Version: 2.10.1

Cisco AnyConnect Traffic Monitor

This module reports Cisco AnyConnect NVM (Network Visibility Module) Flow Logs. Within each Data Collection Interval it consolidates all NVM Flow Logs that share the same combination of the following fields:

  • Source IP address
  • Source port number (optional)
  • Destination IP address
  • Destination port number
  • nvzFlowLoggedInUser
  • nvzFlowProcessName
  • Layer 3 protocol

The consolidated flows are reported per user (nvzFlowLoggedInUser).

Parameters

Parameter Name | Description | Comments
--- | --- | ---
N - number of reported conversations for each user | The number of top consolidated flows reported for each user | min = 0, max = 100000, default = 50 (0 indicates all flows are reported)
Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec
List of known server destination port numbers | List of server destination ports used to determine which host is the client and which is the server. If the list is empty, the server is the host with the smaller port number | e.g. 53, 80, 443
List of subnet to exporter mapping | IPv4 subnets to Exporter IP map used to report NVM Flow Logs | e.g. 67.202.0.0,18,67.202.0.0; 72.44.32.0,24,72.44.32.0; default = null (each user is reported as a separate exporter)
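As an added example (not the product's own code) of the consolidation these parameters drive, the Python below groups constructed NVM records by the key fields, applies the known-server-port rule (smaller port wins when no port is known), maps the client address to an exporter via the subnet list, and keeps the top N flows per user. The record field names follow the table below; the base for percent_of_total (the user's bytes in the interval) and the sample values are assumptions.

```python
import ipaddress
# Module parameters with constructed sample values (added example, not the product's own code).
KNOWN_SERVER_PORTS = {53, 80, 443}                      # "List of known server destination port numbers"
SUBNET_TO_EXPORTER = [("67.202.0.0/18", "67.202.0.0"),  # "List of subnet to exporter mapping"
                      ("72.44.32.0/24", "72.44.32.0")]
COLS = ("src_ip", "src_port", "dest_ip", "dest_port", "user", "process", "protocol",   # the key fields
        "bytes_in", "bytes_out", "flow_start", "flow_end")                               # plus counters/times

def server_is_dest(src_port, dest_port):
    """Page rule: a known server port marks the server; if neither port matches, the smaller port is the server."""
    if dest_port in KNOWN_SERVER_PORTS or src_port in KNOWN_SERVER_PORTS:
        return dest_port in KNOWN_SERVER_PORTS
    return dest_port < src_port

def exporter_for(ip):
    """Map the client IPv4 address to an exporter IP; None means the user itself is reported as the exporter."""
    for net, exp in SUBNET_TO_EXPORTER:
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return exp
    return None

def consolidate(records, top_n=50, keep_src_port=False):
    """Merge raw NVM flows that share the key fields; return the top-N consolidated flows (by bytes) per user."""
    groups, per_user = {}, {}
    for r in records:
        c_ip, c_port, s_ip, s_port = r["src_ip"], r["src_port"], r["dest_ip"], r["dest_port"]
        if not server_is_dest(c_port, s_port):        # reorient so the server end is always the destination
            c_ip, c_port, s_ip, s_port = s_ip, s_port, c_ip, c_port
        key = (c_ip, c_port if keep_src_port else None, s_ip, s_port, r["user"], r["process"], r["protocol"])
        g = groups.setdefault(key, dict(zip(COLS, key), exp_ip=exporter_for(c_ip), flow_count=0, bytes_in=0,
                                        bytes_out=0, flow_start=r["flow_start"], flow_end=r["flow_end"]))
        g["flow_count"] += 1
        for k in ("bytes_in", "bytes_out"):           # byte counters stay endpoint-relative (ingress/egress)
            g[k] += r[k]
        g["flow_start"], g["flow_end"] = min(g["flow_start"], r["flow_start"]), max(g["flow_end"], r["flow_end"])
    for g in groups.values():
        per_user.setdefault(g["user"], []).append(g)
    for user, flows in per_user.items():
        total = sum(f["bytes_in"] + f["bytes_out"] for f in flows) or 1
        for f in flows:   # assumption: percent_of_total is relative to that user's bytes in the interval
            f["percent_of_total"] = round(100.0 * (f["bytes_in"] + f["bytes_out"]) / total, 3)
        flows.sort(key=lambda f: f["bytes_in"] + f["bytes_out"], reverse=True)
        per_user[user] = flows if top_n == 0 else flows[:top_n]   # N = 0 means report all flows
    return per_user
# Constructed sample records (not real NVM logs): alice's two HTTPS flows to one server merge, her DNS reply
# arrives with the server as the *source* and is reoriented, and bob's client address is outside the map.
SAMPLE = [dict(zip(COLS, v)) for v in [
    ("67.202.1.10", 51000, "203.0.113.5", 443, "alice", "chrome.exe", 6, 3000, 500, 100, 110),
    ("67.202.1.10", 51001, "203.0.113.5", 443, "alice", "chrome.exe", 6, 1000, 250, 95, 120),
    ("203.0.113.53", 53, "67.202.1.10", 60000, "alice", "svchost.exe", 17, 80, 170, 101, 101),
    ("10.9.9.9", 40000, "198.51.100.7", 8443, "bob", "python.exe", 6, 10, 90, 100, 105)]]
```

Calling consolidate(SAMPLE) yields two consolidated flows for alice (the merged HTTPS flow with flow_count 2 and the reoriented DNS flow) and one for bob; passing keep_src_port=True keeps the two HTTPS flows apart.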

Input

Cisco AnyConnect NVM Flow Logs

Syslog/JSON Message Fields

Key | Field Description | Comments
--- | --- | ---
nfc_id | Message type identifier | "nfc_id=20567"
exp_ip | NetFlow exporter IPv4 address | <IPv4 address>
agent_ver | nvzFlowAgentVersion | <string>
protocol | Transport Protocol (TCP = 6, UDP = 17) | <number>
src_ip | Source IPv4 address | <IPv4 address>
src_ip6 | Source IPv6 address | <IPv6 address>
src_port | Source port number | <number>
dest_ip | Destination IPv4 address | <IPv4 address>
dest_ip6 | Destination IPv6 address | <IPv6 address>
dest_port | Destination port number | <number>
flow_start | Min flowStartSeconds | <number>
flow_end | Max flowEndSeconds | <number>
flow_start_ms | Min nvzFlowFlowStartMsec | <number>
flow_end_ms | Max nvzFlowFlowEndMsec | <number>
dns_suffix | nvzFlowDNSSuffix | <string>
user | nvzFlowLoggedInUser | <string>
user_acc_type | nvzFlowLoggedInUserAccountType | <number>
account | nvzFlowProcessAccount | <string>
process_id | nvzFlowProcessId | <number>
process | nvzFlowProcessName | <string>
process_path | nvzFlowProcessPath | <string>
process_args | nvzFlowProcessArgs | <string>
p_account | nvzFlowParentProcessAccount | <string>
p_process | nvzFlowParentProcessName | <string>
p_process_path | nvzFlowParentProcessPath | <string>
p_process_args | nvzFlowParentProcessArgs | <string>
bytes_in | Layer 3 bytes of ingress flows | <number>
bytes_out | Layer 3 bytes of egress flows | <number>
dest_host | nvzFlowDestinationHostname | <string>
if_index | nvzFlowInterfaceIndex | <number>
if_type | nvzFlowInterfaceType (decoded to string) | <string>
if_name | nvzFlowInterfaceName | <string>
if_mac | nvzFlowInterfaceMacAddress | <string>
ep_os_name | nvzFlowOSName | <string>
ep_os_ver | nvzFlowOSVersion | <string>
ep_os_ed | nvzFlowOSEdition | <string>
ep_sys_man | nvzFlowSystemManufacturer | <string>
ep_sys_type | nvzFlowSystemType | <string>
flow_count | Number of consolidated flows | <number>
percent_of_total | Percent of Total (bytes) | <decimal>, e.g. 25.444% is reported as 25.444
t_int | Observation time interval, msec | <number>