Monitoring Secure Socket Tunneling Protocol (SSTP) VPN session duration and usage is critical for capacity planning, security auditing, billing and compliance. SSTP is commonly deployed on Windows RRAS, SoftEther and some gateway appliances; its reliance on TLS and HTTP/S transport makes traffic analysis and session tracking slightly different from other VPN types. This article provides practical, technical guidance and tools for capturing accurate session durations, bandwidth usage, and activity patterns, aimed at site administrators, enterprise operators and developers who manage dedicated-IP VPN infrastructure.

What to measure and why

Before choosing tools or designing a pipeline, define the metrics you need. Typical measurements include:

  • Session start and stop timestamps — true session duration
  • Interim updates — keepalive/reauth events that indicate a continued session
  • Total bytes in/out per session — used for billing and capacity planning
  • Peak throughput and per-second rates — for QoS and scaling
  • Concurrent session counts — for license and capacity limits
  • Source/destination IPs and assigned virtual IP — for auditing and anomaly detection
  • Authentication method and user/group — helps with policy and security

Primary data sources for SSTP session information

Combining multiple sources increases fidelity and reduces blind spots. Common sources:

RADIUS accounting

RADIUS accounting (Acct-Status-Type = Start/Stop/Interim-Update) is the most reliable centralized source for session lifecycle and byte counters. When SSTP servers are configured to use RADIUS (e.g., Microsoft NPS or FreeRADIUS), each session generates accounting records with user, NAS-IP, framed-IP-address, Acct-Start-Time, Acct-Stop-Time and Acct-Output-Octets/Acct-Input-Octets. Configure short interval Interim-Update (e.g., 5 minutes) to get near real-time usage reporting and to mitigate loss due to unclean disconnects.

VPN server logs (RRAS, SoftEther, appliances)

Windows RRAS emits tracing logs and event logs; SoftEther and other platforms have their own verbose logs. For RRAS, enable Remote Access logging and the RemoteAccess-Operational channel to capture connection events. For appliances, enable session and accounting logging. Parse these logs for session start/stop events and correlation IDs if RADIUS is absent.

Network flow telemetry (NetFlow/IPFIX/sFlow)

NetFlow or IPFIX records from edge routers provide byte-level flow counters and can be correlated with session timeframes to calculate per-session throughput and detect large transfers. Because SSTP encapsulates traffic over TCP/443, you need to correlate flows by the assigned virtual IP (framed-IP) or by source NAT IP if virtual IPs are not available.

SNMP and system metrics

SNMP counters offer total interface bytes and concurrent session counts on some devices. Use SNMP for coarse-grained tracking (aggregate throughput and interface errors). Combine SNMP polling with flow and accounting data for completeness.

Recommended monitoring architecture

The following architecture balances real-time needs, historical analysis, and scalability:

  • Ingest RADIUS accounting and VPN server logs into a centralized queue (e.g., Kafka, Redis, or a simple file shipper like Filebeat).
  • Use a processing layer (Logstash, Fluentd, or custom service) to normalize records into a canonical session model.
  • Store short-term time series in Prometheus or InfluxDB for real-time dashboards and alerting.
  • Store long-term session and per-user aggregates in a relational or analytical store (PostgreSQL, ClickHouse, or Elasticsearch) for reporting and billing.
  • Visualize with Grafana for metrics and Kibana/Grafana for log-based queries.

Canonical session data model

Create a normalized schema to enable easy queries. Example fields (SQL-friendly):

  • session_id (varchar) — unique identifier (RADIUS Acct-Session-Id or generated hash)
  • username (varchar)
  • nas_ip (inet)
  • virtual_ip (inet)
  • start_time (timestamp)
  • stop_time (timestamp nullable)
  • last_update_time (timestamp)
  • input_bytes bigint
  • output_bytes bigint
  • max_bps integer (optional)
  • auth_method varchar
  • disconnect_reason varchar

Populate and update the row on Start, Interim-Update and Stop accounting messages. For robustness, use transactions or upserts when updating by session_id.

Practical tooling and examples

RADIUS accounting with FreeRADIUS + PostgreSQL

FreeRADIUS can write accounting records directly to SQL. Configure the accounting SQL module to insert into your session table. Use Acct-Status-Type to determine action: Start = insert, Interim-Update = update bytes and last_update_time, Stop = update stop_time and final bytes. Enable delayed interim handling to guard against duplicate accounting packets.

Windows RRAS: Remote Access PowerShell

Modern Windows Server provides RemoteAccess PowerShell cmdlets. Useful commands include Get-RemoteAccessConnectionStatistics and Get-RemoteAccessConnection. Example workflow:

1) Query active connections periodically to capture concurrent session counts and assigned IPs.

2) Correlate with NPS accounting records. If you cannot rely on RADIUS, poll Get-RemoteAccessConnection to infer session starts and ends and write to the canonical store.

Parsing logs with regex and Logstash

Use Logstash grok patterns or Fluentd parsers to extract session IDs, usernames and timestamps. Example grok patterns should capture common tokens like “Acct-Session-Id=”, “User-Name=” and byte counters. Implement rate-limiting and backoff to avoid parsing overload during bursts.

NetFlow/IPFIX correlation

Collect flows at the network edge and export to a collector (nfdump, nfsen, or commercial collectors). To compute bytes per VPN session, filter flows where the source or destination equals the virtual IP assigned to the user. Join by time window and session_id to compute per-session totals and peak rates. For NATed traffic, correlate by remote peer IP and unique TCP 5-tuple if necessary.

Alerting and dashboards

Create operational alerts and user-facing reports:

  • Alert on sudden spike in session count or aggregate throughput — possible attack or configuration issue
  • Alert when sessions exceed policy duration or bandwidth quotas
  • Dashboards showing active sessions, top talkers, bytes per user, and 24/7 trend lines
  • Billing reports that aggregate bytes per user per billing interval

Use Grafana for metric dashboards and configure Prometheus alertmanager to send email, Slack or webhook alerts on thresholds. For log-based anomalies (e.g., repeated failed reauth), use Elasticsearch + Kibana or the ELK stack.

Handling edge cases and inaccuracies

Plan for these common issues:

  • Unclean disconnects: If a client disappears without sending a Stop record, rely on Interim-Update aging and RADIUS timeouts. Implement server-side session expiration after N minutes of inactivity and mark stop_time accordingly.
  • Accounting duplication: Use idempotent upserts keyed by session_id and handle duplicate packets by comparing last_update_time.
  • NAT and shared public IPs: If virtual IPs are not unique, enrich records with TCP/UDP ports or allocate unique session cookies on authentication to correlate flows.
  • Clock skew: Ensure all systems use NTP to avoid mismatched timestamps between RADIUS, VPN servers and flow collectors.

Performance and storage considerations

High-volume VPN services can generate large amounts of accounting and flow data. Recommendations:

  • Compress and partition logs by date and customer to speed queries.
  • Use columnar databases (ClickHouse) for long-term analytic workloads when you need fast aggregations over billions of rows.
  • Store raw Interim-Update frequency at a reasonable interval (e.g., 5–15 minutes) to balance granularity and storage.
  • Archive older raw data but keep aggregates (daily/weekly) for billing and compliance.

Security, privacy and compliance

Because session records contain IPs and user identifiers, apply appropriate protections:

  • Encrypt data in transit and at rest. Use TLS for all collectors and database connections.
  • Apply RBAC and audit access to session data.
  • Retain only what’s necessary for compliance and billing. Mask or pseudonymize usernames for analytics when possible.
  • Follow GDPR and local privacy rules: provide data retention policies and deletion procedures for user requests.

Automation and APIs

Expose session queries through a secure API for dashboards and billing systems. Implement endpoints such as:

  • /api/sessions/active — returns active sessions with pagination
  • /api/sessions/{session_id} — session details and bytes over time
  • /api/usage/user/{username}?start=&end= — aggregated usage for billing

Protect APIs with OAuth2 or token-based auth and rate-limit to prevent abuse. Provide CSV exports for accounting and automated invoice generation.

Operational checklist

  • Configure RADIUS accounting with Start/Stop/Interim-Update; set interim interval appropriately.
  • Enable verbose VPN server logging and centralize logs.
  • Collect NetFlow/IPFIX for byte-accurate forensic analysis.
  • Normalize session records into a canonical database schema.
  • Visualize usage and set alerts for anomalies and policy violations.
  • Implement retention, encryption and access control for session data.

Monitoring SSTP session duration and usage requires integrating authentication accounting, VPN server logs and network flow telemetry into a cohesive pipeline. Using RADIUS accounting as the primary source, enriching with flows and SNMP, and persisting normalized session records allows accurate duration, usage and billing reporting while supporting alerting and compliance needs.

For tooling, open-source stacks such as FreeRADIUS + PostgreSQL, Filebeat/Logstash + ELK, NetFlow collectors + ClickHouse, and dashboards in Grafana will cover most operational requirements. Where deep integration with Windows is necessary, leverage the RemoteAccess PowerShell module to gather supplementary state.

To learn more about dedicated-IP VPN operational best practices and advanced monitoring patterns, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.