topic Re: Is there a way to automate reporting of "auth-fail" system log messages? in General Topics

Is there a way to automate reporting of "auth-fail" system log messages?

dwgg — Wed, 03 Oct 2012 18:08:03 GMT

Hi,

I'm looking for a way to automatically/proactively report on auth-fail system log messages and not finding anything obvious. Some things I've tried;

1. I can send email under log-settings -> system -> informational, but a bit too chatty with all the other messages and only interested in auth failures for VPN connections.

2. I created a filter for ( eventid eq auth-fail ) under log -> system,, and can export it to and excel spread sheet which is what I'm looking for but not automated.

3. I looked in PDF reports -> custom reports -> add, but there is not an option to look at the "system logs" there. This seems like the way to go but does not look possible yet.

Seems like this may be a feature request to add support for system logs. Any other ideas would be greatly appreciated.

Thanks,

Dave

Re: Is there a way to automate reporting of "auth-fail" system log messages?

ppatel — Wed, 03 Oct 2012 19:00:52 GMT

Hi Dave,

I think at this time you have possibly tried each and every scenario. I am not sure if this can be achieved using XML API but it is worth giving a try.

Appears to me like a Feature Request.

Regards

Parth

Re: Is there a way to automate reporting of "auth-fail" system log messages?

ppatel — Wed, 03 Oct 2012 19:17:31 GMT

Dave,

However other than reporting, you can also manage to export logs for informational level only to the syslog server

event-id == auth-fail is of informational severity.

Link to the document:- https://live.paloaltonetworks.com/docs/DOC-3817

Let me know if that helps.

Regards

Parth

Re: Is there a way to automate reporting of "auth-fail" system log messages?

dwgg — Wed, 03 Oct 2012 20:51:43 GMT

Hi Parth,

Thanks for the feedback. I currently syslog to syslog-ng but looks like long term I will need to forward to splunk and have it do the alerting on and "auth-fail" messages. I will also see the feature request works for the short term.

Thanks,

Dave

Re: Is there a way to automate reporting of "auth-fail" system log messages?

mikand — Thu, 04 Oct 2012 07:57:22 GMT

Speaking of auth-fail (and auth-success), is it me or doesnt PA log which account name was fail/success along with client ip who attempted this?

I have already filed this to my support (among some other CEF related questions) but I was thinking if someone in here already have been digging into this?

Re: Is there a way to automate reporting of "auth-fail" system log messages?

dwgg — Thu, 04 Oct 2012 16:01:08 GMT

I see all that information in logs;

4/26/2012 12:26	auth-fail general	informational	User 'xxx' failed authentication. Reason: Invalid username/password From: 10.x.x.x.
4/18/2012 15:34	auth-fail general	informational	User 'xxx' failed authentication. Reason: Invalid username/password From: 10.x.x.x.

Re: Is there a way to automate reporting of "auth-fail" system log messages?

mikand — Thu, 04 Oct 2012 17:53:49 GMT

Hmm, thanks for the reply... then its some error related to CEF (or configuration of it or receiving of it).

Re: Is there a way to automate reporting of "auth-fail" system log messages?

parichie — Wed, 18 Jun 2014 00:46:45 GMT

I would like to receive an email everytime auth-fail (and auth-success) occurs. This is available in Cisco ASA, hopefully PA will include such granular options soon

Re: Is there a way to automate reporting of "auth-fail" system log messages?

CoreySteele — Mon, 04 May 2015 20:52:33 GMT

Since this question was originally asked in 2012, I would *HOPE* some progress has been made on this... I was working with a client today who requested this and I went to write a custom report and was astonished that I couldn't find an easy solution to providing this report. Why would the Configuration and System logs be exempt from the Custom Report builder?!?!? This makes NO SENSE as an end-user. I'm sure there's either a technical reason or a really (really) poor business reason, but either way, this seems like a reasonable and somewhat essential request.

Cheers,

Corey

ATTN: mlutgen

Re: Is there a way to automate reporting of "auth-fail" system log messages?

bspilde — Tue, 05 May 2015 04:14:08 GMT

I agree, there should be a way to easily do this. The only way I can see that it is possible currently aside from using a SEIM or Kiwi based alert would be to email every Informational log entry. You could selectively send informational logs to a Kiwi server. In Kiwi or SolarWinds it could discard everything but the auth-fail informational messages and alert on those.

It is something built right into several products, including FortiGate firewalls. It would be great if those logs were built into the reporting fuction on the PA.

mlutgen, cjsteele