topic Troubleshooting User-ID from syslog listener in General Topics

Troubleshooting User-ID from syslog listener

GeoffSweet — Thu, 08 Jun 2017 21:53:39 GMT

I've configured my 5050's to be Syslog Listeners for a couple sources so that I can parse User-ID information out of them. I did so following this document here. I can see via the command

show user server-monitor state XXX

that I am receiving log messages, but so far none of the are registering "success messages". I'm having a hell of a time getting a packet capture to show the inbound Syslog messages so I can inspect that I am getting what I expect. Both pcap from the gui and tcpdump from the CLI isn't showing anything. Is there a way to just simply tail the underlying syslog file on the local 5050 to see what it is receiving?

Re: Troubleshooting User-ID from syslog listener

TranceforLife — Thu, 08 Jun 2017 22:28:35 GMT

Hi,

We had Captive Portal issue recently, and palo was configured as syslog listener. TAC was doing a pcap from GUI in order to confirm the format of the syslog messages. So you are on the right way. Did you configure your syslog server to forward the syslogsto to palo, did you check if you can reach palo successfully from the syslog server? I believe your mgmt profile is attached to the correct interface with syslog options ticked.

Re: Troubleshooting User-ID from syslog listener

ansharma — Fri, 09 Jun 2017 00:39:01 GMT

Hi Geoff,

Have you enabled syslog listener on the management profile?

Once you have that committed, you are sure to receive SYSLOG packets in tcpdump. Maybe check/remove any filter you got while taking a tcpdump.

Run the following commands and check logs.

admin@anuragFW> debug user-id on debug

admin@anuragFW> debug user-id set userid syslog

admin@anuragFW> tail follow yes mp-log useridd.log

Then, to verify your regex/filter expression use the following commands:

admin@anuragFW> test user-id user-id-syslog-parse regex-identifier event-regex <value> username-regex <value> address-regex <value> log-string <value>
admin@anuragFW> test user-id user-id-syslog-parse field-identifier event-string <value> username-prefix <value> username-delimiter <value> address-prefix <value> address-delimiter <value> log-string <value

If you are having trouble figuring out which regex is not being read correctly, feed the log-string values different sections of syslog messages. That's just something you gotta play around and figure out. Some special characters need to be escaped while some will not be allowed.

You can post a sample of syslog messages and we could possibly look into it.

Hope this helps.

Regards,

Anurag

Re: Troubleshooting User-ID from syslog listener

fjwcash — Thu, 11 Apr 2019 19:40:21 GMT

@ansharma wrote:

Then, to verify your regex/filter expression use the following commands:

admin@anuragFW> test user-id user-id-syslog-parse regex-identifier event-regex <value> username-regex <value> address-regex <value> log-string <value>
admin@anuragFW> test user-id user-id-syslog-parse field-identifier event-string <value> username-prefix <value> username-delimiter <value> address-prefix <value> address-delimiter <value> log-string <value

If you are having trouble figuring out which regex is not being read correctly, feed the log-string values different sections of syslog messages. That's just something you gotta play around and figure out. Some special characters need to be escaped while some will not be allowed.

Thank you! Those "test user-id" commands were exactly what I've been searching for. Trying to get a custom syslog filter working has been a pain, especially since the online regex tools say they work, but there's no logs on the PA200 to check if it's working or not.

You saved me a lot of desk-head interactions today. 😄