Cisco AnyConnect Traffic Monitor
This module reports Cisco AnyConnect NVM flow logs. Over each Data Collection Interval it consolidates all NVM flow records that share the same combination of the following fields into one conversation:
- Source IP address
- Source port number (optional)
- Destination IP address
- Destination port number
- nvzFlowLoggedInUser
- nvzFlowProcessName
- IP protocol number (e.g. TCP = 6, UDP = 17)
This information is provided per User (nvzFlowLoggedInUser).
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| N - number of reported conversations for each user | The number of top consolidated flows reported for each user | min = 0, max = 100000, default = 50 (0 indicates all flows are reported) |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| List of known server destination port numbers | List of well-known server ports used to decide which endpoint of a flow is the client and which is the server: the endpoint whose port is in the list is treated as the server, so the reported source is always the client. If the list is empty, the endpoint with the smaller port number is treated as the server | e.g. 53, 80, 443 |
| List of subnet to exporter mapping | Maps IPv4 subnets to the Exporter IP reported in `exp_ip`. Each entry is `<network>,<prefix length>,<exporter IP>`; entries are separated by semicolons | e.g. 67.202.0.0,18,67.202.0.0; 72.44.32.0,24,72.44.32.0; default = null (each user is reported as a separate exporter) |
Input
Cisco AnyConnect NVM Flow Logs
Output
Syslog/JSON Message Fields (one message per consolidated conversation)
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20567" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4 address> |
| agent_ver | nvzFlowAgentVersion | <string> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| src_ip | Source IPv4 address | <IPv4 address> |
| src_ip6 | Source IPv6 address | <IPv6 address> |
| src_port | Source port number | <number> |
| dest_ip | Destination IPv4 address | <IPv4 address> |
| dest_ip6 | Destination IPv6 address | <IPv6 address> |
| dest_port | Destination port number | <number> |
| flow_start | Min flowStartSeconds | <number> |
| flow_end | Max flowEndSeconds | <number> |
| flow_start_ms | Min nvzFlowFlowStartMsec | <number> |
| flow_end_ms | Max nvzFlowFlowEndMsec | <number> |
| dns_suffix | nvzFlowDNSSuffix | <string> |
| user | nvzFlowLoggedInUser | <string> |
| user_acc_type | nvzFlowLoggedInUserAccountType | <number> |
| account | nvzFlowProcessAccount | <string> |
| process_id | nvzFlowProcessId | <number> |
| process | nvzFlowProcessName | <string> |
| process_path | nvzFlowProcessPath | <string> |
| process_args | nvzFlowProcessArgs | <string> |
| p_account | nvzFlowParentProcessAccount | <string> |
| p_process | nvzFlowParentProcessName | <string> |
| p_process_path | nvzFlowParentProcessPath | <string> |
| p_process_args | nvzFlowParentProcessArgs | <string> |
| bytes_in | Layer 3 bytes of ingress flows | <number> |
| bytes_out | Layer 3 bytes of egress flows | <number> |
| dest_host | nvzFlowDestinationHostname | <string> |
| if_index | nvzFlowInterfaceIndex | <number> |
| if_type | nvzFlowInterfaceType (decoded to string) | <string> |
| if_name | nvzFlowInterfaceName | <string> |
| if_mac | nvzFlowInterfaceMacAddress | <string> |
| ep_os_name | nvzFlowOSName | <string> |
| ep_os_ver | nvzFlowOSVersion | <string> |
| ep_os_ed | nvzFlowOSEdition | <string> |
| ep_sys_man | nvzFlowSystemManufacturer | <string> |
| ep_sys_type | nvzFlowSystemType | <string> |
| flow_count | Number of consolidated flows | <number> |
| percent_of_total | Percent of Total (bytes) | <decimal>, e.g. 25.444% is 25.444 |
| t_int | Observation time interval, msec | <number> |
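The consolidation the Parameters table describes (client/server orientation from the known-server-port list, grouping on the key fields, top-N per user, subnet-to-exporter lookup) and the derived output fields in the table above (`flow_count`, `percent_of_total`, min/max flow times, `t_int`) are shown together in the following added example. It is illustrative code written for this page, not Cisco's or the module's implementation. The input records are constructed dicts keyed with the field names from the table; three details the page leaves open are assumptions and marked as such in the code: when the port list is non-empty but neither port is in it, the smaller-port rule is used as a fallback; `percent_of_total` is computed against the user's own total bytes; and when no subnet entry matches, the endpoint's own address is reported as `exp_ip`.

```python
"""Consolidate AnyConnect NVM flow records into per-user conversations.
Constructed example for this page; not Cisco/module code."""
import ipaddress
from collections import defaultdict

NFC_ID = 20567  # message type identifier from the output table

# Constructed sample input (values invented for the example).
SAMPLE_FLOWS = [
    dict(src_ip="10.1.1.5", src_port=51000, dest_ip="93.184.216.34", dest_port=443,
         protocol=6, user="alice", process="chrome.exe", bytes_in=12000, bytes_out=3000,
         flow_start=1700000000, flow_end=1700000005),
    dict(src_ip="10.1.1.5", src_port=51001, dest_ip="93.184.216.34", dest_port=443,
         protocol=6, user="alice", process="chrome.exe", bytes_in=8000, bytes_out=1000,
         flow_start=1700000002, flow_end=1700000009),
    # Server port on the source side: orientation must swap the endpoints.
    dict(src_ip="10.1.1.2", src_port=53, dest_ip="10.1.1.5", dest_port=40000,
         protocol=17, user="alice", process="svchost.exe", bytes_in=200, bytes_out=100,
         flow_start=1700000001, flow_end=1700000001),
    dict(src_ip="10.1.1.7", src_port=60000, dest_ip="203.0.113.9", dest_port=8443,
         protocol=6, user="bob", process="curl", bytes_in=500, bytes_out=500,
         flow_start=1700000003, flow_end=1700000004),
]


def orient(flow, known_server_ports):
    """Return a copy of flow with the client as source and the server as destination."""
    sp, dp = flow["src_port"], flow["dest_port"]
    if known_server_ports:
        if dp in known_server_ports:
            server_is_dest = True
        elif sp in known_server_ports:
            server_is_dest = False
        else:
            server_is_dest = dp <= sp  # assumption: fall back to the smaller-port rule
    else:
        server_is_dest = dp <= sp  # empty list: the smaller port is the server
    out = dict(flow)
    if not server_is_dest:
        out["src_ip"], out["dest_ip"] = flow["dest_ip"], flow["src_ip"]
        out["src_port"], out["dest_port"] = flow["dest_port"], flow["src_port"]
        # bytes_in/bytes_out are left as-is: they are measured at the endpoint (assumption)
    return out


def parse_subnet_map(text):
    """Parse 'net,prefix,exporter; net,prefix,exporter' into [(IPv4Network, exporter_ip)]."""
    if not text:
        return []
    result = []
    for entry in (e.strip() for e in text.split(";")):
        if not entry:
            continue
        net, prefix, exporter = (p.strip() for p in entry.split(","))
        result.append((ipaddress.ip_network(f"{net}/{prefix}", strict=False), exporter))
    return result


def exporter_for(ip, subnet_map):
    addr = ipaddress.ip_address(ip)
    for net, exporter in subnet_map:
        if addr in net:
            return exporter
    return ip  # assumption: no match -> the endpoint itself is the exporter


def consolidate(flows, n=50, include_src_port=False, known_server_ports=(),
                subnet_map=(), interval_sec=30):
    """Group flows on the key fields, then keep the top-N conversations per user (n=0: all)."""
    ports = set(known_server_ports)
    groups = {}
    for raw in flows:
        f = orient(raw, ports)
        sport = f["src_port"] if include_src_port else None
        key = (f["user"], f["src_ip"], sport, f["dest_ip"], f["dest_port"],
               f["process"], f["protocol"])
        g = groups.get(key)
        if g is None:
            g = groups[key] = dict(
                nfc_id=NFC_ID, exp_ip=exporter_for(f["src_ip"], subnet_map),
                protocol=f["protocol"], src_ip=f["src_ip"], src_port=sport,
                dest_ip=f["dest_ip"], dest_port=f["dest_port"], user=f["user"],
                process=f["process"], flow_start=f["flow_start"], flow_end=f["flow_end"],
                bytes_in=0, bytes_out=0, flow_count=0, t_int=interval_sec * 1000)
        g["bytes_in"] += f["bytes_in"]
        g["bytes_out"] += f["bytes_out"]
        g["flow_count"] += 1
        g["flow_start"] = min(g["flow_start"], f["flow_start"])  # Min flowStartSeconds
        g["flow_end"] = max(g["flow_end"], f["flow_end"])        # Max flowEndSeconds

    per_user = defaultdict(list)
    for g in groups.values():
        per_user[g["user"]].append(g)
    report = {}
    for user, convs in per_user.items():
        total = sum(c["bytes_in"] + c["bytes_out"] for c in convs)  # assumption: per-user total
        for c in convs:
            c["percent_of_total"] = round(100.0 * (c["bytes_in"] + c["bytes_out"]) / total, 3) if total else 0.0
        convs.sort(key=lambda c: c["bytes_in"] + c["bytes_out"], reverse=True)
        report[user] = convs if n == 0 else convs[:n]
    return report


if __name__ == "__main__":
    smap = parse_subnet_map("10.1.0.0,16,10.1.0.1; 203.0.113.0,24,203.0.113.1")
    for user, convs in consolidate(SAMPLE_FLOWS, n=0, known_server_ports={53, 80, 443},
                                   subnet_map=smap).items():
        for c in convs:
            print(" ".join(f"{k}={v}" for k, v in c.items() if v is not None))
```

Note that the DNS record in the sample arrives with port 53 on the source side; after orientation it is reported with the endpoint 10.1.1.5 as the client, which is what lets the two chrome.exe flows and the svchost.exe lookup all appear under the same user with correct `percent_of_total` values. When `include_src_port` is False the consolidated message carries no `src_port`, since several ephemeral ports have been folded into one conversation.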