Monitoring onpremises vpn activity


Hi there,

I have an on-premises Always On VPN solution provided by WS2019 RRAS and WS2019 NPS. Both user and device tunnels are available through the same machine.

My users authenticate by username/password for the user tunnel and by machine certificate for the device tunnel.

The user tunnel also has Azure MFA provided by the NPS Extension.

 

Right now, I need to analyze NPS Accounting log files and the RRAS local Event Viewer in order to provide a complete report of VPN usage.

Is there a way to collect this information somewhere in Azure to create a global report for any user or device authentication event? I need to monitor connection-disconnection events as well.

 

Many thanks!

FF

5 Replies

@FrancescoFacco

 

If you know the name of the Event log from Event Viewer, then add it into here "enter the name of an eventlog to monitor" field.

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events 

 

Assuming the server has the MMA on it (Windows Agent), then you will see entries flowing into the Events table (after a while) - if not please add the agent https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

@Clive Watson thanks for your info, I'll try this solution ASAP.

 

What about reporting? I know I'll be able to work in some ways with collected data. Is there any pre-configured report generator (such as PDF or HTML) I can use to send a scheduled report to management?

 

Do you have any suggestions on documentation I can refer to?

 

Many thanks!

@FrancescoFacco 

 

Typically with Log Analytics there are two or three choices:

 

1. Give the manager Log Analytics read access, and the queries to run, probably not the best idea

2. Create an Azure Monitor Workbook - share that with Management and they can refresh that whenever they wish (they will need query access, but allows them to get the data when required in a nice format)

3. Use a Scheduled Logic App.

   - I use this a lot, set the Recurrence to once a week or whatever is required.

   - Run the Query

   - Send them an Email

 

Advantage is they need no access, but there isn't an ad-hoc option

 

Logi App Send Email.jpg

 

This is my one I use each week, it starts at midnight on Friday and emails two graphs to me

 

Logic App - send Perf report.jpg
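
Added example, not part of the original thread or any poster's own query: a Log Analytics query of the kind the "Run the Query" step of the scheduled Logic App could execute once the RRAS server's System event log is being collected. It assumes RRAS logs under the source `RemoteAccess` with the event IDs named in the comments, and that the account name appears in the message text as "The user NAME connected"; confirm both in Event Viewer on your own server.

```kusto
// Weekly VPN activity summary from the RRAS server's System event log.
// Assumptions (verify in Event Viewer before relying on them):
//   Source "RemoteAccess", with
//   20271 = failed authentication attempt
//   20272 = session summary (connect time, disconnect time, bytes, reason)
//   20274 = user connected and was assigned an address
//   20275 = user disconnected (message carries only the client IP)
Event
| where TimeGenerated > ago(7d)
| where EventLog == "System" and Source == "RemoteAccess"
| where EventID in (20271, 20272, 20274, 20275)
| extend Activity = case(
    EventID == 20271, "AuthFailed",
    EventID == 20274, "Connected",
    EventID == 20275, "Disconnected",
    "SessionSummary")
// The account name is only present in the rendered message text.
// Events whose wording differs (for example 20275) yield an empty VpnUser.
| extend VpnUser = extract(@"The user (\S+) connected", 1, RenderedDescription)
| summarize
    Events = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Computer, VpnUser, Activity
| order by VpnUser asc, Activity asc
```

A sustained run of `AuthFailed` rows for one account, or connections at unusual hours in `FirstSeen`/`LastSeen`, are the rows worth reviewing first in the weekly report.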

 

 

 

@Clive Watson 

Looks great!

I'll try it certainly.

 

Thank you.

oh's