Remote Access VPN Log Formats
The Cisco Secure Access remote access virtual private network (VPN) logs show the VPN session connection events, which are managed by the Secure Access VPN services. Some relevant fields to aid debugging and troubleshooting VPN sessions include:
- Display Username for Failed Events – Significantly improves how quickly issues can be tracked and addressed.
- ASA Syslog Message ID Extraction Support – Offers detailed insights by identifying the specific syslog messages used in the remote access logs.
- Device ID – Includes the device ID with every event, providing critical help to network administrators in numerous ways.
- Failed Events for Posture – Provides vital information for effective triage during failed connection attempts.
For information about the size of a log file, see Estimate the Size of a Log.
Examples
An example v10 Secure Access VPN log of a CONNECTED event.
timestamp,hostname,aws region,event type,origin ids,origin type,user id,organization id,retention days,storage location,msp organization id,session id,session type,vpn profile,public ip,assigned ip,connected at,disconnection reason,os version,anyconnect version,asa syslog id,device id,machine id,public ipv6,assigned ipv6,security group tag,dap record name,dap connection type,failed reasons
"2024-09-11 21:40:51","hostname-example","us-east-1","CONNECTED","[1296793508]","7","example-userid","8236318","365","us","","1486","IKEv2","CiscoSecureAccessVPN","24.123.132.133","10.10.1.100","","","Mac OS X 14.6.1","5.1.2.42","ASA-5-109201","DEVICE-M-L9XH","","n/a","n/a","10","","","[]"
An example v10 Secure Access VPN log of a DISCONNECTED event.
timestamp,hostname,aws region,event type,origin ids,origin type,user id,organization id,retention days,storage location,msp organization id,session id,session type,vpn profile,public ip,assigned ip,connected at,disconnection reason,os version,anyconnect version,asa syslog id,device id,machine id,public ipv6,assigned ipv6,security group tag,dap record name,dap connection type,failed reasons
"2024-09-11 22:28:52","hostname-example","us-east-1","DISCONNECTED","[1290579891]","7","example-userid","8236318","365","us","","1476","TLS","CiscoSecureAccessVPN","24.123.132.133","10.10.1.100","2024-09-11T19:54:05Z","User Requested","Mac OS X 14.6.1","5.0.05040","ASA-4-113019","DEVICE-M-F1PG","","n/a","n/a","10","","","[]"
An example v10 Secure Access VPN log of a failed AUTHORIZATION-CHECK event.
timestamp,hostname,aws region,event type,origin ids,origin type,user id,organization id,retention days,storage location,msp organization id,session id,session type,vpn profile,public ip,assigned ip,connected at,disconnection reason,os version,anyconnect version,asa syslog id,device id,machine id,public ipv6,assigned ipv6,security group tag,dap record name,dap connection type,failed reasons
"2024-09-11 21:40:51","hostname-example","us-east-1","FAILED","[1296793508]","7","example-userid","8236318","365","us","","1486","IKEv2","CiscoSecureAccessVPN","24.123.132.133","10.10.1.100","","","Mac OS X 14.6.1","5.1.2.42","ASA-5-109201","DEVICE-M-L9XH","","n/a","n/a","10","","","["AUTHORIZATION-CHECK"]"
An example Secure Access VPN log of a failed CERT-AUTH-CHECK event.
timestamp,hostname,aws region,event type,origin ids,origin type,user id,organization id,retention days,storage location,msp organization id,session id,session type,vpn profile,public ip,assigned ip,connected at,disconnection reason,os version,anyconnect version,asa syslog id,device id,machine id,public ipv6,assigned ipv6,security group tag,dap record name,dap connection type,failed reasons
"2024-09-11 21:40:51","hostname-example","us-east-1","FAILED","[1296793508]","7","example-userid","8236318","365","us","","1486","IKEv2","CiscoSecureAccessVPN","24.123.132.133","10.10.1.100","","","Mac OS X 14.6.1","5.1.2.42","ASA-5-109201","DEVICE-M-L9XH","","n/a","n/a","10","","","["CERT-AUTH-CHECK"]"
Order of Fields in the RAVPN Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V10 Log Format
The CSV fields in the header row of the RAVPN logs.
timestamp,hostname,aws region,event type,origin ids,origin type,user id,organization id,retention days,storage location,msp organization id,session id,session type,vpn profile,public ip,assigned ip,connected at,disconnection reason,os version,anyconnect version,asa syslog id,device id,machine id,public ipv6,assigned ipv6,security group tag,dap record name,dap connection type,failed reasons
The description of each field and the log version in which each field was released, up to version 10. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version |
---|---|---|
timestamp | The date and time of the RAVPN event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41). Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v9 |
hostname | The fully-qualified domain name (FQDN) of the user device or virtual machine (VM) that generates the events. | v9 |
aws region | The AWS region that stores your VPN logs. | v9 |
event type | The label that describes the type of event. Valid values are: CONNECTED, DISCONNECTED, FAILED, or UNKNOWN. | v9 |
origin ids | The internal IP address of the device that connected to the Secure Access remote VPN services. | v9 |
origin type | The type of device connected to the Secure Access VPN services. | v9 |
user id | The ID of the VPN user. The ID is the email address associated with the user account. | v9 |
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v9 |
retention days | The number of days that AWS S3 stores your Secure Access VPN log. | v9 |
storage location | The two-character label that identifies the location of your Cisco-managed VPN logs. Configure the storage location on Secure Access for your organization. The storage location options are: eu or us. | v9 |
msp organization id | The Secure Access managed organization ID. | v9 |
session id | The unique ID of the VPN session. | v9 |
session type | The protocol used by the device with the VPN session, for example: TLS. | v9 |
vpn profile | The name of the VPN connection profile that establishes a VPN session. | v9 |
public ip | The public IP address of the device with the Cisco Secure Client and VPN module. | v9 |
assigned ip | The IP address assigned to the device with the Cisco Secure Client and VPN module. | v9 |
connected at | For a DISCONNECTED event, the date and time at which the session's initial CONNECTED VPN event started, expressed in milliseconds as a UTC-formatted string. | v9 |
disconnection reason | The description of the VPN disconnected event. The value is null for other event types. | v9 |
os version | The type and version of the user device's operating system. | v9 |
anyconnect version | The version of the Cisco Secure Client with the VPN module. | v9 |
asa syslog id | The ID of the Cisco ASA syslog used to generate this log event. | v10 |
device id | The ID of the device with the Cisco Secure Client and VPN module. | v10 |
machine id | The ID of the client machine used for authentication. | v10 |
public ipv6 | The public IPv6 address of the device with the Cisco Secure Client and VPN module. | v10 |
assigned ipv6 | The IPv6 address assigned to the device with the Cisco Secure Client and VPN module. | v10 |
security group tag | Security group tag matched as a source by a rule. | v10 |
dap record name | The posture profile assessed by Cisco Secure Client HostScan. | v10 |
dap connection type | The RAVPN session connection type. | v10 |
failed reasons | The error codes for failed remote connection requests. | v10 |
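An added example (not Cisco's code) that parses the v10 header and the sample rows shown on this page, groups FAILED events by user and public IP with their reason codes, and computes session length from a DISCONNECTED row. The function names are hypothetical, and treating "n/a" like the empty string is an assumption drawn from the sample rows; the failed reasons value is recovered from the tail of each row because, as printed, its inner quotes are not CSV-escaped.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Header and rows copied from the examples on this page.
SAMPLE = '''timestamp,hostname,aws region,event type,origin ids,origin type,user id,organization id,retention days,storage location,msp organization id,session id,session type,vpn profile,public ip,assigned ip,connected at,disconnection reason,os version,anyconnect version,asa syslog id,device id,machine id,public ipv6,assigned ipv6,security group tag,dap record name,dap connection type,failed reasons
"2024-09-11 21:40:51","hostname-example","us-east-1","CONNECTED","[1296793508]","7","example-userid","8236318","365","us","","1486","IKEv2","CiscoSecureAccessVPN","24.123.132.133","10.10.1.100","","","Mac OS X 14.6.1","5.1.2.42","ASA-5-109201","DEVICE-M-L9XH","","n/a","n/a","10","","","[]"
"2024-09-11 22:28:52","hostname-example","us-east-1","DISCONNECTED","[1290579891]","7","example-userid","8236318","365","us","","1476","TLS","CiscoSecureAccessVPN","24.123.132.133","10.10.1.100","2024-09-11T19:54:05Z","User Requested","Mac OS X 14.6.1","5.0.05040","ASA-4-113019","DEVICE-M-F1PG","","n/a","n/a","10","","","[]"
"2024-09-11 21:40:51","hostname-example","us-east-1","FAILED","[1296793508]","7","example-userid","8236318","365","us","","1486","IKEv2","CiscoSecureAccessVPN","24.123.132.133","10.10.1.100","","","Mac OS X 14.6.1","5.1.2.42","ASA-5-109201","DEVICE-M-L9XH","","n/a","n/a","10","","","["AUTHORIZATION-CHECK"]"
'''
REASON = re.compile(r"[A-Z][A-Z0-9-]+")  # reason codes such as CERT-AUTH-CHECK

def parse_ravpn(text):
    """Yield one dict per event, keyed by the field names in the header row."""
    rows = csv.reader(io.StringIO(text))
    fields = next(rows)
    fixed = len(fields) - 1  # every column except the trailing "failed reasons"
    for row in rows:
        if len(row) <= fixed:
            continue  # blank or truncated line: skip rather than misalign columns
        # Assumption: "n/a" means "no value", like the documented empty string.
        event = {k: (v if v not in ("", "n/a") else None) for k, v in zip(fields, row)}
        # Unescaped quotes in the last column can make csv mangle or split it,
        # so rejoin everything after the fixed columns and extract the codes.
        event["failed reasons"] = REASON.findall(",".join(row[fixed:]))
        yield event

def session_seconds(event):
    """Length of a DISCONNECTED session: timestamp minus connected at (both UTC)."""
    if event["event type"] != "DISCONNECTED" or not event["connected at"]:
        return None
    end = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    start = datetime.fromisoformat(event["connected at"].replace("Z", "+00:00"))
    return int((end - start).total_seconds())

def failures_by_user(events):
    """Map (user id, public ip) to the reason codes seen in FAILED events."""
    out = {}
    for e in events:
        if e["event type"] == "FAILED":
            out.setdefault((e["user id"], e["public ip"]), []).extend(e["failed reasons"])
    return out

if __name__ == "__main__":
    events = list(parse_ravpn(SAMPLE))
    print([session_seconds(e) for e in events])
    print(failures_by_user(events))
```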