Occasionally I'll post something here for the sole purpose of giving myself a point of reference for future configurations, or to simply fluff my post count since they're so infrequent. That being said...
To configure email alerts for AnyConnect client activity on the ASA platform...
Enable logging with timestamps.
logging enable
logging timestamp
By default, syslog messages will mask the username in the event of a failed authentication attempt. I prefer to log the username of the failed authentication.
no logging hide username
Create a list of syslog messages that should trigger email alerts.
logging list VPN-EVENTS message 113005
logging list VPN-EVENTS message 113019
logging list VPN-EVENTS message 113039

| Message ID | Description |
|---|---|
| 113005 | AAA authentication on a connection has failed. |
| 113019 | AnyConnect session ended. |
| 113039 | AnyConnect session started. |
Define the sender and recipient addresses, referencing the configured logging list.
Note: Substitute the addresses with those that are valid for the environment.
logging mail VPN-EVENTS
logging from-address email@example.com
logging recipient-address firstname.lastname@example.org level informational
Define the email server.
smtp-server DMZ 172.31.222.11
An email will be sent to the defined recipient address whenever an AnyConnect VPN client connects, disconnects, or fails authentication.
Full config example:
logging enable
logging timestamp
no logging hide username
logging list VPN-EVENTS message 113005
logging list VPN-EVENTS message 113019
logging list VPN-EVENTS message 113039
logging mail VPN-EVENTS
logging from-address email@example.com
logging recipient-address firstname.lastname@example.org level informational
smtp-server DMZ 172.31.222.11
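To confirm that a saved configuration carries every piece of the procedure above, a small audit script can cross-check the `logging mail` target against the `logging list` entries and flag anything missing. This is an added example, not part of the original post: the function name `audit_mail_alerts` and the sample config are constructed for illustration, and it assumes one command per line, as in `show running-config` output.

```python
import re

# Syslog IDs the post alerts on: failed auth, session ended, session started.
REQUIRED_IDS = (113005, 113019, 113039)

def audit_mail_alerts(config_text):
    """Return findings for an ASA config; an empty list means the chain is complete."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    ranges = {}          # logging list name -> [(first_id, last_id), ...]
    mail_target = None   # list name given to 'logging mail'
    for ln in lines:
        m = re.fullmatch(r"logging list (\S+) message (\d+)(?:-(\d+))?", ln)
        if m:
            first = int(m.group(2))
            ranges.setdefault(m.group(1), []).append((first, int(m.group(3) or first)))
        m = re.fullmatch(r"logging mail (\S+)", ln)
        if m:
            mail_target = m.group(1)

    def has(prefix):
        return any(ln == prefix or ln.startswith(prefix + " ") for ln in lines)

    for cmd in ("logging enable", "logging timestamp", "logging from-address",
                "logging recipient-address", "smtp-server"):
        if not has(cmd):
            findings.append("missing: " + cmd)
    if not has("no logging hide username"):
        findings.append("usernames masked: 'no logging hide username' not set")
    if mail_target is None:
        findings.append("missing: logging mail")
    elif mail_target not in ranges:
        findings.append("logging mail references undefined list " + mail_target)
    else:
        findings += ["list %s lacks message %d" % (mail_target, i) for i in REQUIRED_IDS
                     if not any(lo <= i <= hi for lo, hi in ranges[mail_target])]
    return findings

# Constructed sample: the post's config with two lines dropped on purpose.
SAMPLE = """
logging enable
logging timestamp
logging list VPN-EVENTS message 113005
logging list VPN-EVENTS message 113039
logging mail VPN-EVENTS
logging from-address email@example.com
logging recipient-address firstname.lastname@example.org level informational
smtp-server DMZ 172.31.222.11
"""
```

Calling `audit_mail_alerts(SAMPLE)` reports the masked usernames and the missing 113019 entry; the full config from the post returns an empty list.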