Log all VPN connection events:
- Connection attempts (successful and failed)
- Source IP addresses
- Authentication methods used
- Duration of sessions
- Bytes transferred
Failed authentication attempts indicate credential attacks. Connections from unusual locations suggest compromised accounts. Long-running sessions with high data transfer warrant investigation. Send logs to your SIEM for correlation with other security events.