ASA Email Notifications - AnyConnect VPN

Occasionally I'll post something here for the sole purpose of giving myself a point of reference for future configurations, or to simply fluff my post count since they're so infrequent. That being said...

To configure email alerts for AnyConnect client activity on the ASA platform...

1. Enable logging with timestamps.

   logging enable
   logging timestamp
   

2. By default, syslog messages will mask the username in the event of a failed authentication attempt. I prefer to log the username of the failed authentication.

   no logging hide username
   

3. Create a list of syslog messages that should trigger email alerts.

   logging list VPN-EVENTS message 113005
   logging list VPN-EVENTS message 113019
   logging list VPN-EVENTS message 113039
   

   Message ID	Description
   113005	AAA authentication on a connection has failed.
   113019	AnyConnect session ended.
   113039	AnyConnect session started.

4. Define the sender and recipient addresses, referencing the configured logging list VPN-EVENTS.

   Subtitute the addresses with those that are valid for the environment.

   logging mail VPN-EVENTS
   logging from-address anyconnect@example.com
   logging recipient-address helpdesk@example.com level informational
   

5. Define the email server.

   smtp-server DMZ 172.31.222.11
   

An email will be sent to the defined recipient address whenever an AnyConnect VPN client connects, disconnects, or fails authentication.

Expand for full config example

logging enable
logging timestamp
no logging hide username

logging list VPN-EVENTS message 113005
logging list VPN-EVENTS message 113019
logging list VPN-EVENTS message 113039

logging mail VPN-EVENTS
logging from-address anyconnect@example.com
logging recipient-address helpdesk@example.com level informational

smtp-server DMZ 172.31.222.11 

Comments