How to get connected vpn users



I am new to ELK and cannot find a good way to do the following (nor the keywords to search the documentation for...):

I have an index with my ASA VPN logs.

When a user connects we get a "login" log, and a "logout" log when they disconnect.

I am trying to make a query to get all connected users.

It seems to me that I need to build a query looking for the "login" logs where there is no "logout" log afterwards yet.
(The ID identifying each log would be the username & IP of the user.)

Is it possible to build such a query with Elasticsearch?

I would really appreciate it if someone could tell me in what direction to look in the documentation.

Best Regards,

(Mark Harwood) #2

See List the active users using login and logged out events
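The pairing logic the question describes (session key = username + source IP, "connected" = latest event for that key is a login), as an added example that is not from this thread or the linked topic. It computes the result locally over constructed events and also builds an Elasticsearch aggregation body that keeps only the newest document per key so a client can apply the same filter; the field names `user`, `src_ip`, `event` and `@timestamp` are assumptions.

```python
"""Currently connected VPN users from login/logout events (added example)."""
from datetime import datetime

# Constructed sample events, deliberately out of order: an index gives no
# ordering guarantee, so decide by timestamp, not by document position.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T08:00:00Z", "user": "alice", "src_ip": "203.0.113.10", "event": "login"},
    {"@timestamp": "2024-05-01T08:30:00Z", "user": "bob",   "src_ip": "203.0.113.11", "event": "login"},
    {"@timestamp": "2024-05-01T09:00:00Z", "user": "bob",   "src_ip": "203.0.113.11", "event": "logout"},
    {"@timestamp": "2024-05-01T07:45:00Z", "user": "carol", "src_ip": "198.51.100.5", "event": "login"},
    {"@timestamp": "2024-05-01T07:50:00Z", "user": "carol", "src_ip": "198.51.100.5", "event": "logout"},
    {"@timestamp": "2024-05-01T09:10:00Z", "user": "carol", "src_ip": "198.51.100.5", "event": "login"},
    # alice also connected from a second IP: each (user, ip) pair is its own session
    {"@timestamp": "2024-05-01T09:20:00Z", "user": "alice", "src_ip": "203.0.113.12", "event": "login"},
]


def _ts(ev):
    # "Z" suffix is not accepted by fromisoformat on older Pythons
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))


def connected_users(events):
    """Return sorted (user, ip) pairs whose most recent event is a login."""
    latest = {}
    for ev in events:
        key = (ev["user"], ev["src_ip"])
        if key not in latest or _ts(ev) > _ts(latest[key]):
            latest[key] = ev
    return sorted(k for k, ev in latest.items() if ev["event"] == "login")


def active_sessions_query(page_size=1000):
    """Elasticsearch request body (assumed field names): one composite bucket
    per (user, src_ip), each carrying only its newest document via top_hits.
    The client then keeps the buckets whose single hit has event == "login",
    paging with the returned after_key until the buckets run out."""
    return {
        "size": 0,
        "aggs": {"sessions": {
            "composite": {"size": page_size, "sources": [
                {"user": {"terms": {"field": "user"}}},
                {"src_ip": {"terms": {"field": "src_ip"}}}]},
            "aggs": {"last": {"top_hits": {
                "size": 1,
                "_source": ["event", "@timestamp"],
                "sort": [{"@timestamp": {"order": "desc"}}]}}}}},
    }


if __name__ == "__main__":
    for user, ip in connected_users(SAMPLE_EVENTS):
        print(f"{user} connected from {ip}")
```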
