Cisco AnyConnect VPN
Cisco ASA AnyConnect SSL VPN — session lifecycle from RADIUS authentication through tunnel establishment, IP assignment, DAP policy evaluation, session roaming between gateways, to graceful disconnection.
Quick Start
```bash
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/vpn-cisco-anyconnect/generator.yml \
  --id vpn \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| 722022 | SVC Tunnel Established | ~20.1% | network |
| 722023 | SVC Tunnel Terminated | ~19% | network |
| 113039 | AnyConnect Session Started | ~11.2% | network |
| 722051 | IPv4 Address Assigned | ~11.2% | network |
| 734001 | DAP Records Selected | ~11.2% | authentication |
| 113004 | AAA Auth Successful | ~11.2% | authentication |
| 113019 | Session Disconnected with Stats | ~6.7% | network |
| 716002 | WebVPN Session Terminated | ~5.6% | network |
| 716058 | Session Lost Connection | ~1.7% | network |
| 716059 | Session Resumed from New IP | ~1.3% | network |
| 113005 | AAA Auth Rejected | ~0.9% | authentication |
Realism Features
- Correlated VPN sessions — session start (113039) produces context consumed by disconnect (113019)
- Correlated tunnels — established (722022) and terminated (722023) share protocol and user
- Session roaming — lost sessions (716058) correlated with resume (716059), 40% IP change
- Disconnect reasons — User Requested (45%), Idle Timeout (25%), Max Time Exceeded (8%)
- 12 Cisco Secure Client versions across Windows, macOS, and Linux
- Multiple tunnel groups and group policies — CorpVPN, EMPLOYEE_VPN, CONTRACTOR_VPN
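
The lost/resume correlation above is what a roaming detection would key on. The following is an added example, not part of the content pack: it pairs each 716059 resume with the same user's pending 716058 loss and reports resumes from a different source IP, plus resumes with no preceding loss. It assumes 716058/716059 events carry the same `event.code`, `source.ip` and `source.user.name` fields as the 113039 sample on this page; the events, users and the `find_roaming` name are constructed for illustration.

```python
import json
from datetime import datetime

LOST, RESUMED = "716058", "716059"

# Constructed sample events (NDJSON). Assumption: 716058/716059 events carry
# the same fields as the 113039 sample on this page.
SAMPLE = """\
{"@timestamp":"2026-02-21T14:32:18+00:00","event":{"code":"113039"},"source":{"ip":"198.51.100.42","user":{"name":"jsmith"}}}
{"@timestamp":"2026-02-21T14:40:02+00:00","event":{"code":"716058"},"source":{"ip":"198.51.100.42","user":{"name":"jsmith"}}}
{"@timestamp":"2026-02-21T14:41:10+00:00","event":{"code":"716058"},"source":{"ip":"198.51.100.77","user":{"name":"adoe"}}}
{"@timestamp":"2026-02-21T14:41:30+00:00","event":{"code":"716059"},"source":{"ip":"192.0.2.15","user":{"name":"jsmith"}}}
{"@timestamp":"2026-02-21T14:42:00+00:00","event":{"code":"716059"},"source":{"ip":"198.51.100.77","user":{"name":"adoe"}}}
{"@timestamp":"2026-02-21T14:50:00+00:00","event":{"code":"716059"},"source":{"ip":"203.0.113.99","user":{"name":"mlee"}}}
"""


def find_roaming(ndjson):
    """Pair each 716059 resume with the user's pending 716058 loss.

    Returns (ip_changes, orphan_resumes): resumes from a different IP than
    the one the session was lost on, and users who resumed with no loss seen.
    """
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    events.sort(key=lambda e: datetime.fromisoformat(e["@timestamp"]))
    pending, ip_changes, orphans = {}, [], []
    for ev in events:
        code = ev["event"]["code"]
        user = ev["source"]["user"]["name"]
        ip = ev["source"]["ip"]
        ts = datetime.fromisoformat(ev["@timestamp"])
        if code == LOST:
            pending[user] = (ts, ip)  # remember when and where the session dropped
        elif code == RESUMED:
            lost = pending.pop(user, None)
            if lost is None:
                orphans.append(user)  # resume without a correlated loss
            elif lost[1] != ip:
                ip_changes.append({
                    "user": user, "old_ip": lost[1], "new_ip": ip,
                    "gap_seconds": (ts - lost[0]).total_seconds(),
                })
    return ip_changes, orphans


if __name__ == "__main__":
    print(find_roaming(SAMPLE))
```

Run against generator output, the share of resumes that change IP should sit near the 40% the pack advertises, which makes it a baseline for tuning a roaming alert threshold.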
Sample Output
```json
{
  "@timestamp": "2026-02-21T14:32:18.000000+00:00",
  "event": {
    "action": "client-vpn-connected",
    "category": ["network", "session"],
    "code": "113039",
    "dataset": "cisco_asa.log",
    "outcome": "success"
  },
  "source": {
    "ip": "198.51.100.42",
    "user": { "group": { "name": "GP_AnyConnect" }, "name": "jsmith" }
  },
  "observer": {
    "hostname": "ASA-FW-01",
    "product": "asa",
    "type": "firewall",
    "vendor": "Cisco"
  }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | ASA-FW-01 | ASA device hostname |
| domain | corp.example.com | Domain for FQDN |
| vpn_pool_network | 10.10.10 | VPN IP pool /24 prefix |
| asa_ip | 203.0.113.1 | ASA outside IP address |
| agent_id | a1b2c3d4-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
Related Generators
Nginx Access & Error Logs
Nginx reverse proxy and web server — access logs with upstream timing, error logs with module context, bot/crawler traffic, scanner probes, and correlated 4xx/5xx error entries.
Apache HTTP Server
Apache httpd access and error logs — page/asset/API requests, bot crawlers (Googlebot, GPTBot), scanner probes, 3xx redirects, and correlated 4xx/5xx error log entries with module context.
Citrix NetScaler Gateway VPN
Citrix ADC / NetScaler Gateway VPN syslog events covering the full SSL VPN session lifecycle — authentication, login/logout, ICA application launches, TCP/UDP connection statistics, HTTP resource access, client security checks, session timeouts, and license limit alerts.