VPN logs streamed to SIEM
Demonstrate that VPN authentication and session logs are continuously streamed to the SIEM platform, enabling centralized monitoring and timely detection of remote access anomalies.
Description
What this control does
This control ensures that all authentication, connection, and session logs generated by Virtual Private Network (VPN) infrastructure are forwarded in real time or near real time to a centralized Security Information and Event Management (SIEM) platform. VPN logs include successful and failed login attempts, source IP addresses, user identities, connection duration, data transfer volumes, and disconnection events. Centralizing these logs enables correlation with other security telemetry, rapid detection of unauthorized access attempts, and forensic investigation of potential breaches originating from remote access channels.
Control objective
What auditing this proves
Demonstrate that VPN authentication and session logs are continuously streamed to the SIEM platform, enabling centralized monitoring and timely detection of remote access anomalies.
Associated risks
Risks this control addresses
- Delayed detection of credential stuffing or brute-force attacks against VPN endpoints due to a lack of centralized visibility
- Inability to correlate VPN access events with lateral movement or data exfiltration activity detected on internal systems
- Loss of forensic evidence if VPN appliances are compromised or logs are locally overwritten before collection
- Undetected unauthorized access from high-risk geographies or anomalous source IP addresses not flagged in real time
- Failure to identify use of compromised or shared credentials across multiple simultaneous VPN sessions
- Non-compliance with regulatory requirements mandating centralized logging and retention of remote access events
- Incomplete incident timelines during breach investigations due to missing or delayed VPN telemetry
Testing procedure
How an auditor verifies this control
- Obtain the current inventory of all VPN concentrators, gateways, and remote access servers in scope for the audit period.
- Review SIEM configuration files or management console settings to identify configured log sources and verify each VPN device is listed as an active forwarder.
- Inspect VPN device configurations (syslog, SNMP, or agent-based forwarding settings) to confirm destination SIEM IP addresses, ports, protocols, and log severity levels.
- Query the SIEM for a sample of recent VPN log entries (authentication success, authentication failure, session start, session end) from each VPN device covering the past 72 hours.
- Compare timestamps between a VPN device's local logs (if accessible) and corresponding SIEM ingestion timestamps to measure log transmission latency.
- Verify that critical event types (failed logins, privilege escalation, policy violations, configuration changes) are included in the forwarded log stream by searching SIEM records.
- Test log continuity by identifying any gaps exceeding acceptable thresholds (e.g., more than 5 minutes) in the SIEM ingestion timeline for each VPN source.
- Review SIEM alerting rules or correlation policies configured to detect anomalous VPN activity (e.g., impossible travel, repeated failures, off-hours access) to confirm log data is operationally utilized.
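The continuity, latency and event-coverage checks in the procedure above (steps 3 through 7) can be scripted against a SIEM export rather than eyeballed. The following Python script is an added example written for this page; it is not part of any SIEM product or VPN vendor tooling. The flat record format, the field names (source, event_type, device_ts, ingest_ts), the gateway names and the 60-second latency ceiling are assumptions you would map to your own environment; the 5-minute gap threshold is the one the procedure names.

```python
"""Audit helper for the 'VPN logs streamed to SIEM' control.

Checks, per VPN source in the inventory: (1) records exist in the audit
window, (2) no ingestion gap exceeds the threshold, (3) device-to-SIEM
forwarding latency stays under a ceiling, (4) the critical event types the
control requires are present in the forwarded stream.  Record format and
field names are assumptions; adapt them to your SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Inventory of in-scope VPN sources (constructed sample, step 1 of the procedure).
VPN_INVENTORY = ["vpn-gw-01", "vpn-gw-02", "vpn-gw-03"]

# Event types the control expects in the forwarded stream (assumed naming).
CRITICAL_EVENT_TYPES = {"auth_failure", "config_change", "policy_violation"}

MAX_GAP = timedelta(minutes=5)       # threshold named in the testing procedure
MAX_LATENCY = timedelta(seconds=60)  # assumed audit parameter, not from the page


def _ts(value):
    """Parse an ISO-8601 timestamp (assumed UTC) into an aware datetime."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def _rec(source, event_type, device_ts, ingest_ts):
    return {"source": source, "event_type": event_type,
            "device_ts": device_ts, "ingest_ts": ingest_ts}


# Constructed SIEM export: device timestamp vs. SIEM ingestion timestamp.
SAMPLE_RECORDS = [
    # vpn-gw-01: fast forwarding, all critical types present, but a 9-minute hole
    _rec("vpn-gw-01", "auth_success",     "2024-05-01T08:00:00", "2024-05-01T08:00:02"),
    _rec("vpn-gw-01", "auth_failure",     "2024-05-01T08:02:00", "2024-05-01T08:02:03"),
    _rec("vpn-gw-01", "session_start",    "2024-05-01T08:04:00", "2024-05-01T08:04:01"),
    _rec("vpn-gw-01", "config_change",    "2024-05-01T08:13:00", "2024-05-01T08:13:04"),
    _rec("vpn-gw-01", "policy_violation", "2024-05-01T08:15:00", "2024-05-01T08:15:02"),
    _rec("vpn-gw-01", "session_end",      "2024-05-01T08:17:00", "2024-05-01T08:17:01"),
    # vpn-gw-02: slow forwarding, no config_change events, goes silent before window end
    _rec("vpn-gw-02", "auth_success",     "2024-05-01T08:00:00", "2024-05-01T08:03:00"),
    _rec("vpn-gw-02", "auth_failure",     "2024-05-01T08:03:00", "2024-05-01T08:05:30"),
    _rec("vpn-gw-02", "policy_violation", "2024-05-01T08:06:00", "2024-05-01T08:06:05"),
    _rec("vpn-gw-02", "session_end",      "2024-05-01T08:09:00", "2024-05-01T08:09:01"),
    # vpn-gw-03: in the inventory but never forwards anything
]
AUDIT_WINDOW = (_ts("2024-05-01T08:00:00"), _ts("2024-05-01T08:18:00"))


def group_by_source(records):
    """Group records as (device_ts, ingest_ts, event_type), sorted by ingestion time."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["source"]].append((_ts(r["device_ts"]), _ts(r["ingest_ts"]), r["event_type"]))
    for events in grouped.values():
        events.sort(key=lambda e: e[1])
    return grouped


def find_gaps(events, window_start, window_end, max_gap=MAX_GAP):
    """Return (gap_start, gap_end) pairs with no ingestion for longer than max_gap.
    The window edges are included, so a source that falls silent is flagged too."""
    points = [window_start] + [e[1] for e in events] + [window_end]
    return [(prev, cur) for prev, cur in zip(points, points[1:]) if cur - prev > max_gap]


def max_latency(events):
    """Largest device-to-SIEM delay observed (step 4 of the procedure)."""
    return max((ingest - device for device, ingest, _ in events), default=timedelta(0))


def missing_event_types(events, required=CRITICAL_EVENT_TYPES):
    """Critical event types never seen from this source (step 5 of the procedure)."""
    return required - {e[2] for e in events}


def audit_vpn_log_stream(inventory, records, window_start, window_end):
    """Return {source: [finding strings]}; an empty list means the source passed."""
    grouped = group_by_source(records)
    report = {}
    for source in inventory:
        events = grouped.get(source, [])
        if not events:
            report[source] = ["no records ingested in audit window"]
            continue
        findings = [f"ingestion gap {s.time()}-{e.time()} ({e - s})"
                    for s, e in find_gaps(events, window_start, window_end)]
        lat = max_latency(events)
        if lat > MAX_LATENCY:
            findings.append(f"max forwarding latency {lat} exceeds {MAX_LATENCY}")
        missing = missing_event_types(events)
        if missing:
            findings.append("critical event types absent: " + ", ".join(sorted(missing)))
        report[source] = findings
    for source in grouped:  # forwarders the inventory does not know about
        if source not in inventory:
            report[source] = ["forwarder not in VPN inventory"]
    return report


def run_sample_audit():
    return audit_vpn_log_stream(VPN_INVENTORY, SAMPLE_RECORDS, *AUDIT_WINDOW)


if __name__ == "__main__":
    for source, findings in run_sample_audit().items():
        print(source, "PASS" if not findings else "; ".join(findings))
```

Gaps are measured on the SIEM ingestion timestamps, not the device timestamps, because the procedure asks about the ingestion timeline; latency is the difference between the two. Including the window edges in the gap check is what catches a forwarder that stopped mid-window, which a pairwise comparison of consecutive records alone would miss.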
Where this control is tested