Calcule elapsed time of a VPN user

Hi,
What is the best way to calculate the duration or elapsed time of a VPN user trough the logs?. I had thought of it as a timestamp difference.
Format Message:

Jun 7, 2020 @ 18:11:22.165 message:
pptp,ppp,info <pptp-vpn_xxx>: connected
type:
syslog
@version:
1
@timestamp:
Jun 7, 2020 @ 18:11:22.165
host:
xxx
tags:
_jsonparsefailure
_id:
LNyfkHIBeL2CFmRHqQub
_type:
_doc
_index:
logstash-2020.05.29-000001
_score:

Jun 7, 2020 @ 20:01:18.403 message:

pptp,ppp,info <pptp-vpn_xxx>: disconnected
type:
syslog
@version:
1
@timestamp:
Jun 7, 2020 @ 20:01:18.403
host:
xxx
tags:
_jsonparsefailure
_id:
DNwEkXIBeL2CFmRHUBUr
_type:
_doc
_index:
logstash-2020.05.29-000001
_score:

Thaks!.

You could use an aggregate filter. See example 3 in the documentation.

Make sure you set pipeline.workers to 1 and disable java_execution, otherwise events get processed out of order.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.