VPN Gateway Logs

Network, Authentication & Access, Network Capture, SIEM / Log Aggregator

Location

VPN concentrator logs (Cisco AnyConnect, Palo Alto GlobalProtect, OpenVPN, WireGuard)

Description

VPN authentication and session logs recording user identity, source IP, connection duration, assigned internal IP, bytes transferred, and authentication method (certificate, MFA, password).

Forensic Value

VPN logs are critical for identifying initial access via stolen VPN credentials, which is a top attack vector for ransomware operators. Concurrent VPN sessions from the same account but different source IPs confirm credential compromise. Sessions from residential proxy or VPS IP ranges (not matching the user's typical ISP) indicate attacker access. The assigned internal IP links VPN access to subsequent internal activity in firewall and endpoint logs.
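As an added example (not code from the original page), the concurrent-session check described above, run over a few constructed log lines in a generic connect/disconnect format. The field names and timestamp format are assumptions; real gateways each log differently, so the regex would need adapting.

```python
import re
from datetime import datetime

# Constructed sample lines in an assumed generic format (not from any real gateway).
SAMPLE_LOG = """\
2024-03-01T08:00:12Z CONNECT user=alice src_ip=203.0.113.10 assigned_ip=10.8.0.5
2024-03-01T08:15:44Z CONNECT user=bob src_ip=198.51.100.7 assigned_ip=10.8.0.6
2024-03-01T08:20:03Z CONNECT user=alice src_ip=192.0.2.99 assigned_ip=10.8.0.7
2024-03-01T09:05:00Z DISCONNECT user=alice src_ip=203.0.113.10 assigned_ip=10.8.0.5
2024-03-01T09:30:00Z DISCONNECT user=alice src_ip=192.0.2.99 assigned_ip=10.8.0.7
2024-03-01T10:00:00Z CONNECT user=bob src_ip=198.51.100.7 assigned_ip=10.8.0.8
2024-03-01T10:30:00Z DISCONNECT user=bob src_ip=198.51.100.7 assigned_ip=10.8.0.6
"""

LINE_RE = re.compile(r"^(\S+) (CONNECT|DISCONNECT) user=(\S+) src_ip=(\S+) assigned_ip=(\S+)$")

def parse_sessions(text):
    """Pair CONNECT/DISCONNECT events into sessions keyed by (user, src_ip, assigned_ip).
    A session with no DISCONNECT yet is returned with end=None (still open)."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication/session event
        ts, event, user, src_ip, assigned_ip = m.groups()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        key = (user, src_ip, assigned_ip)
        if event == "CONNECT":
            open_sessions[key] = {"user": user, "src_ip": src_ip, "start": t, "end": None}
        elif key in open_sessions:
            s = open_sessions.pop(key)
            s["end"] = t
            sessions.append(s)
    sessions.extend(open_sessions.values())  # open sessions still count
    return sessions

def find_concurrent_sessions(text):
    """Return (user, src_ip_a, src_ip_b) for each pair of sessions of the same user
    that overlap in time but originate from different source IPs."""
    sessions, hits = parse_sessions(text), []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if a["user"] != b["user"] or a["src_ip"] == b["src_ip"]:
                continue  # different users, or a reconnect from the same IP
            a_end, b_end = a["end"] or datetime.max, b["end"] or datetime.max
            if a["start"] < b_end and b["start"] < a_end:  # intervals overlap
                hits.append((a["user"], a["src_ip"], b["src_ip"]))
    return hits

if __name__ == "__main__":
    for user, ip_a, ip_b in find_concurrent_sessions(SAMPLE_LOG):
        print(f"concurrent sessions for {user}: {ip_a} and {ip_b}")
```

In the sample, alice is flagged (two overlapping sessions from different IPs) while bob's overlapping reconnect from the same IP is not, which is the distinction that separates credential compromise from ordinary client behaviour.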

Tools Required

SIEM (Splunk, Elastic), VPN management console, grep, GeoIP lookup tools

Collection Commands

Splunk

index=vpn sourcetype=vpn_logs earliest=-30d | stats count, values(src_ip) as src_ips, dc(src_ip) as distinct_src_ips by user | where distinct_src_ips > 3 | sort -distinct_src_ips

Cisco ASA

show vpn-sessiondb anyconnect | include Username|Login Time|Duration|Public IP

OpenVPN

cat /var/log/openvpn/status.log && grep -E "VERIFY OK|VERIFY ERROR|client-connect|client-disconnect" /var/log/openvpn/openvpn.log > vpn_auth_events.txt

MITRE ATT&CK Techniques

T1133 (External Remote Services), T1078 (Valid Accounts), T1110 (Brute Force), T1078.001 (Default Accounts), T1021.001 (Remote Desktop Protocol)