Occasionally I'll post something here for the sole purpose of giving myself a point of reference for future configurations, or to simply fluff my post count since they're so infrequent. That being said...
To configure email alerts for AnyConnect client activity on the ASA platform...
Enable logging with timestamps.
logging enable
logging timestamp
By default, the ASA masks the username in syslog messages for failed authentication attempts (`logging hide username` is on). I prefer to log the username of the failed attempt so that the alert is actionable, but be aware of why the default exists: users sometimes type their password into the username field, so with masking disabled a mistyped credential can end up in syslog and in the alert email. Treat the recipient mailbox accordingly.
no logging hide username
Create a list of syslog messages that should trigger email alerts.
logging list VPN-EVENTS message 113005
logging list VPN-EVENTS message 113019
logging list VPN-EVENTS message 113039
| Message ID | Severity | Description |
|---|---|---|
| 113005 | 6 (informational) | AAA user authentication rejected (a failed authentication attempt). |
| 113019 | 4 (warning) | AnyConnect session ended (session disconnected). |
| 113039 | 6 (informational) | AnyConnect parent session started. |
Define the sender and recipient addresses, referencing the configured logging list VPN-EVENTS. The recipient level must be `informational` (6): 113005 and 113039 are level 6 messages, so a stricter level such as `warnings` would deliver only the 113019 disconnect messages.
Note: Substitute the addresses with ones that are valid for the environment.
logging mail VPN-EVENTS
logging from-address anyconnect@example.com
logging recipient-address helpdesk@example.com level informational
Define the SMTP server the ASA will relay through. The ASA sends plain, unauthenticated SMTP to this host, so it should be an internal relay that accepts mail from the ASA's address rather than a public mail provider.
smtp-server DMZ 172.31.222.11
An email will be sent to the defined recipient address whenever an AnyConnect VPN client connects, disconnects, or fails authentication.
Full config example:
logging enable
logging timestamp
no logging hide username
logging list VPN-EVENTS message 113005
logging list VPN-EVENTS message 113019
logging list VPN-EVENTS message 113039
logging mail VPN-EVENTS
logging from-address anyconnect@example.com
logging recipient-address helpdesk@example.com level informational
smtp-server DMZ 172.31.222.11
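The alerts above are only as useful as what is done with them. As an added example (not part of the original post and not Cisco code), the script below parses the three syslog message formats selected by the VPN-EVENTS list, counts failures per source IP, flags sources that fail against several distinct usernames (a password-spray signal), and flags "usernames" that look like a credential typed into the wrong field, which is the risk of `no logging hide username`. The sample lines, the timestamp/hostname prefix, the spray threshold and the username character-class heuristic are all assumptions made for the example.

```python
"""Parse ASA syslog messages 113005, 113019 and 113039 and summarise them.

Added example; the SAMPLE_LINES are constructed, not captured from a real ASA.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines. The "Mar 10 2024 ..." prefix is what `logging
# timestamp` adds; the hostname field depends on how syslog is delivered.
SAMPLE_LINES = [
    "Mar 10 2024 08:01:12 fw01 : %ASA-6-113039: Group <VPN-Users> User <alice> "
    "IP <198.51.100.10> AnyConnect parent session started.",
    "Mar 10 2024 08:02:30 fw01 : %ASA-6-113005: AAA user authentication Rejected : "
    "reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.7",
    "Mar 10 2024 08:02:41 fw01 : %ASA-6-113005: AAA user authentication Rejected : "
    "reason = User was not found : server = 10.0.0.5 : user = carol : user IP = 203.0.113.7",
    "Mar 10 2024 08:02:52 fw01 : %ASA-6-113005: AAA user authentication Rejected : "
    "reason = User was not found : server = 10.0.0.5 : user = dave : user IP = 203.0.113.7",
    "Mar 10 2024 08:03:05 fw01 : %ASA-6-113005: AAA user authentication Rejected : "
    "reason = User was not found : server = 10.0.0.5 : user = Summer2024! : user IP = 198.51.100.22",
    "Mar 10 2024 08:45:03 fw01 : %ASA-4-113019: Group = VPN-Users, Username = alice, "
    "IP = 198.51.100.10, Session disconnected. Session Type: SSL, Duration: 0h:43m:51s, "
    "Bytes xmt: 184320, Bytes rcv: 90112, Reason: User Requested",
]

# Locates the "%ASA-<severity>-<id>:" tag anywhere in the line.
ID_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")

# Field layouts of the three message bodies.
BODY_RE = {
    "113005": re.compile(
        r"reason = (?P<reason>.*?) : server = (?P<server>\S+) : "
        r"user = (?P<user>.*?) : user IP = (?P<ip>\S+)"),
    "113019": re.compile(
        r"Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), IP = (?P<ip>[^,]*), "
        r"Session disconnected\. Session Type: (?P<type>[^,]*), Duration: (?P<duration>[^,]*), "
        r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.*)"),
    "113039": re.compile(
        r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
        r"AnyConnect parent session started"),
}

# Heuristic (assumption): anything outside this set is unlikely to be a real
# username and may be a password typed into the username field.
USERNAME_OK = re.compile(r"^[A-Za-z0-9._@\\-]+$")


def parse_line(line):
    """Return a dict of fields for a known message, or None for anything else."""
    m = ID_RE.search(line)
    if not m:
        return None
    body_re = BODY_RE.get(m.group("id"))
    if body_re is None:
        return None
    b = body_re.search(m.group("body"))
    if b is None:
        return None
    event = {"id": m.group("id"), "severity": int(m.group("sev"))}
    event.update(b.groupdict())
    return event


def summarize(lines, spray_threshold=3):
    """Summarise session starts/ends and failed logins from raw syslog lines."""
    events = [e for e in map(parse_line, lines) if e]
    failures = [e for e in events if e["id"] == "113005"]
    fails_by_ip = Counter(e["ip"] for e in failures)
    users_by_ip = defaultdict(set)
    for e in failures:
        users_by_ip[e["ip"]].add(e["user"])
    return {
        "events": len(events),
        "started": [e["user"] for e in events if e["id"] == "113039"],
        "ended": [e["user"] for e in events if e["id"] == "113019"],
        "failures_by_ip": dict(fails_by_ip),
        # One source failing against many different accounts looks like spraying.
        "possible_spray": sorted(ip for ip, u in users_by_ip.items()
                                 if len(u) >= spray_threshold),
        # Only visible because `no logging hide username` is configured.
        "possible_credential_in_username": sorted(
            e["user"] for e in failures if not USERNAME_OK.match(e["user"])),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feed it real lines from the syslog collector (or the bodies of the alert emails) instead of SAMPLE_LINES; the spray threshold and the username heuristic should be tuned to the environment's naming conventions.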