Cisco AnyConnect Integration
Overview
Cisco AnyConnect provides enterprise VPN remote access with posture assessment. KYRA MDR collects AnyConnect session logs from the ASA/FTD headend. The integration supports AnyConnect 4.x with ASA 9.x or FTD 6.x/7.x.
Prerequisites
- A KYRA MDR Collector installed and running
- Cisco ASA or FTD configured as AnyConnect headend
- Syslog configured on the ASA/FTD
- AnyConnect VPN configured and operational
Configuration
AnyConnect events are forwarded through ASA/FTD syslog:
- Ensure syslog is configured on the ASA (see Cisco ASA integration)
- Enable VPN-specific syslog messages:
logging class vpn trap informational
logging class vpnfo trap informational
logging class ssl trap informational
logging class auth trap informational
- Enable session logging:
logging message 722051 level informational
logging message 722022 level informational
logging message 722023 level informational
logging message 113019 level informational
- Write the configuration:
write memory
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Session Start | VPN session establishment (722051) | Access monitoring |
| Session End | VPN session termination (722023) | Session tracking |
| Authentication | User authentication events (113019) | Credential monitoring |
| Group Policy | Group policy assignment (722028) | Access control verification |
| Posture | Endpoint posture assessment results | Compliance enforcement |
| DAP | Dynamic Access Policy evaluation | Adaptive access control |
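
The Session Start (722051) and Session End (722023) events in the table above can be paired to track which VPN sessions are still open and to spot a user connected from more than one public IP. The following Python is an added example, not KYRA MDR or Cisco code; the `Group <..> User <..> IP <..>` field layout, the function names and the sample lines are assumptions constructed for illustration, so check them against the messages your headend emits.

```python
import re

# Syslog tag plus the angle-bracket fields of the 7220xx AnyConnect messages
# (field layout is an assumption; verify against your headend's output).
MSG = re.compile(
    r"%(?:ASA|FTD)-\d-(?P<id>\d{6}): Group <(?P<group>[^>]*)> "
    r"User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)>"
)
START, END = "722051", "722023"  # Session Start / Session End in the table


def open_sessions(lines):
    """Replay events in order; return {(user, public_ip): group_policy}
    for sessions that have a start event and no end event yet."""
    sessions = {}
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # other message IDs or unrelated syslog
        key = (m["user"], m["ip"])
        if m["id"] == START:
            sessions[key] = m["group"]
        elif m["id"] == END:
            sessions.pop(key, None)  # repeated end events are harmless
    return sessions


def multi_source_users(sessions):
    """Users holding open sessions from more than one public IP."""
    by_user = {}
    for user, ip in sessions:
        by_user.setdefault(user, set()).add(ip)
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) > 1}


# Constructed sample lines: made-up users, documentation address ranges.
SAMPLE = [
    "%ASA-6-722051: Group <GP_Staff> User <alice> IP <198.51.100.7> IPv4 Address <10.20.0.11> IPv6 address <::> assigned to session",
    "%ASA-6-722051: Group <GP_Staff> User <bob> IP <203.0.113.40> IPv4 Address <10.20.0.12> IPv6 address <::> assigned to session",
    "%ASA-6-722023: Group <GP_Staff> User <bob> IP <203.0.113.40> TCP SVC connection terminated without compression",
    "%FTD-6-722051: Group <GP_Staff> User <alice> IP <192.0.2.99> IPv4 Address <10.20.0.13> IPv6 address <::> assigned to session",
    "unrelated syslog line that the parser should skip",
]

if __name__ == "__main__":
    current = open_sessions(SAMPLE)
    print("open:", current)
    print("multi-source:", multi_source_users(current))
```
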
Troubleshooting
No VPN syslog: Ensure vpn and auth logging classes are enabled.
Missing session details: Enable specific message IDs (722051, 722022, 722023).
Certificate auth: Enable the ssl logging class to capture certificate validation events.
Contact kyra@seekerslab.com for support.