Remote Access VPN Log Formats
The Cisco Secure Access remote access virtual private network (VPN) logs show the VPN session connection events, which are managed by the Secure Access VPN services. Some relevant fields to aid debugging and trouble-shooting VPN sessions include:
- Display Username for Failed Events – Significantly improves how quickly issues can be tracked and addressed.
- ASA Syslog Message ID Extraction Support – Offers detailed insights by identifying the specific sys-log messages used in the remote access logs.
- Device ID – Includes the device ID with every event, providing critical help to network administrators in numerous ways.
- Failed Events for Posture – Provides vital information for effective triage during failed connection attempts.
For information about the size of a log file, see Estimate the Size of a Log.
Table of Contents
Examples
Connect VPN Log Sample
A sample Secure Access VPN log that describes a CONNECTED event.
anyConnectVersion,awsRegion,eventType,failedReasons,hostname,mspOrganizationId,organizationId,originId,originType,retentionDays,storageLocation,userId,osVersion,session,assignedIp,connectedAt,disconnectionReason,id,publicIp,sessionType,vpnProfile,timestamp
5.0.02075,us-east-1a,"CONNECTED","",sfcn-cnfwentry-enforcer-7bb6b8b4cb-tg7pk,"",8146831,1234828840,7,365,us,[email protected],Windows 10.0.22621,com.cisco.umbrella.sfcn.ravpn.Session,10.10.0.1,"","",3,64.103.40.29,TLS,Okta1,2023-09-13T11:53:44Z
Disconnect VPN Log Sample
A sample Secure Access VPN log that describes a DISCONNECTED event.
anyConnectVersion,awsRegion,eventType,failedReasons,hostname,mspOrganizationId,organizationId,originId,originType,retentionDays,storageLocation,userId,osVersion,session,assignedIp,connectedAt,disconnectionReason,id,publicIp,sessionType,vpnProfile,timestamp
5.0.02075,us-east-1a,"DISCONNECTED","",sfcn-cnfwentry-enforcer-7bb6b8b4cb-tg7pk,"",8146831,1234828840,7,365,us,[email protected],Windows 10.0.22621,com.cisco.umbrella.sfcn.ravpn.Session,10.10.0.1,2023-09-13T11:53:44Z,User Requested,3,64.103.40.29,TLS,Okta1,2023-09-13T11:54:08Z
Authorization Check Failure VPN Log Sample
A sample Secure Access VPN log that describes an AUTHORIZATION-CHECK event.
anyConnectVersion,awsRegion,eventType,failedReasons,hostname,mspOrganizationId,organizationId,originId,originType,retentionDays,storageLocation,userId,osVersion,session,assignedIp,connectedAt,disconnectionReason,id,publicIp,sessionType,vpnProfile,timestamp
"",us-east-1a,FAILED,"AUTHORIZATION-CHECK",sfcn-cnfwentry-enforcer-7bb6b8b4cb-tg7pk,"",8146831,"","",365,us,[email protected],"",2023-09-13T11:51:53Z
Certificate Authorization Check Failure VPN Log Sample
A sample Secure Access VPN log that describes a CERT-AUTH-CHECK event.
anyConnectVersion,awsRegion,eventType,failedReasons,hostname,mspOrganizationId,organizationId,originId,originType,retentionDays,storageLocation,userId,osVersion,session,assignedIp,connectedAt,disconnectionReason,id,publicIp,sessionType,vpnProfile,timestamp
"",us-east-1a,FAILED,"CERT-AUTH-CHECK",sfcn-cnfwentry-enforcer-7bb6b8b4cb-tg7pk,"",8146831,"","",365,us,"","","",2023-09-13T12:05:05Z
Order of Fields in the RAVPN Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string (""
) in the log.
V9 Log Format
The CSV fields in the header row of the RAVPN logs.
timestamp,hostname,aws region,event type,origin ids,origin type,user id,organization id,retention days,storage location,msp organization,session id,session type,vpn profile,public ip,assigned ip,connected at,disconnection reason,os version,anyconnect version
-
timestamp—The date and time of the VPN event, expressed as a UTC-formatted string.
-
hostname—The fully-qualified domain name (FQDN) of the user device or virtual machine (VM) that generates the events.
-
aws region—The AWS region that stores your VPN logs.
-
event type—The label that describes the type of event. Valid values are: CONNECTED, DISCONNECTED, FAILED, or UNKNOWN.
-
origin ids—The internal IP address of the device that connected to the Secure Access remote VPN services.
-
origin type—The type of device connected to the Secure Access VPN services.
-
user id—The ID of the VPN user. The ID is the email address associated with the user account.
-
organization id—The Secure Access organization ID.
-
retention days—The number of days that AWS S3 stores your Secure Access VPN log.
-
storage location—The two-character label that identifies the location of your Cisco-managed VPN logs. Configure the storage location on Secure Access for your organization. The storage location options are: eu or us.
-
msp organization—The Secure Access managed organization ID.
-
session id—The unique ID of the VPN session.
-
session type—The protocol used by the device with the VPN session, for example: TLS.
-
vpn profile—The name of the VPN connection profile that establishes a VPN session.
-
public ip—The public IP address of the device with the Cisco Secure Client and VPN module.
-
assigned ip—The IP address assigned to the device with the Cisco Secure Client and VPN module.
-
connected at—The date and time of the start of the initial CONNECTED VPN event for a DISCONNECTED event expressed in milliseconds as a UTC-formatted string.
-
disconnection reason—The description of the VPN disconnected event. The value is
null
for other event types. -
os version—The type and version of the user device's operating system.
-
anyConnect version—The version of the Cisco Secure Client with the VPN module.
IPS Log Formats < Remote Access VPN Log Formats > Web Log Formats
Updated 6 months ago