Monitoring on-premises VPN activity


Hi there,

I have an on-premises Always On VPN solution provided by WS2019 RRAS and WS2019 NPS. Both user and device tunnels are available through the same machine.

My users authenticate by username/password for the user tunnel and by machine certificate for the device tunnel.

The user tunnel also has Azure MFA provided by the NPS Extension.

 

Right now, I need to analyze NPS Accounting log files and RRAS Local Event Viewer in order to provide a complete report of VPN usage.

Is there a way to collect this information somewhere in Azure to create a global report for any user or device authentication event? I need to monitor connection-disconnection events as well.

 

Many thanks!

FF
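The manual NPS accounting-log analysis described in the question can be scripted. The following is an added example, not part of the original thread: it assumes NPS writes its accounting log in the DTS-compliant XML format with one `<Event>` element per line and the timestamp layout shown, and the sample lines, user names and session IDs are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

TS_FORMAT = "%m/%d/%Y %H:%M:%S.%f"  # assumed layout of the Timestamp field

# Constructed sample (not real log data): a user Start/Stop pair, an Access-Request,
# a device-tunnel session that is still open, and a truncated final line.
SAMPLE_LOG = """
<Event><Timestamp data_type="4">03/02/2020 08:00:01.000</Timestamp><Packet-Type data_type="0">1</Packet-Type><User-Name data_type="1">alice@contoso.example</User-Name></Event>
<Event><Timestamp data_type="4">03/02/2020 08:00:05.120</Timestamp><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">alice@contoso.example</User-Name><Acct-Session-Id data_type="1">101</Acct-Session-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><Timestamp data_type="4">03/02/2020 08:10:00.000</Timestamp><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">host/PC01.contoso.example</User-Name><Acct-Session-Id data_type="1">102</Acct-Session-Id><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><Timestamp data_type="4">03/02/2020 09:30:05.120</Timestamp><Packet-Type data_type="0">4</Packet-Type><User-Name data_type="1">alice@contoso.example</User-Name><Acct-Session-Id data_type="1">101</Acct-Session-Id><Acct-Status-Type data_type="0">2</Acct-Status-Type></Event>
<Event><Timestamp data_type="4">03/02/2020 09:3
"""

def parse_events(text):
    """Yield one {field: value} dict per well-formed <Event> line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            root = ET.fromstring(line)
        except ET.ParseError:
            continue  # e.g. a line cut off while the log was being written
        yield {child.tag: (child.text or "") for child in root}

def build_sessions(text):
    """Pair accounting Start/Stop records by (User-Name, Acct-Session-Id)."""
    sessions = {}
    for ev in parse_events(text):
        if ev.get("Packet-Type") != "4" or "Timestamp" not in ev:
            continue  # 4 = RADIUS Accounting-Request; ignore everything else
        key = (ev.get("User-Name"), ev.get("Acct-Session-Id"))
        when = datetime.strptime(ev["Timestamp"], TS_FORMAT)
        entry = sessions.setdefault(key, {"start": None, "stop": None, "seconds": None})
        status = ev.get("Acct-Status-Type")
        if status == "1":    # Start = connection
            entry["start"] = when
        elif status == "2":  # Stop = disconnection
            entry["stop"] = when
        if entry["start"] and entry["stop"]:
            entry["seconds"] = int((entry["stop"] - entry["start"]).total_seconds())
    return sessions

if __name__ == "__main__":
    for (user, sid), s in build_sessions(SAMPLE_LOG).items():
        print(user, sid, s["start"], s["stop"] or "still connected", s["seconds"])
```

A session with a start but no stop is reported as still connected, which is how a device tunnel that never drops appears in the output.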

5 Replies

@FrancescoFacco

 

If you know the name of the Event log from Event Viewer, then add it into the "enter the name of an eventlog to monitor" field here.

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events 

 

Assuming the server has the MMA on it (Windows Agent), then you will see entries flowing into the Events table (after a while). If not, please add the agent: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

@CliveWatson thanks for your info, I'll try this solution ASAP.

 

What about reporting? I know I'll be able to work in some ways with collected data. Is there any pre-configured report generator (such as PDF or HTML) I can use to send scheduled reports to management?

 

Do you have any suggestions on documentation I can refer to?

 

Many thanks!

@FrancescoFacco 

 

Typically with Log Analytics there are two or three choices:

 

1. Give the manager Log Analytics read access, and the queries to run, probably not the best idea

2. Create an Azure Monitor Workbook - share that with Management and they can refresh that whenever they wish (they will need query access, but allows them to get the data when required in a nice format)

3. Use a Scheduled Logic App.

   - I use this a lot, set the Recurrence to once a week or whatever is required.

   - Run the Query

   - Send them an Email

 

Advantage is they need no access, but there isn't an ad-hoc option

 


 

This is the one I use each week; it starts at midnight on Friday and emails two graphs to me.

 


 

 

 

@CliveWatson 

Looks great!

I'll try it certainly.

 

Thank you.
