Cisco AnyConnect Traffic Monitor
This module reports Cisco AnyConnect NVM Flow Logs. Over each Data Collection Interval it consolidates the NVM Flow Logs that share the same combination of the following fields:
- Source IP address
- Source port number (optional)
- Destination IP address
- Destination port number
- nvzFlowLoggedInUser
- nvzFlowProcessName
- Layer 3 protocol
This information is reported per user (nvzFlowLoggedInUser).
This module is not packaged with NFO. Download it for your operating system:
Windows (v3 fields): Cisco AnyConnect Traffic Monitor (md5)

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| N - number of reported conversations for each user | The number of top consolidated flows reported for each user | min = 0, max = 100000, default = 50 (0 indicates all flows are reported) |
| Data Collection Interval, sec | Module logic execution interval | min = 10 sec, max = 600 sec, default = 30 sec |
| List of known server destination port numbers | List of server destination ports used to determine which host is the client and which is the server. If the list is empty, the server is the host that sends more traffic than it receives | e.g. 53, 80, 443 |
| List of subnet-to-exporter mappings | IPv4 subnet to exporter IP mappings that determine the exporter IP reported for NVM Flow Logs | e.g. 67.202.0.0,18,67.202.0.0; 72.44.32.0,24,72.44.32.0 (default = null: each user is reported as a separate exporter) |
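As an added example (not the NFO module's own code), the following Python script applies the consolidation described above to a handful of constructed NVM flow records: it groups one interval's flows by the key tuple, orients each conversation so that the destination side is the server (using a constructed known-server-port list, or the traffic-volume rule when that list is empty), maps the endpoint IP to an exporter with the example mapping string, and reports the top N conversations per user with flow_count and percent_of_total as defined in the Syslog/JSON field table below. Two things are assumptions drawn from the text rather than documented behaviour: that the client/server decision is applied by swapping the source and destination sides of a flow, and that each mapping entry is subnet, prefix length, exporter IP.

```python
"""Added example, not code from the NFO module: consolidates constructed Cisco AnyConnect
NVM flow records the way the page describes (same key tuple per user, top N, client/server
orientation, subnet-to-exporter mapping). Field names follow the page's Syslog/JSON table."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample NVM flows (one record per flow). src_* is the endpoint running the agent;
# bytes_out is egress from that endpoint and bytes_in is ingress to it, as on the page.
FLOWS = [
    {"user": "alice", "process": "chrome.exe", "protocol": 6, "src_ip": "67.202.0.10",
     "src_port": 51000, "dest_ip": "93.184.216.34", "dest_port": 443, "bytes_in": 90000, "bytes_out": 5000},
    {"user": "alice", "process": "chrome.exe", "protocol": 6, "src_ip": "67.202.0.10",
     "src_port": 51002, "dest_ip": "93.184.216.34", "dest_port": 443, "bytes_in": 10000, "bytes_out": 5000},
    {"user": "alice", "process": "svchost.exe", "protocol": 17, "src_ip": "67.202.0.10",
     "src_port": 60000, "dest_ip": "10.1.1.1", "dest_port": 53, "bytes_in": 500, "bytes_out": 100},
    # Inbound file-sharing session: the endpoint is the server side of this conversation.
    {"user": "bob", "process": "System", "protocol": 6, "src_ip": "72.44.32.7",
     "src_port": 445, "dest_ip": "10.2.2.2", "dest_port": 49152, "bytes_in": 2000, "bytes_out": 30000},
    {"user": "bob", "process": "ssh.exe", "protocol": 6, "src_ip": "72.44.32.7",
     "src_port": 52000, "dest_ip": "10.3.3.3", "dest_port": 22, "bytes_in": 1000, "bytes_out": 8000},
]

# Constructed values for the two list parameters; the exporter string uses the page's example format.
KNOWN_SERVER_PORTS = {22, 53, 80, 443, 445}
SUBNET_TO_EXPORTER = "67.202.0.0,18,67.202.0.0; 72.44.32.0,24,72.44.32.0"


def parse_exporter_map(text):
    """Parse 'subnet,prefixlen,exporter_ip' entries separated by ';' (assumed format)."""
    entries = []
    for item in (s.strip() for s in text.split(";")):
        if not item:
            continue
        net, plen, exporter = (p.strip() for p in item.split(","))
        entries.append((ip_network(f"{net}/{plen}", strict=False), exporter))
    return entries


def exporter_for(endpoint_ip, exporter_map, user):
    """Longest-prefix match of the endpoint IP; with no match each user is its own exporter (page default)."""
    best = None
    for net, exporter in exporter_map:
        if ip_address(endpoint_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exporter)
    return best[1] if best else user


def normalize(flow, server_ports):
    """Orient a flow so dest_ip/dest_port is the server (assumed application of the page's rule).
    With a port list, the side whose port is listed is the server; with an empty list,
    the side that sent more bytes is the server."""
    if server_ports:
        src_is_server = flow["src_port"] in server_ports and flow["dest_port"] not in server_ports
    else:
        src_is_server = flow["bytes_out"] > flow["bytes_in"]
    if not src_is_server:
        return dict(flow)
    flipped = dict(flow)
    flipped["src_ip"], flipped["dest_ip"] = flow["dest_ip"], flow["src_ip"]
    flipped["src_port"], flipped["dest_port"] = flow["dest_port"], flow["src_port"]
    flipped["bytes_in"], flipped["bytes_out"] = flow["bytes_out"], flow["bytes_in"]  # now client-relative
    return flipped


def consolidate(flows, server_ports, exporter_map, top_n=50, include_src_port=False):
    """Group one interval's flows by the page's key tuple, then report the top N per user.
    Returns {user: [record, ...]} with flow_count, byte sums and percent_of_total per record."""
    groups = defaultdict(lambda: {"flow_count": 0, "bytes_in": 0, "bytes_out": 0})
    for raw in flows:
        exp_ip = exporter_for(raw["src_ip"], exporter_map, raw["user"])  # mapped from the endpoint IP
        f = normalize(raw, server_ports)
        key = (raw["user"], exp_ip, f["process"], f["protocol"], f["src_ip"],
               f["src_port"] if include_src_port else None, f["dest_ip"], f["dest_port"])
        g = groups[key]
        g["flow_count"] += 1
        g["bytes_in"] += f["bytes_in"]
        g["bytes_out"] += f["bytes_out"]

    per_user = defaultdict(list)
    for (user, exp_ip, process, proto, src_ip, src_port, dest_ip, dest_port), g in groups.items():
        per_user[user].append({"exp_ip": exp_ip, "user": user, "process": process, "protocol": proto,
                               "src_ip": src_ip, "src_port": src_port, "dest_ip": dest_ip,
                               "dest_port": dest_port, **g})

    report = {}
    for user, records in per_user.items():
        total = sum(r["bytes_in"] + r["bytes_out"] for r in records)
        for r in records:  # page: 25.444% is reported as 25.444
            r["percent_of_total"] = round(100.0 * (r["bytes_in"] + r["bytes_out"]) / total, 3) if total else 0.0
        records.sort(key=lambda r: r["bytes_in"] + r["bytes_out"], reverse=True)
        report[user] = records if top_n == 0 else records[:top_n]  # N = 0 means report all
    return report


if __name__ == "__main__":
    for user, records in consolidate(FLOWS, KNOWN_SERVER_PORTS, parse_exporter_map(SUBNET_TO_EXPORTER)).items():
        for r in records:
            print(user, r["exp_ip"], r["process"], f'{r["src_ip"]} -> {r["dest_ip"]}:{r["dest_port"]}',
                  r["flow_count"], r["bytes_in"], r["bytes_out"], r["percent_of_total"])
```

With the constructed input, alice's two browser flows to the same destination collapse into one record with flow_count 2 because the source port is left out of the key (the page marks it optional); bob's inbound port 445 session is flipped so the remote host becomes the source and the endpoint the server, while the exporter is still chosen from the endpoint's own address.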

Input

Cisco AnyConnect NVM Flow Logs

Syslog/JSON Message Fields

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20567" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4 address> |
| agent_ver | nvzFlowAgentVersion | <string> |
| protocol | Transport protocol (TCP = 6, UDP = 17) | <number> |
| src_ip | Source IPv4 address | <IPv4 address> |
| src_ip6 | Source IPv6 address | <IPv6 address> |
| src_port | Source port number | <number> |
| dest_ip | Destination IPv4 address | <IPv4 address> |
| dest_ip6 | Destination IPv6 address | <IPv6 address> |
| dest_port | Destination port number | <number> |
| flow_start | Min flowStartSeconds | <number> |
| flow_end | Max flowEndSeconds | <number> |
| flow_start_ms | Min nvzFlowFlowStartMsec | <number> |
| flow_end_ms | Max nvzFlowFlowEndMsec | <number> |
| dns_suffix | nvzFlowDNSSuffix | <string> |
| user | nvzFlowLoggedInUser | <string> |
| user_acc_type | nvzFlowLoggedInUserAccountType | <number> |
| account | nvzFlowProcessAccount | <string> |
| process_id | nvzFlowProcessId | <number> |
| process | nvzFlowProcessName | <string> |
| process_path | nvzFlowProcessPath | <string> |
| process_args | nvzFlowProcessArgs | <string> |
| p_account | nvzFlowParentProcessAccount | <string> |
| p_process | nvzFlowParentProcessName | <string> |
| p_process_path | nvzFlowParentProcessPath | <string> |
| p_process_args | nvzFlowParentProcessArgs | <string> |
| bytes_in | Layer 3 bytes of ingress flows | <number> |
| bytes_out | Layer 3 bytes of egress flows | <number> |
| dest_host | nvzFlowDestinationHostname | <string> |
| if_index | nvzFlowInterfaceIndex | <number> |
| if_type | nvzFlowInterfaceType (decoded to string) | <string> |
| if_name | nvzFlowInterfaceName | <string> |
| if_mac | nvzFlowInterfaceMacAddress | <string> |
| ep_os_name | nvzFlowOSName | <string> |
| ep_os_ver | nvzFlowOSVersion | <string> |
| ep_os_ed | nvzFlowOSEdition | <string> |
| ep_sys_man | nvzFlowSystemManufacturer | <string> |
| ep_sys_type | nvzFlowSystemType | <string> |
| flow_count | Number of consolidated flows | <number> |
| percent_of_total | Percent of total (bytes) | <decimal>, e.g. 25.444% is 25.444 |
| t_int | Observation time interval, msec | <number> |