM virtual server
        ACCESS::restrict_irule_events disable
    }

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/myvpn?sess=" } {
            # The session variables are not populated yet at this point; wait 5 s before reading them
            after 5000 {
                set user [ACCESS::session data get "session.logon.last.username"]
                set vpnip [ACCESS::session data get "session.assigned.clientip"]
                # Send the mapping to the remote syslog host (x.x.x.x = your PA's syslog listener)
                log x.x.x.x "F5_PA_UID_Event uid:$user vpnip:$vpnip"
            }
        }
    }
With this you can set up a custom syslog parser on your PA(s) and map the user to the VPN assigned IP.
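As an added example (not part of the reply above and not Palo Alto's own parser), a small Python stand-in for the PA-side syslog parser: it extracts the uid/vpnip pair from the F5_PA_UID_Event message the iRule emits, discards events where the session variables were still empty or the IP is malformed, and keeps the latest user seen for each VPN-assigned IP. The syslog headers on the sample lines are constructed, not a captured BIG-IP log.

```python
import ipaddress
import re

# Message body the iRule logs: "F5_PA_UID_Event uid:<user> vpnip:<ip>".
# \S* rather than \S+ so that lines with empty values still match and are rejected explicitly.
UID_EVENT_RE = re.compile(r"F5_PA_UID_Event\s+uid:(?P<uid>\S*)\s+vpnip:(?P<vpnip>\S*)")

# Constructed sample syslog lines; the header is illustrative, not a real BIG-IP capture.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 bigip1 tmm[1234]: F5_PA_UID_Event uid:alice vpnip:10.20.0.5",
    "<134>Jan 10 12:00:03 bigip1 tmm[1234]: F5_PA_UID_Event uid: vpnip:",  # session data not ready
    "<134>Jan 10 12:00:07 bigip1 tmm[1234]: F5_PA_UID_Event uid:bob vpnip:10.20.0.6",
    "<134>Jan 10 12:00:09 bigip1 tmm[1234]: F5_PA_UID_Event uid:dave vpnip:not-an-ip",  # malformed
    "<134>Jan 10 12:05:00 bigip1 tmm[1234]: F5_PA_UID_Event uid:carol vpnip:10.20.0.5",  # IP reused
    "<134>Jan 10 12:05:02 bigip1 tmm[1234]: unrelated message",
]


def parse_uid_event(line):
    """Return (uid, vpnip) for a usable event, else None.

    Rejects lines without the event, events whose session variables were
    still empty when the iRule read them (5 s delay too short), and
    vpnip values that are not a valid IP address.
    """
    m = UID_EVENT_RE.search(line)
    if m is None:
        return None
    uid, vpnip = m.group("uid"), m.group("vpnip")
    if not uid or not vpnip:
        return None
    try:
        ipaddress.ip_address(vpnip)
    except ValueError:
        return None
    return uid, vpnip


def build_user_ip_map(lines):
    """Map VPN-assigned IP -> username; a later event for the same IP
    overwrites the earlier one, since pool addresses get reused."""
    mapping = {}
    for line in lines:
        parsed = parse_uid_event(line)
        if parsed is not None:
            uid, vpnip = parsed
            mapping[vpnip] = uid
    return mapping
```

Run it over a syslog capture from the BIG-IP to see which events the PA parser would actually be able to turn into user-ID mappings, and how many arrive with empty session data.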