So after reviewing a number of Q&As on this site, I created the following search to track currently logged on VPN users:
source="vpn.log" EventType="BROKER_USERLOGGEDIN" | eval n=strftime(_time, "%d-%m-%Y %H:%M:%S") | join UserDisplayName [ search source="vpn.log" EventType="BROKER_MACHINE_ALLOCATED" ] | search NOT [search source="vpn.log" EventType="BROKER_USERLOGGEDOUT" | table UserDisplayName] | iplocation ClientIpAddress | table n,UserDisplayName, MachineName, ClientIpAddress, Country
This gives me a very nice table of users currently logged on, when they logged on, machine name, remote IP and the country of the IP.
BUT there is a flaw. If, during the time parameters of the search, a user logs on, logs off, then logs back on, that user is not shown in the final table even though they are currently logged on.
How do I correct that problem? Ideally, I could use some sort of session ID, but our VPN doesn't provide that in a log.
Thanks
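One way to handle the log-on, log-off, log-on case is to keep only each user's most recent log-in or log-out event and then filter on its type, instead of excluding every user who has any log-out in the window. This is an added example, not the original poster's search; it assumes the same source, EventType values and field names as the search above, and that events arrive in the default most-recent-first order.

```spl
source="vpn.log" (EventType="BROKER_USERLOGGEDIN" OR EventType="BROKER_USERLOGGEDOUT")
| dedup UserDisplayName
| where EventType="BROKER_USERLOGGEDIN"
| eval n=strftime(_time, "%d-%m-%Y %H:%M:%S")
| join UserDisplayName [ search source="vpn.log" EventType="BROKER_MACHINE_ALLOCATED" | dedup UserDisplayName ]
| iplocation ClientIpAddress
| table n, UserDisplayName, MachineName, ClientIpAddress, Country
```

`dedup` keeps the first event it sees per user, which is the latest one in a default search, so the `where` clause keeps exactly those users whose most recent state change was a log-in; the `dedup` in the subsearch likewise pairs each user with their latest machine allocation rather than an older one.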