How to Configure a Custom Syslog Sender and Test User Mappings

61166
Created On 09/25/18 17:41 PM - Last Modified 06/09/23 05:40 AM


Resolution


PAN-OS 6.0, 6.1

Overview

PAN-OS 6.0 introduced the ability to use the Palo Alto Networks firewall as a syslog listener. Syslog messages from other network elements are collected and parsed to map users to IP addresses, and those mappings can then be referenced in security rules and policies.

With this feature enabled, a syslog listener is configured automatically on the device: it listens on UDP port 514, or on port 6514 when SSL is selected to encrypt the logs in transit. The option is not limited to the firewall; the same configuration is available on the User-ID Agent installed on a Windows Server. The Windows agent does not support SSL, only UDP and TCP (port 514 for both).

This document describes how to create a custom filter on the Palo Alto Networks firewall.

Note: From application content version 418, Palo Alto Networks includes a list of predefined syslog senders (called filters). Application updates can be downloaded and installed from the web UI (Device > Dynamic Updates).

Requirements:

  • Knowledge of the syslog sender's log format.
  • Knowledge of the IP address of the sender.
  • Knowledge of how the logs will be delivered (encrypted or non-encrypted).
  • Knowledge of the domain the users connect to, and whether they use a “domain\” notation when logging in.
  • A decision between using a Field Identifier or a Regex Identifier.

This document describes the configuration of this setup directly on the firewall. However, the procedure is the same if the configuration is performed on the User-ID Agent (as the same fields are configured in the same manner).

Steps

Analysis of the logs

Take a section of the log and identify the fields needed for the user-IP mapping. These always include the username, the IP address, the prefixes and delimiters that bound those fields, and the “Event String”. The event string is the text that tells the firewall the user logged in successfully; only messages containing it cause the username and IP address to be extracted and recorded in the user-IP mapping database.

The following syslog example shows a log from an Aruba wireless controller:

2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=ilija MAC=78:f5:fd:dd:ff:90 IP=10.200.27.67

2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=jovan MAC=78:f5:fd:dd:ff:90 IP=10.200.27.68 role=MUST-STAFF_UR VLAN=472 AP=00:1a:1e:c5:13:c0 SSID=MUST-DOT1X AAA profile=MUST-DOT1X_AAAP auth method=802.1x auth server=STAFF

2013-03-20 12:56:57 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=1209853ab111018 MAC=c0:9f:42:b4:c5:78 IP=10.200.36.176 role=Guest VLAN=436 AP=00:1a:1e:c5:13:ee SSID=Guest AAA profile=Guest auth method=Web auth server=Guest

2013-03-20 12:57:13 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10>  User Authentication Successful: username=1109853ab111008 MAC=00:88:65:c4:13:55 IP=10.200.40.201 role=Guest VLAN=440 AP=00:1a:1e:c5:ed:11 SSID=Guest AAA profile=Guest auth method=Web auth server=Guest


From the analysis of the above log sample (plain key=value syslog output), the parsing can be handled using Field Identifiers:

  • For the Event String, search for the “User Authentication Successful:” string.
  • For the username prefix: “username=”.
  • For the username delimiter: “\s”.
  • For the address prefix: “IP=”.
  • For the address delimiter: “\s”.

Note: When the delimiter in the syslog message is a space, a common mistake is to enter a literal blank space (or “ ”) in the delimiter field. This is not correct: even when the Regex Identifier is not used, '\s' is how a space delimiter must be represented on the firewall. When configuring the same profile on the User-ID Agent, however, a literal blank space must be used, because the agent does not recognize '\s' and an error will appear in its debug log.
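To make the Field Identifier semantics concrete, the following added example (not part of this article or of PAN-OS) applies the event string, prefixes and '\s' delimiters from the analysis above to constructed lines modelled on the Aruba excerpt, and prepends a Default Domain Name the way the server monitor does. The function names and the failure-event sample line are assumptions made for the example.

```python
import re

# Constructed sample lines modelled on the Aruba excerpt in this article (not
# captured from a real controller). The third line is a failure event: it must
# never produce a mapping even though it carries username= and IP= fields.
SAMPLE_LOGS = [
    "2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> "
    "<Aruba-Local3 10.200.10.10>  User Authentication Successful: username=ilija "
    "MAC=78:f5:fd:dd:ff:90 IP=10.200.27.67",
    "2013-03-20 12:57:13 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> "
    "<Aruba-Local3 10.200.10.10>  User Authentication Successful: "
    "username=1109853ab111008 MAC=00:88:65:c4:13:55 IP=10.200.40.201 role=Guest",
    "2013-03-20 12:58:00 local4.notice Aruba-Local3 authmgr[1568]: <522010> <NOTI> "
    "<Aruba-Local3 10.200.10.10>  User Authentication Failed: username=eve IP=10.200.27.99",
]

def extract_field(line, prefix, delimiter):
    r"""Text after the first `prefix`, up to the regex `delimiter` (r"\s" behaves
    like the firewall's '\s'). End of line also closes the field; the first
    sample line relies on that because IP= is its last token."""
    start = line.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    m = re.search(delimiter, line[start:])
    return line[start:] if m is None else line[start:start + m.start()]

def parse_mappings(lines, event_string, user_prefix, user_delim,
                   addr_prefix, addr_delim, default_domain=None):
    """Emulate a Field Identifier parse profile: only lines containing the
    event string are parsed, and a line yields an IP -> user entry only when
    both fields are found. default_domain mimics Default Domain Name on the
    server monitor and is prepended as domain\\user to every learned user."""
    mappings = {}
    for line in lines:
        if event_string not in line:
            continue
        user = extract_field(line, user_prefix, user_delim)
        ip = extract_field(line, addr_prefix, addr_delim)
        if not user or not ip:
            continue
        if default_domain:
            user = f"{default_domain}\\{user}"
        mappings[ip] = user
    return mappings

# Apply the profile from the analysis above, with al.com as Default Domain Name.
MAPPINGS = parse_mappings(SAMPLE_LOGS, "User Authentication Successful:",
                          "username=", r"\s", "IP=", r"\s", default_domain="al.com")
```

MAPPINGS contains the two successful logons only; the failed authentication is ignored because its line never matches the event string, which is exactly why the event string, and not just the presence of username= and IP=, must be chosen carefully.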

Configuration

  1. Define the Syslog Parse Profile that will be applied to the syslog events sent to the firewall's listener.
    1. Go to Device > User Identification > User Mapping
    2. Edit the "Palo Alto Networks User ID Agent Setup" section
    3. Go to the Syslog Filter tab and add a new Syslog Parse Profile
    4. Determine the type for the profile (Regex Identifier or Field Identifier) depending on the complexity of the logs
    5. Enter the field values as determined from the analysis above.
  2. Configure a server monitor
    1. Go to Device > User Identification > User Mapping
    2. Under the Server Monitoring section, add a new Server Monitor
    3. Select Syslog Sender for Type
    4. Select the appropriate settings for the Syslog Sender, which include: Connection Type, Filter (which, in this example, will be the one created in the previous steps), and Default Domain Name.
      Note: If Default Domain Name is used, the entered domain is prepended to all users discovered through this server connection.
  3. When all the settings are complete, permit the syslog connections on the interface that will receive them.
    1. Go to Network > Network Profiles > Interface Mgmt
    2. Select the User-ID-Syslog-Listener-UDP or User-ID-Syslog-Listener-SSL, depending on the connection type.
    3. Attach the Management Profile to the Ethernet Interface, under the Advanced tab.
  4. Test the connection and the parser by generating a logon event from the server that produces the logs.
  5. Verify that the firewall receives the logs from the sender and that mappings are being generated on the firewall. For example:

> show user server-monitor state all

UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is disabled

Proxy: ilija-syslog(vsys: vsys1)   Host: ilija-syslog(10.193.17.29)
number of log messages                            : 1
number of auth. success messages                  : 1

> show user ip-user-mapping all type SYSLOG

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.200.40.201   vsys1  SYSLOG  al.com\1109853ab111008           2696           2696
Total: 1 users

owner: ialeksov




