OpenVPN
Overview
OpenVPN is an open-source virtual private network (VPN) software, offering robust encryption, secure connectivity, flexible and reliable remote access to networks for individuals and businesses globally.
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Host network interface |
every packets are logged and information on the outcome, the source/destination are extracted |
Web logs |
OpenVPN provide information about the connected client and the requested resource |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | `` |
| Category | authentication, network |
| Type | info, start |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "2023-10-31 15:09:55 client01,10.8.0.4,",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"client": {
"address": "client01",
"domain": "client01",
"nat": {
"ip": "10.8.0.4"
}
},
"related": {
"hosts": [
"client01"
],
"ip": [
"10.8.0.4"
]
}
}
{
"message": "2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: Learn: 10.8.0.6 -> client01/165.225.204.88:59321",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:59Z",
"client": {
"address": "client01",
"domain": "client01",
"ip": "165.225.204.88",
"nat": {
"ip": "10.8.0.6"
},
"port": 59321
},
"related": {
"hosts": [
"client01"
],
"ip": [
"10.8.0.6",
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: primary virtual IP for client01/165.225.204.88:59321: 10.8.0.6",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:59Z",
"client": {
"address": "client01",
"domain": "client01",
"ip": "165.225.204.88",
"nat": {
"ip": "10.8.0.6"
},
"port": 59321
},
"related": {
"hosts": [
"client01"
],
"ip": [
"10.8.0.6",
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:09:59 165.225.204.88:59321 [client01] Peer Connection Initiated with [AF_INET]165.225.204.88:59321",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:59Z",
"client": {
"address": "client01",
"domain": "client01",
"ip": "165.225.204.88",
"port": 59321
},
"related": {
"hosts": [
"client01"
],
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=1, CN=Easy-RSA CA",
"event": {
"category": [
"network"
],
"reason": "VERIFY OK: depth=1, CN=Easy-RSA CA",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=0, CN=client01",
"event": {
"category": [
"network"
],
"reason": "VERIFY OK: depth=0, CN=client01",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUB=1",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_COMP_STUB=1",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUBv2=1",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_COMP_STUBv2=1",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:10:21 SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)",
"event": {
"category": [
"network"
],
"reason": "SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:10:21Z"
}
{
"message": "2023-10-31 15:09:55 Diffie-Hellman initialized with 2048 bit key",
"event": {
"category": [
"network"
],
"reason": "Diffie-Hellman initialized with 2048 bit key",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:09:55 net_route_v4_best_gw query: dst 0.0.0.0",
"event": {
"category": [
"network"
],
"reason": "net_route_v4_best_gw query: dst 0.0.0.0",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:09:55 Could not determine IPv4/IPv6 protocol. Using AF_INET",
"event": {
"category": [
"network"
],
"reason": "Could not determine IPv4/IPv6 protocol. Using AF_INET",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:09:55 Socket Buffers: R=[212992->212992] S=[212992->212992]",
"event": {
"category": [
"network"
],
"reason": "Socket Buffers: R=[212992->212992] S=[212992->212992]",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:09:55 UDPv4 link local (bound): [AF_INET][undef]:1194",
"event": {
"category": [
"network"
],
"reason": "UDPv4 link local (bound): [AF_INET][undef]:1194",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:09:55 UDPv4 link remote: [AF_UNSPEC]",
"event": {
"category": [
"network"
],
"reason": "UDPv4 link remote: [AF_UNSPEC]",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:09:55 MULTI: multi_init called, r=256 v=256",
"event": {
"category": [
"network"
],
"reason": "MULTI: multi_init called, r=256 v=256",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_VER=2.6.6",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_VER=2.6.6",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:09:55 IFCONFIG POOL IPv4: base=10.8.0.4 size=62",
"event": {
"category": [
"network"
],
"reason": "IFCONFIG POOL IPv4",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"client": {
"address": "10.8.0.4",
"ip": "10.8.0.4"
},
"related": {
"ip": [
"10.8.0.4"
]
}
}
{
"message": "2023-10-31 15:09:55 ifconfig_pool_read(), in='client01,10.8.0.4,'",
"event": {
"category": [
"network"
],
"reason": "ifconfig_pool_read",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"client": {
"address": "client01",
"domain": "client01",
"ip": "10.8.0.4"
},
"related": {
"hosts": [
"client01"
],
"ip": [
"10.8.0.4"
]
}
}
{
"message": "2023-10-31 15:09:55 succeeded -> ifconfig_pool_set(hand=0)",
"event": {
"category": [
"network"
],
"reason": "succeeded -> ifconfig_pool_set(hand=0)",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:09:55 IFCONFIG POOL LIST",
"event": {
"category": [
"network"
],
"reason": "IFCONFIG POOL LIST",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:12:13 event_wait : Interrupted system call (code=4)",
"event": {
"category": [
"network"
],
"reason": "event_wait : Interrupted system call (code=4)",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:12:13Z"
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PLAT=linux",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_PLAT=linux",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_TCPNL=1",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_TCPNL=1",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_MTU=1600",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_MTU=1600",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_NCP=2",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_NCP=2",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PROTO=990",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_PROTO=990",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_LZO_STUB=1",
"event": {
"category": [
"network"
],
"reason": "peer info: IV_LZO_STUB=1",
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
}
}
{
"message": "2023-10-31 15:09:55 ROUTE_GATEWAY 172.31.32.1/255.255.240.0 IFACE=eth0 HWADDR=0e:dd:8a:3b:b1:86",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"observer": {
"egress": {
"interface": {
"name": "eth0"
}
},
"mac": "0e:dd:8a:3b:b1:86"
}
}
{
"message": "2023-10-31 15:09:55 net_route_v4_best_gw result: via 172.31.32.1 dev eth0",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"observer": {
"egress": {
"interface": {
"name": "eth0"
}
}
}
}
{
"message": "Incorrect password supplied for LDAP DN \"CN=DOE john,OU=users,DC=example,DC=org\".",
"event": {
"category": [
"authentication"
],
"outcome": "failure",
"type": [
"start"
]
},
"related": {
"user": [
"DOE john"
]
},
"user": {
"domain": "example.org",
"name": "DOE john"
}
}
{
"message": "2023-10-31 15:09:55 LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 52e, v3839)",
"event": {
"category": [
"authentication"
],
"outcome": "failure",
"type": [
"start"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "2023-10-31 15:09:55 ldap_bind with zero-length password is forbidden.",
"event": {
"category": [
"authentication"
],
"outcome": "failure",
"type": [
"start"
]
},
"@timestamp": "2023-10-31T15:09:55Z"
}
{
"message": "LDAP user \"xxxxxxx\" was not found.",
"event": {
"category": [
"authentication"
],
"outcome": "failure",
"type": [
"start"
]
},
"related": {
"user": [
"xxxxxxx"
]
},
"user": {
"name": "xxxxxxx"
}
}
{
"message": "Unable to bind as XXX",
"event": {
"category": [
"authentication"
],
"outcome": "failure",
"type": [
"start"
]
},
"related": {
"user": [
"XXX"
]
},
"user": {
"name": "XXX"
}
}
{
"message": "2023-10-31 15:11:18 165.225.204.88:62586 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:11:18Z",
"client": {
"address": "165.225.204.88",
"ip": "165.225.204.88",
"port": 62586
},
"related": {
"ip": [
"165.225.204.88"
]
},
"tls": {
"cipher": "TLS_AES_256_GCM_SHA384",
"version": "v1.3"
}
}
{
"message": "2023-10-31 15:09:55 TUN/TAP device tun0 opened",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"observer": {
"ingress": {
"interface": {
"name": "tun0"
}
}
}
}
{
"message": "2023-10-31 15:09:55 net_iface_mtu_set: mtu 1500 for tun0",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"observer": {
"ingress": {
"interface": {
"name": "tun0"
}
}
}
}
{
"message": "2023-10-31 15:09:55 net_iface_up: set tun0 up",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"observer": {
"ingress": {
"interface": {
"name": "tun0"
}
}
}
}
{
"message": "2023-10-31 15:09:55 net_addr_ptp_v4_add: 10.8.0.1 peer 10.8.0.2 dev tun0",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"observer": {
"ingress": {
"interface": {
"name": "tun0"
}
},
"ip": "10.8.0.1"
},
"openvpn": {
"peer": {
"ip": "10.8.0.2"
}
},
"related": {
"ip": [
"10.8.0.1"
]
}
}
{
"message": "2023-10-31 15:09:55 net_route_v4_add: 10.8.0.0/24 via 10.8.0.2 dev [NULL] table 0 metric -1",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"@timestamp": "2023-10-31T15:09:55Z",
"openvpn": {
"peer": {
"ip": "10.8.0.2"
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
client.domain |
keyword |
The domain name of the client. |
client.ip |
ip |
IP address of the client. |
client.nat.ip |
ip |
Client NAT ip address |
client.port |
long |
Port of the client. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.outcome |
keyword |
The outcome of the event. The lowest level categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
observer.egress.interface.name |
keyword |
Interface name |
observer.ingress.interface.name |
keyword |
Interface name |
observer.ip |
ip |
IP addresses of the observer. |
observer.mac |
keyword |
MAC addresses of the observer. |
openvpn.peer.ip |
keyword |
OpenVPN peer IP |
tls.cipher |
keyword |
String indicating the cipher used during the current connection. |
tls.version |
keyword |
Numeric part of the version parsed from the original string. |
user.domain |
keyword |
Name of the directory the user is a member of. |
user.name |
keyword |
Short name or login of the user. |
Configure
This setup guide will show you how to forward your OpenVPN logs to Sekoia.io by means of a syslog transport channel.
Prerequisites
- Have an internal log concentrator (Rsyslog)
Enable Syslog forwarding
-
Open the OpenVPN server configuration file (commonly found in
/etc/openvpn/server.conf) using your preferred text editor.Add or modify the following lines:
verb 3 # Adjust verbosity level if needed log-append /var/log/openvpn.log # Specify the log file path log /dev/null # Disable OpenVPN's built-in logging to fileHere,
verb 3sets the logging verbosity level,log-appendspecifies the log file path where OpenVPN logs will be written, andlog /dev/nullensures that OpenVPN doesn't log to its internal log file. -
Ensure that the syslog daemon (e.g., rsyslog or syslog-ng) is properly set up and configured on your system.
These daemons are responsible for receiving and managing log messages from various services.
OpenVPN will log its messages to the specified log file (
/var/log/openvpn.login the above example).Syslog will be responsible for picking up these messages and handling them according to its configuration.
-
Syslog Configuration
Configure the syslog server to send the event to our log concentrator.
If you are using rsyslog, you might need to create a specific configuration file for OpenVPN to tell the syslog daemon where to send the logs.
Create a new file, for instance,
/etc/rsyslog.d/openvpn.conf, and add the following line::programname, isequal, "openvpn" @<ip of the log concentrator> -
Restart Services
Restart the OpenVPN service to apply the changes to the configuration file:
sudo systemctl restart openvpn sudo systemctl restart rsyslog # Use appropriate command for your syslog daemon
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.
Create the intake
Go to the intake page and create a new intake from the format OpenVPN.