Skip to main content


Splunk Lantern

Virtual private network data


Virtual private networks (VPNs) are a way of building a secure extension of a private network over an insecure, public one. VPNs can be established either between networks, routing all traffic between two sites, or between a client device and a network. Network-to-network VPNs typically are created using strong credentials such as certificates on each end of the connection. Client-to-network VPNs rely on user authentication, which can be as simple as a username and password. VPNs use network tunneling protocols such as IPSec, OpenVPN plus SSL or L2TP with cryptographically strong algorithms to scramble information in transit and ensure end-to-end data integrity.

VPN logs help analyze users coming onto the network. This information can be used in a number of ways, including situational awareness, monitoring foreign IP subnets, and compliance monitoring of browsers and applications of connected hosts. Connection logs are generated by the majority of VPN devices and services. Information included in these logs reflects activity such as login/logout, dates, times, remote IP addresses, and user login names. Usage logs provide activity data that includes online browsing history and activity that reflects a user's navigation and access of network resources during the session. In the Common Information Model, VPN data is typically mapped to the Network Sessions data model and Authentication data model

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: