topic Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500 in General Topics

Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

MelLi — Mon, 02 Mar 2015 05:32:46 GMT

Hi Guys,

Just wondering if there is any documentation for verifying the syntax in PA-500 that is configured correctly to identify UserID data from a Cisco 3850 Intergrated WLD via a dedicated Syslog server.

Cisco 3850 uses the IOS-XE platform.

Thanks,

Cheers,

Mel

Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

MelLi — Mon, 02 Mar 2015 23:53:12 GMT

Hi,

Can anyone please help to point me to the right direction?

Thanks,

Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

jthakur — Tue, 03 Mar 2015 00:42:42 GMT

Could you past the syslogs event to get better idea about the strings ?

And give a try for "Field Identifier" which is easier than regex.

Thanks

Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

MelLi — Tue, 03 Mar 2015 02:33:15 GMT

Hi Jthakur,

Thanks for your reply.

Please find a sample of the data

Feb 27 16:18:52 syslog1 snmptrapd[2559]: 2015-02-27 16:18:52 10.5.80.1(via UDP: [10.5.80.1]:1028->[10.5.80.47]:162) TRAP, SNMP v1, community public#012#011iso.3.6.1.4.1.14179.2.6.3 Enterprise Specific Trap (53) Uptime: 78 days, 7:24:55.14#012#011iso.3.6.1.4.1.14179.2.6.2.35.0 = Hex-STRING: F8 4F 57 A4 C2 B0 #011iso.3.6.1.4.1.14179.2.6.2.36.0 = INTEGER: 0#011iso.3.6.1.4.1.14179.2.6.2.43.0 = IpAddress: 10.5.185.5#011iso.3.6.1.4.1.14179.2.6.2.34.0 = Hex-STRING: D8 96 95 11 3D 8F #011iso.3.6.1.4.1.14179.2.6.2.39.0 = STRING: "sarah.harris"#011iso.3.6.1.4.1.14179.2.2.1.1.3.6.248.79.87.164.194.176 = STRING: "WAP-001”

We have used the document https://live.paloaltonetworks.com/docs/DOC-8771

However,the date output is completely different between the WLC5500 and 3850. Is there any other document we can refer to?

Thanks,

Cheers,

Mel

Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

jthakur — Tue, 03 Mar 2015 04:18:25 GMT

Your regex appears to be correct. But I am not sure how PAN is interpreting #012 and #011. #011 is HT and #012 is LF in ASCII.

Below is a command used to test regex for syslog.

debug user-id test user-id-syslog-parse regex-identifier event-regex "Enterprise Specific Trap" username-regex "3.6.1.4.1.14179.2.6.2.39.0 = STRING: " address-regex "IpAddress: " log-string "syslog string".

For "Field Identifier" you can try below example strings.

Event String -> Enterprise Specific Trap

Username Prefix -> 3.6.1.4.1.14179.2.6.2.39.0 = STRING:

Username Delimiter -> \s

Address Prefix -> 3.6.1.4.1.14179.2.6.2.43.0 = IpAddress:

Address Delimiter -> \s

Try to replace \s with #011 if above delimiter doesn't work.

Thanks

Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

MelLi — Wed, 04 Mar 2015 03:05:48 GMT

Hi Jthakur,

Thank you for your suggestions. But there is still no success from our end.

Please find our amended config using Field Identifier rather than Regex, in addition another SNMP trap from our test machine.

Mar 4 13:00:27 syslog1 snmptrapd[2559]: 2015-03-04 13:00:27 10.5.80.1(via UDP: [10.5.80.1]:1028->[10.5.80.47]:162) TRAP, SNMP v1, community public#012#011iso.3.6.1.4.1.14179.2.6.3 Enterprise Specific Trap (53) Uptime: 83 days, 4:06:36.07#012#011iso.3.6.1.4.1.14179.2.6.2.35.0 = Hex-STRING: F8 4F 57 A4 C2 B0 #011iso.3.6.1.4.1.14179.2.6.2.36.0 = INTEGER: 0#011iso.3.6.1.4.1.14179.2.6.2.43.0 = IpAddress: 10.5.185.2#011iso.3.6.1.4.1.14179.2.6.2.34.0 = Hex-STRING: E4 CE 8F 5B A5 54 #011iso.3.6.1.4.1.14179.2.6.2.39.0 = STRING: "test.staff"#011iso.3.6.1.4.1.14179.2.2.1.1.3.6.248.79.87.164.194.176 = STRING: "WAP-001”

Doing a TCP dump, we can certainly verify that the PAN is receiving the messages.

Is there any debugging commands we can use on the PAN to see whether the device is interpreting the messages correctly?

We can see the below output from our PAN:

Proxy: syslog1(vsys: vsys1) Host: syslog1(10.5.80.47)

number of log messages : 75255

number of auth. success messages : 0

kris.kopicki@gw> show user server-monitor state syslog1

UDP Syslog Listener Service is enabled

SSL Syslog Listener Service is enabled

Proxy: syslog1(vsys: vsys1) Host: syslog1(10.5.80.47)

number of log messages : 75259

number of auth. success messages : 0

Have you got any suggestions? Should we open a support case for this?

Thanks in advance.

Cheers,

Mel

Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

jthakur — Wed, 04 Mar 2015 03:59:10 GMT

Hi Mel,

I used the debug user-id command for syslog strings given as example in below and it it worked fine.

How to Configure a Custom Syslog Sender and Test User Mappings

> debug user-id test user-id-syslog-parse field-identifier event-string "User Authentication Successful:" username-prefix "username=" username-delimiter "\s" address-prefix "IP=" address-delimiter "\s" log-string "2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10> User Authentication Successful: username=ilija MAC=78:f5:fd:dd:ff:90 IP=10.200.27.67"

Field parsing successful, Username 'ilija', Address '10.200.27.67'

Which syslog server you are using? Can it convert snmp trap to syslog format? I did some research and found this link and I hope it is helpful in fixing the problem.

Use Syslog Receiver to Integrate with Cisco Wireless Controller Series

Please check the above two links and if still no success, then you can open a case with support.

Thanks

Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

Oleksandr — Tue, 14 Jul 2015 16:50:19 GMT

For "Field Identifier" I use the following strings:

Username Prefix -> cldcClientUsername.0=

Username Delimiter -> ,

Address Prefix -> cldcClientIPAddress.0=

Address Delimiter -> ,

Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

mikealanni — Mon, 11 Dec 2017 17:02:24 GMT

Please can you help me with Cisco iOS XE configuration how to send the snmp traps (or syslog) to kiwi syslog or the firewall?

I mean what is the commands in Cisco iOS that generate client IP addressa and username (like aa accounting, radius-server and snmp-server commands)

Sorry I don't have much experiance with cisco on this manner.

Mike