topic Re: access logs from bluecoat proxy to windows user-id agent in General Topics

access logs from bluecoat proxy to windows user-id agent

fwguy77 — Sun, 26 Jun 2016 05:02:44 GMT

Trying to get bluecoat proxy to send its access logs to windows user-id agent. configured custom log on bluecoat in the following format

PAN Source=$(c-ip) Username=$(cs-username) Action=$(s-action)

On user-id agent side I am seeing server receiving syslog messages in the format specified

PAN Source=x.x.x.x Username=usernamexxx Action=TCP_HIT

PAN Source=x.x.x.x Username=usernamexxx Action=TUNNELED

...

User-ID agent is confiured with parse filter using Field

Event String: PAN

Username Prefix: Username=

Username Delimeter: \s

Address Prefix: Source=

Address Delimeter: \s

In the UaDebug keep seeing this error

[Error 592]: Syslog msg len read error

Anyone run into the same issue?

What am I doing wrong?

Re: access logs from bluecoat proxy to windows user-id agent

rmonvon — Tue, 28 Jun 2016 13:58:32 GMT

Can you instruct the BlueCoat to separate the fields with a comma or semi-colon? Then change the setting on the PA to match the delimiter:

Username Delimeter: ,
Address Delimeter: ,

I think the \s is used for regex matching whereas the field match is an exact match and the PA was trying to match \s exactly.

Re: access logs from bluecoat proxy to windows user-id agent

fwguy77 — Wed, 29 Jun 2016 00:50:29 GMT

Thank you rmonvon. No result 😞

I see in verbose output that it is processing syslog, but then it shows error at the end.

For example first message in a syslog would be

PFW Source=some ip,Username=johns,Action=TCP_HIT

06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping P
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping F
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping W
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping S
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping o
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping u
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping r
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping c
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping e
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping =
06/28/16 20:44:58:388[Verbo 596]: Syslog msg len is 10
06/28/16 20:44:58:388[Debug 371]: Syslog: Unable to display contents of message, it exceeds the length debug messages allow.
06/28/16 20:44:58:388[Verbo 615]: recv 0-2047, msg 23-22
06/28/16 20:44:58:388[Verbo 596]: Syslog msg len is 4
06/28/16 20:44:58:388[Debug 371]: Syslog: Unable to display contents of message, it exceeds the length debug messages allow.
06/28/16 20:44:58:388[Verbo 615]: recv 0-2047, msg 28-27
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping r
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping n
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping a
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping m
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping e
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping =
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping j
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping o
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping h
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping n
06/28/16 20:44:58:388[Verbo 617]: Syslog msg, skipping s
06/28/16 20:44:58:388[Error 592]: Syslog msg len read error

I will try to make a single message shorter

Re: access logs from bluecoat proxy to windows user-id agent

rmonvon — Wed, 29 Jun 2016 02:38:29 GMT

Can you take a screenshot of the syslog field settings on the PA and post it here?

Also, do you have a syslog server like Kiwi syslog server that you can point the BlueCoat to? We want to confirm the exact syslog output that is being forwarded.

Re: access logs from bluecoat proxy to windows user-id agent

fwguy77 — Wed, 29 Jun 2016 05:44:49 GMT

I don't have kiwi, but I have wireshark running on windows box where user-id agent is installed and I am seeing in wireshark something like below

TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_DENIED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_POLICY_REDIRECT,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_CLIENT_REFRESH,u:johns,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_HIT,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TUNNELED,u:johns,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_DENIED,u:-,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_ACCELERATED,u:johns,s:10.1.1.100
TCP_NC_MISS,u:johns,s:10.1.1.100

Re: access logs from bluecoat proxy to windows user-id agent

rmonvon — Fri, 01 Jul 2016 15:00:47 GMT

{edit]

There is no comma after the IP address, and we specify the address delimiter has a comma. Can you add another syslog field after the IP address to get the comma into the syslog message?

Other than that, I can't see anything wrong with your setup. The syslog messages match against the fields & delimiters. I would check the agent itself. Restart the agent & maybe re-install agent. Or just install another version of the agent on another server as a test. Open a support case & have it diagnose is another option.

Thanks.

Re: access logs from bluecoat proxy to windows user-id agent

fwguy77 — Tue, 05 Jul 2016 08:24:32 GMT

adding comma did not help.

I am getting the same failure still in vervose log on user-id agent

07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping T
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping U
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping N
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping N
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping E
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping L
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping E
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping D
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping ,
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping u
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping :
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping j
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping o
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping h
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping n
07/05/16 04:16:27:439[Verbo 617]: Syslog msg, skipping s
07/05/16 04:16:27:439[Error 592]: Syslog msg len read error
07/05/16 04:16:27:439[Debug 355]: Event: type="XML API connection" name="<edited proxy IP>" status="Disconnected

I did create a support case, but it appears they are scratching their head too.

I think it may have something to with amount of data bluecoat is trying to send. It does not send syslog messages as individual messages, rather many of them at once.

Re: access logs from bluecoat proxy to windows user-id agent

rmonvon — Tue, 05 Jul 2016 14:32:08 GMT

Humm, that is odd. Any chance you can try the onbox agent on the PA or spinning a new agent on another Win server? Or try a different release 6.x or 7.x agent?

Re: access logs from bluecoat proxy to windows user-id agent

netwerkbeheer_aswatson — Tue, 06 Dec 2022 15:39:18 GMT

We have the same issue in the palo agent is there more information or a solution?