Cisco Anyconnect session logs convert session duration to value that can be summed up

Hi everyone,

I would like to create some statistics for anyconnect sessions.

Raw message :
<164>Jan 1 2021 12:00:00: %ASA-4-113019: Group = dfltgroup, Username = test, IP = 1.1.1.1, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:05m:06s, Bytes xmt: 718698, Bytes rcv: 1009019, Reason: User Requested

I’ve created an extractor to split the message and now have a field that looks like this : asa_anyconnect_session_duration : 0h:05m:06s

To do that I had to create a new GROK filter that looks like this :

DURATION_ANYCONNECT

((?=.)(\d+h):?(\d+m):?(\d*(\.\d+)?s)?)

Now my issue is that I would like to create a report that shows how long a user has been connected over a certain period (sum of session duration over a period of X)

Our Graylog, is running on ubuntu core 18.04.6 LTS in a 2 cluster config, running elastic 6.8.20, and a cluster of mongo DB using version 3.6.23.

any idea ?

thanks

Hello and Welcome back @thanatos

To help you further the community will need some more information about you environment. For a better understanding what we may need from you please take a look here.
Thanks

all edited

Hopefully that give enough context ?

Hello
My apologies I have over looked your post. I normally look for my name being tagged or from a reply.
Have you tried to create a widget? if so, how did you configure it?

I have not used SUM yet on a widget but I have used a percentage of session that users are logged in on the Graylog Web UI within a day. Below is the percentage of time within a day.

image1110×510 18.3 KB

For any calculation or metric I tend to use Zabbix in situation like that.

You may find what is needed here.

https://docs.graylog.org/v1/docs/widgets

hope that helps

Hi,

@gsmith Thanks for the reply and apologies for the late reply for some reason I may have missed the notification.

I guess the complexity that I am trying to solve is about the format of the data :
The data is : 0h:05m:06s

but in order to be useable I need to convert that in a time format but the H, M and S need to be removed.

So what I am looking for is how I can process the raw message as it is being ingested so that I can aggregated it over a period of time.

would it be using pipelines ?

I tried to use pipeline with a simple :
rule “test”
when
has_field(“asa_anyconnect_session_duration”)
then
let asa_duration=$message.asa_anyconnect_session_duration;
//let duration2 = regex("(\d+)h:(\d+)m:(\d+)s",to_string(asa_duration));
//set_field(“duration”, duration2);
debug(asa_duration);
end

but :

1. it doesn’t work
2. I can’t see the debug

any advises ?

thanks

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.