https://live.paloaltonetworks.com/t5/general-topics/parse-rsyslog-message/m-p/160601#M52338 <P>In this case, if all 3 messages appear with a succesful login, the proposed solution will probably already work, because these strings will match only the first of the 3 messages.</P><P>In your WLC documentation or with the snmp MIB of your WLC you should be able to see which one is the correct one.</P> Sun, 11 Jun 2017 19:49:08 GMT Remo 2017-06-11T19:49:08Z https://live.paloaltonetworks.com/t5/general-topics/parse-rsyslog-message/m-p/160566#M52327 <P>I want to integrate WLC to Palo-Alto</P><P>I've done converting the snmp to syslog using rsyslog</P><P>But I don't get how to parse it in palo alto</P><P>&nbsp;</P><P>here 3&nbsp;syslog messages I got from wireshark when a user tries to login</P><P>Jun 10 14:08:37 localhost snmptrapd[10216]: 2017-06-10 14:08:37 &lt;UNKNOWN&gt; [UDP: [172.20.253.50]:32768-&gt;[172.20.10.43]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2630000) 7:18:20.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.4#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 60 D8 19 CD 36 11 #011SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP33-Barat"#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 2C C8 67 33 90 #011SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = Gauge32: 0#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.20.40.3#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.27.0 = STRING: "amet"#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.28.0 = STRING: "IPC_WIFI_NEW"</P><P>&nbsp;</P><P>Jun 10 14:08:37 localhost snmptrapd[10216]: 2017-06-10 14:08:37 &lt;UNKNOWN&gt; [UDP: [172.20.253.50]:32768-&gt;[172.20.10.43]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2630000) 7:18:20.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.8#011SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = Gauge32: 0#011SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0.44.200.103.51.144 = STRING: "AP33-Barat"#011SNMPv2-SMI::enterprises.9.9.599.1.3.2.1.2.0 = INTEGER: 1#011SNMPv2-SMI::enterprises.9.9.599.1.3.2.1.3.0 = Hex-STRING: AC 14 28 03 #011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.27.96.216.25.205.54.17 = STRING: "amet"#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.28.96.216.25.205.54.17 = STRING: "IPC_WIFI_NEW"#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.38.96.216.25.205.54.17 = ""#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.96.216.25.205.54.17 = Hex-STRING: 00 2C C8 67 33 90</P><P>&nbsp;</P><P>Jun 10 14:08:37 localhost snmptrapd[10216]: 2017-06-10 14:08:37 &lt;UNKNOWN&gt; [UDP: [172.20.253.50]:32768-&gt;[172.20.10.43]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2630000) 7:18:20.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.515.0.3#011SNMPv2-SMI::enterprises.9.9.515.1.1.0 = STRING: "amet"#011SNMPv2-SMI::enterprises.9.9.515.2.5.1.1.6.0 = Hex-STRING: 00 2C C8 67 33 90 #011SNMPv2-SMI::enterprises.9.9.515.2.5.1.1.3.0 = Hex-STRING: 60 D8 19 CD 36 11 #011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.20.40.3#011SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP33-Barat"</P><P>&nbsp;</P><P>The user info is</P><P>username = amet</P><P>IP user = 172.20.40.3</P><P>&nbsp;</P><P>Could you please let me know which is,</P><P>- event string</P><P>- username prefix</P><P>- username delimiter</P><P>- address prefix</P><P>- address delimiter</P><P>&nbsp;</P><P>Thanks in advance</P> Sat, 10 Jun 2017 21:20:20 GMT https://live.paloaltonetworks.com/t5/general-topics/parse-rsyslog-message/m-p/160566#M52327 mzharfan 2017-06-10T21:20:20Z https://live.paloaltonetworks.com/t5/general-topics/parse-rsyslog-message/m-p/160595#M52333 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/65811">@mzharfan</a></P><P>&nbsp;</P><P>Is there a user only "trying" to log in or is one of these 3 messages a successful login event? The explanation for these fields you also find here:&nbsp;<A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/configure-user-id-to-monitor-syslog-senders-for-user-mapping#_81430" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/configure-user-id-to-monitor-syslog-senders-for-user-mapping#_81430</A></P><P>&nbsp;</P><P>So for this example I assume the first is a successful login event:</P><P>Event string:&nbsp;<SPAN>9.9.599.1.3.1.1.1.0</SPAN></P><P>Username prefix:&nbsp;<SPAN>.9.9.599.1.3.1.1.27.0 = STRING: "</SPAN></P><P><SPAN>Username delimiter: "</SPAN></P><P><SPAN>Address prefix:&nbsp; IpAddress:&nbsp;</SPAN></P><P><SPAN>Address delimiter: \s</SPAN></P><P>&nbsp;</P><P><SPAN>Or the whole thing with regex:</SPAN></P><P><SPAN>Event regex: (9.9.599.1.3.1.1.1.0){1}</SPAN></P><P><SPAN>Username regex:&nbsp;\.9\.9\.599\.1\.3\.1\.1\.27\.0\s=\sSTRING:\s"([a-zA-Z0-9\\\._]+)</SPAN></P><P><SPAN>Address regex: IpAddress:\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})</SPAN></P> Sun, 11 Jun 2017 10:42:51 GMT https://live.paloaltonetworks.com/t5/general-topics/parse-rsyslog-message/m-p/160595#M52333 Remo 2017-06-11T10:42:51Z https://live.paloaltonetworks.com/t5/general-topics/parse-rsyslog-message/m-p/160598#M52336 all those 3 messages appear when a user login (successfully), I don't know which one is the successful login event Sun, 11 Jun 2017 14:23:54 GMT https://live.paloaltonetworks.com/t5/general-topics/parse-rsyslog-message/m-p/160598#M52336 mzharfan 2017-06-11T14:23:54Z https://live.paloaltonetworks.com/t5/general-topics/parse-rsyslog-message/m-p/160601#M52338 <P>In this case, if all 3 messages appear with a succesful login, the proposed solution will probably already work, because these strings will match only the first of the 3 messages.</P><P>In your WLC documentation or with the snmp MIB of your WLC you should be able to see which one is the correct one.</P> Sun, 11 Jun 2017 19:49:08 GMT https://live.paloaltonetworks.com/t5/general-topics/parse-rsyslog-message/m-p/160601#M52338 Remo 2017-06-11T19:49:08Z