Skip to content

OpenVPN

Overview

OpenVPN is an open-source virtual private network (VPN) software, offering robust encryption, secure connectivity, flexible and reliable remote access to networks for individuals and businesses globally.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Host network interface every packets are logged and information on the outcome, the source/destination are extracted
Web logs OpenVPN provide information about the connected client and the requested resource

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category network
Type info

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "2023-10-31 15:09:55 client01,10.8.0.4,",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "client": {
        "address": "client01",
        "domain": "client01",
        "nat": {
            "ip": "10.8.0.4"
        }
    },
    "related": {
        "hosts": [
            "client01"
        ],
        "ip": [
            "10.8.0.4"
        ]
    }
}
{
    "message": "2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: Learn: 10.8.0.6 -> client01/165.225.204.88:59321",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:59Z",
    "client": {
        "address": "client01",
        "domain": "client01",
        "ip": "165.225.204.88",
        "nat": {
            "ip": "10.8.0.6"
        },
        "port": 59321
    },
    "related": {
        "hosts": [
            "client01"
        ],
        "ip": [
            "10.8.0.6",
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:09:59 client01/165.225.204.88:59321 MULTI: primary virtual IP for client01/165.225.204.88:59321: 10.8.0.6",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:59Z",
    "client": {
        "address": "client01",
        "domain": "client01",
        "ip": "165.225.204.88",
        "nat": {
            "ip": "10.8.0.6"
        },
        "port": 59321
    },
    "related": {
        "hosts": [
            "client01"
        ],
        "ip": [
            "10.8.0.6",
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:09:59 165.225.204.88:59321 [client01] Peer Connection Initiated with [AF_INET]165.225.204.88:59321",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:59Z",
    "client": {
        "address": "client01",
        "domain": "client01",
        "ip": "165.225.204.88",
        "port": 59321
    },
    "related": {
        "hosts": [
            "client01"
        ],
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=1, CN=Easy-RSA CA",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "VERIFY OK: depth=1, CN=Easy-RSA CA",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 VERIFY OK: depth=0, CN=client01",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "VERIFY OK: depth=0, CN=client01",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUB=1",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_COMP_STUB=1",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_COMP_STUBv2=1",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_COMP_STUBv2=1",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:10:21 SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "SENT CONTROL [client01]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 1,cipher AES-256-GCM' (status=1)",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:10:21Z"
}
{
    "message": "2023-10-31 15:09:55 Diffie-Hellman initialized with 2048 bit key",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "Diffie-Hellman initialized with 2048 bit key",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z"
}
{
    "message": "2023-10-31 15:09:55 net_route_v4_best_gw query: dst 0.0.0.0",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "net_route_v4_best_gw query: dst 0.0.0.0",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z"
}
{
    "message": "2023-10-31 15:09:55 Could not determine IPv4/IPv6 protocol. Using AF_INET",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "Could not determine IPv4/IPv6 protocol. Using AF_INET",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z"
}
{
    "message": "2023-10-31 15:09:55 Socket Buffers: R=[212992->212992] S=[212992->212992]",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "Socket Buffers: R=[212992->212992] S=[212992->212992]",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z"
}
{
    "message": "2023-10-31 15:09:55 UDPv4 link local (bound): [AF_INET][undef]:1194",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "UDPv4 link local (bound): [AF_INET][undef]:1194",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z"
}
{
    "message": "2023-10-31 15:09:55 UDPv4 link remote: [AF_UNSPEC]",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "UDPv4 link remote: [AF_UNSPEC]",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z"
}
{
    "message": "2023-10-31 15:09:55 MULTI: multi_init called, r=256 v=256",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "MULTI: multi_init called, r=256 v=256",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z"
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_VER=2.6.6",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_VER=2.6.6",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:09:55 IFCONFIG POOL IPv4: base=10.8.0.4 size=62",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "IFCONFIG POOL IPv4",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "client": {
        "address": "10.8.0.4",
        "ip": "10.8.0.4"
    },
    "related": {
        "ip": [
            "10.8.0.4"
        ]
    }
}
{
    "message": "2023-10-31 15:09:55 ifconfig_pool_read(), in='client01,10.8.0.4,'",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "ifconfig_pool_read",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "client": {
        "address": "client01",
        "domain": "client01",
        "ip": "10.8.0.4"
    },
    "related": {
        "hosts": [
            "client01"
        ],
        "ip": [
            "10.8.0.4"
        ]
    }
}
{
    "message": "2023-10-31 15:09:55 succeeded -> ifconfig_pool_set(hand=0)",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "succeeded -> ifconfig_pool_set(hand=0)",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z"
}
{
    "message": "2023-10-31 15:09:55 IFCONFIG POOL LIST",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "IFCONFIG POOL LIST",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z"
}
{
    "message": "2023-10-31 15:12:13 event_wait : Interrupted system call (code=4)",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "event_wait : Interrupted system call (code=4)",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:12:13Z"
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PLAT=linux",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_PLAT=linux",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_TCPNL=1",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_TCPNL=1",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_MTU=1600",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_MTU=1600",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_NCP=2",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_NCP=2",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_PROTO=990",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_PROTO=990",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 peer info: IV_LZO_STUB=1",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "reason": "peer info: IV_LZO_STUB=1",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    }
}
{
    "message": "2023-10-31 15:09:55 ROUTE_GATEWAY 172.31.32.1/255.255.240.0 IFACE=eth0 HWADDR=0e:dd:8a:3b:b1:86",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "observer": {
        "egress": {
            "interface": {
                "name": "eth0"
            }
        },
        "mac": "0e:dd:8a:3b:b1:86"
    }
}
{
    "message": "2023-10-31 15:09:55 net_route_v4_best_gw result: via 172.31.32.1 dev eth0",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "observer": {
        "egress": {
            "interface": {
                "name": "eth0"
            }
        }
    }
}
{
    "message": "2023-10-31 15:11:18 165.225.204.88:62586 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:11:18Z",
    "client": {
        "address": "165.225.204.88",
        "ip": "165.225.204.88",
        "port": 62586
    },
    "related": {
        "ip": [
            "165.225.204.88"
        ]
    },
    "tls": {
        "cipher": "TLS_AES_256_GCM_SHA384",
        "version": "v1.3"
    }
}
{
    "message": "2023-10-31 15:09:55 TUN/TAP device tun0 opened",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "observer": {
        "ingress": {
            "interface": {
                "name": "tun0"
            }
        }
    }
}
{
    "message": "2023-10-31 15:09:55 net_iface_mtu_set: mtu 1500 for tun0",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "observer": {
        "ingress": {
            "interface": {
                "name": "tun0"
            }
        }
    }
}
{
    "message": "2023-10-31 15:09:55 net_iface_up: set tun0 up",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "observer": {
        "ingress": {
            "interface": {
                "name": "tun0"
            }
        }
    }
}
{
    "message": "2023-10-31 15:09:55 net_addr_ptp_v4_add: 10.8.0.1 peer 10.8.0.2 dev tun0",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "observer": {
        "ingress": {
            "interface": {
                "name": "tun0"
            }
        },
        "ip": "10.8.0.1"
    },
    "openvpn": {
        "peer": {
            "ip": "10.8.0.2"
        }
    },
    "related": {
        "ip": [
            "10.8.0.1"
        ]
    }
}
{
    "message": "2023-10-31 15:09:55 net_route_v4_add: 10.8.0.0/24 via 10.8.0.2 dev [NULL] table 0 metric -1",
    "event": {
        "category": [
            "network"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-31T15:09:55Z",
    "openvpn": {
        "peer": {
            "ip": "10.8.0.2"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
client.domain keyword The domain name of the client.
client.ip ip IP address of the client.
client.nat.ip ip Client NAT ip address
client.port long Port of the client.
event.category keyword Event category. The second categorization field in the hierarchy.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
observer.egress.interface.name keyword Interface name
observer.ingress.interface.name keyword Interface name
observer.ip ip IP addresses of the observer.
observer.mac keyword MAC addresses of the observer.
openvpn.peer.ip keyword OpenVPN peer IP
tls.cipher keyword String indicating the cipher used during the current connection.
tls.version keyword Numeric part of the version parsed from the original string.

Configure

This setup guide will show you how to forward your OpenVPN logs to Sekoia.io by means of a syslog transport channel.

Prerequisites

  • Have an internal log concentrator (Rsyslog)

Enable Syslog forwarding

  1. Open the OpenVPN server configuration file (commonly found in /etc/openvpn/server.conf) using your preferred text editor.

    Add or modify the following lines:

    verb 3        # Adjust verbosity level if needed
    log-append /var/log/openvpn.log   # Specify the log file path
    log /dev/null  # Disable OpenVPN's built-in logging to file
    

    Here, verb 3 sets the logging verbosity level, log-append specifies the log file path where OpenVPN logs will be written, and log /dev/null ensures that OpenVPN doesn't log to its internal log file.

  2. Ensure that the syslog daemon (e.g., rsyslog or syslog-ng) is properly set up and configured on your system.

    These daemons are responsible for receiving and managing log messages from various services.

    OpenVPN will log its messages to the specified log file (/var/log/openvpn.log in the above example).

    Syslog will be responsible for picking up these messages and handling them according to its configuration.

  3. Syslog Configuration

    Configure the syslog server to send the event to our log concentrator.

    If you are using rsyslog, you might need to create a specific configuration file for OpenVPN to tell the syslog daemon where to send the logs.

    Create a new file, for instance, /etc/rsyslog.d/openvpn.conf, and add the following line:

    :programname, isequal, "openvpn" @<ip of the log concentrator>
    
  4. Restart Services

    Restart the OpenVPN service to apply the changes to the configuration file:

    sudo systemctl restart openvpn
    sudo systemctl restart rsyslog    # Use appropriate command for your syslog daemon
    

Forward logs to Sekoia.io

Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.

Create the intake

Go to the intake page and create a new intake from the format OpenVPN.