4 Replies Latest reply on Feb 4, 2013 3:48 AM by japie

    Juniper VPN Displaying Concurrent Users Logged On

    japie

      Hi Guys

       

      I am new with Mcafee Nitro SIEM, so hope someone could possibly direct me in the right direction here, we are creating a custom  Dashboard for Juniper VPN and one of the objectives is to display Concurrent users logged in at anytime and to track usage to monitor the  licenses we have and load on the devices.

       

      I have played around with this but can't seem to figure out how to display the correct number of users, please see below event from the drill down:

       

      <134>Juniper: 2013-01-29 08:00:07 System()[] - Number of concurrent users logged in to the device: 229

       

      When I set up a usuage display and filter on this spesific signature ID it SUM's the event count from what I understand, but essentially  I just want to grep that number and display it, and also include in monthly usage report, has anyone done something similiar?

       

      Thanks

      J

        • 1. Re: Juniper VPN Displaying Concurrent Users Logged On

          Hi japie,

           

          The REC collects the events from the Juniper device and then reports them up to the ESM. In the ESM view it will display those events.

           

          You can create a new view and drag down a bar chart > then you could select either source user or summary and click next. from there you could add the signature ID in the filter and it would show either the Source Users or total number of that event we have collected.

           

           

          Image 004 01-31-2013.jpg

          • 2. Re: Juniper VPN Displaying Concurrent Users Logged On
            japie

            Hi Aaron

             

            Thanks for your response but I can't get the Bar display to show me the correct concurrent users, the reason being it counts events as I have indicated above if you look at the PACKET information the number is at the end (bold) below

             

            <134>Juniper: 2013-02-01 08:00:58 System()[] - Number of concurrent users logged in to the device: 251

             

            It reports 8 events for the users logged in, but rather writes an event with this string in it and the value of concurrent users logged in is 251

             

            If I follow your suggestion it will only count events written and still not adding up to concurrent users.

             

            the only way I managed to get it working is using the Dial with the below options

             

            COUNT (DISTINCT Source User)

            Filter - Device Type & Device ID

             

            I have attached a screenshot doing it your method it only counts the events generated which is 9 where actually there is  532  users logged in now

            Please see below:

            4>Juniper: 2013-02-01 09:00:22  [IP] System()[] - Number of concurrent users logged in to the device: 532

            ConcurrentUsersSummary.JPG

            I still need direction please on how to display this on a Bar

            • 3. Re: Juniper VPN Displaying Concurrent Users Logged On

              So the bar chart will only display the total number of packets we have received for that specific event (so we have recieved that Concurrent Users 9 times). That section in the packet doesnt look like it is parsed out into a field. What you would need to do is save that packet and log a PER for this field to be parsed out so you can report on it.

               

              You can log your PER here:

              McAfee ProductEnhancement Requests: https://mcafee.acceptondemand.com/index.jsp

              • 4. Re: Juniper VPN Displaying Concurrent Users Logged On
                japie

                Thanks for your response Aaron, I will complete the PER and provide feedback on the progress.

                 

                Tx

                Japie