vpn-report.pl -- a log monitoring tool for syslog'ed Cisco VPN concentrator logs.
Currently, it's a little rough, but it serves the purpose and is suitable for use in cron.daily.
It takes its input from STDIN, and its output looks like:
---
Authentication Failures:
Douglas Shaftoe Logon Failure -- 1 times
Aug 5 16:55:47 - aaa.bbb.ccc.255
Hal Kubrik Account disabled or locked -- 4 times
Aug 5 07:34:26 - xxx.yyy.zzz.254
Aug 5 07:34:29 - xxx.yyy.zzz.254
Aug 5 07:45:06 - xxx.yyy.zzz.254
Aug 5 08:14:41 - xxx.yyy.zzz.254
Logon Failure -- 10 times
Aug 5 07:17:46 - xxx.yyy.zzz.254
Aug 5 07:17:52 - xxx.yyy.zzz.254
Aug 5 07:17:55 - xxx.yyy.zzz.254
Aug 5 07:18:51 - xxx.yyy.zzz.254
Aug 5 07:18:55 - xxx.yyy.zzz.254
Aug 5 08:11:46 - xxx.yyy.zzz.254
Aug 5 08:11:48 - xxx.yyy.zzz.254
Aug 5 08:12:12 - xxx.yyy.zzz.254
Aug 5 08:12:15 - xxx.yyy.zzz.254
Aug 5 08:12:17 - xxx.yyy.zzz.254
---
Authentication Successes:
Hiro Protagonist
1: b_group (Aug 5 09:39:32 - Aug 5 18:59:08, 9:19:37)
ddd.eee.fff.3 <-> 10.0.0.207 15600320 sent, 3511480 received, User Requested
Peter North
1: (yesterday - Aug 5 01:57:45, 10:57:03)
ggg.hhh.iii.54 <-> 71327088 sent, 3167312 received, Lost Service
2: c_group (Aug 5 10:19:07 - Aug 5 20:28:56, 10:09:51)
ggg.hhh.iii.54 <-> 10.0.0.213 3092248 sent, 1167472 received, Lost Service
3: c_group (Aug 5 22:41:15 - ongoing)
ggg.hhh.iii.54 <-> 10.0.0.201
Phoebe Katz
1: a_group (Aug 5 18:03:15 - ongoing)
jjj.kkk.lll.253 <-> 10.0.0.198
It still has a few to-dos. Send requests to howellc at this domain if one of them is a
must-have for you and I'll probably turn it around in a day or two. They are:
- Add support for multiple concentrators
- Add back-calculation of session start for sessions which began on the previous day (currently, these begin generically "yesterday")
- Add description of the time period covered to the beginning of the report
- Command-line file specification.
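
Until the back-calculation to-do is done in the tool, the start of a "yesterday" session can be estimated from the report text itself by subtracting the reported duration from the end time. The following is an added example, not part of vpn-report.pl; the function names and the year argument are assumptions (syslog timestamps carry no year), and the line format is the one shown in the sample report above.

```python
import re
from datetime import datetime, timedelta

# Session line format taken from the sample report, e.g.
#   "1: (yesterday - Aug 5 01:57:45, 10:57:03)"
#   "3: c_group (Aug 5 22:41:15 - ongoing)"
SESSION_RE = re.compile(
    r"^\d+:\s*(?P<group>[^\s(]*)\s*"
    r"\((?P<start>.+?) - (?P<end>.+?)(?:, (?P<dur>\d+:\d{2}:\d{2}))?\)$"
)

def parse_stamp(text, year):
    # Syslog timestamps have no year; the caller supplies it (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def resolve_session(line, year):
    """Return group/start/end for one session line, or None if it is not one.

    A "yesterday" start is replaced by end minus the reported duration and
    flagged as estimated: in the sample report the duration differs from the
    timestamp difference by a second or two, so the result is approximate.
    """
    m = SESSION_RE.match(line.strip())
    if not m:
        return None
    start, end, dur = m.group("start", "end", "dur")
    out = {"group": m.group("group"), "start": None, "end": None,
           "estimated": False}
    if end != "ongoing":
        out["end"] = parse_stamp(end, year)
    if start != "yesterday":
        out["start"] = parse_stamp(start, year)
    elif out["end"] is not None and dur:
        h, mi, s = (int(p) for p in dur.split(":"))
        out["start"] = out["end"] - timedelta(hours=h, minutes=mi, seconds=s)
        out["estimated"] = True
    return out

if __name__ == "__main__":
    # Lines copied from the sample report above; the year is constructed.
    for sample in ("1: (yesterday - Aug 5 01:57:45, 10:57:03)",
                   "2: c_group (Aug 5 10:19:07 - Aug 5 20:28:56, 10:09:51)",
                   "3: c_group (Aug 5 22:41:15 - ongoing)"):
        print(resolve_session(sample, 2024))
```

Because the end timestamp is parsed with an explicit year, a session that ends on Jan 1 resolves to a start in the previous year without special handling.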