Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Monitoring Remote VPN Login Failures via Log Analyzer

Hello All,

Recently we faced an issue related to remote VPN user login failures, and we are trying to improve monitoring for this scenario.

I have configured an alert in SolarWinds Log Analyzer using the following log condition:

err apmd[5787]: 0149020a:3: /Common/ADFS-SP.app/ADFS-SP:Common:b6ecb817:SAML Agent: /Common/ADFS-SP.app/ADFS-SP_saml_auth_agSAML assertion is invalid, error: Invalid Session,possible use of different host names to access SAML SP

This appears to be related to a SAML authentication failure during VPN login.

I would like to confirm:

Is this the correct log pattern to monitor remote VPN login failures?
Has anyone implemented a better filtering or alerting method for similar SAML authentication errors?
Are there recommended best practices for monitoring VPN authentication failures in Log Analyzer?

Any suggestions or experiences would be greatly appreciated.

Thank you.

Find more posts tagged with

alert custom properties

network_monitoring

f5 big ip

Alerts

alerlog

Comments

Lofstrand

Hi @abadshahc

Different vendors show VPN login failures in different ways. And different cause of issues might be logged in different ways.

So I you have issues from time to time, that give you above error - then it could be a good way of doing it. I would probably use only a part of that string, like

SAML Agent: /Common/ADFS-SP.app/ADFS-SP_saml_auth_agSAML assertion is invalid, error:

and potentially add some conditions, like source have to be the VPN devices.

But if this works in your environment, then good :-)

Quick Links

Cisco ASR Devices
Cisco ASR Devices.pollerCisco ASR Devices
Basic SWQL Syntax
SWQL is built on the framework of SQL and as such supports most of the standard clauses as part of a query. A very simple example query is: SELECT Caption, IPAddress, Vendor, ResponseTime FROM Orion.Nodes Dissecting this query is relatively straightforward: show some fields (Caption, IP address, Vendor, and Response Time)…
Cisco ASA SSL Tunnels
Active SSL Tunnels-ASA.UnDPThis poller *should* display the number of Active SSL VPN (Anyconnect) Tunnels currently connected to your box. However, I tried it with my 5520 running 8.0.4 and for some reason I get a OID Not Supported. Here's my post in the forum: *EDIT* This is confirmed working with at least Interm release…
HP ProCurve Switches Hardening check
HP ProCurve Switches Hardening check.xmlGeneral hardening for HP switches