topic Re: How to test regex for syslog parsing correctly or not for user-ID? in General Topics

How to test regex for syslog parsing correctly or not for user-ID?

faizankhurshid — Fri, 06 Jul 2018 10:07:24 GMT

Hello

Syslog server is sending logs to firewall for user-ID parsing.

1- How can I verify that logs are receiving on firewall?

2- How can I test, my custom parser is working to identify the user/ip mapping?

Re: How to test regex for syslog parsing correctly or not for user-ID?

LukeBullimore — Fri, 06 Jul 2018 12:48:26 GMT

Hi @faizankhurshid

For both of your questions, you can check the Monitor -> User-ID logs, filtering for the datasource of your syslog sender.

If the parse filter is set up correcltly, you should see the usernames being correctly popualted in the "username" column as opposed to some string you don't want like a MAC address or something else wrong entirely.

Thanks,

Luke.

Re: How to test regex for syslog parsing correctly or not for user-ID?

faizankhurshid — Fri, 06 Jul 2018 15:05:42 GMT

@LukeBullimore Thanks but when I am running below command, I am seeing 'number of auth success messages 0)

admin@PA-5050> show user server-monitor state Syslog2

UDP Syslog Listener Service is enabled

SSL Syslog Listener Service is disabled

Proxy: Syslog2(vsys: vsys1) Host: Syslog2(10.5.204.41)

number of log messages : 6

number of auth. success messages : 0

Also, I am not able to see any user-ip mapping from syslog (even if it is wrong). So means messages are comming from syslog but parser should give me correct or wrong username/ip mapping?

Re: How to test regex for syslog parsing correctly or not for user-ID?

BPry — Sat, 07 Jul 2018 00:51:01 GMT

@faizankhurshid,

Currect. You've recorded 6 messages from that host but your custom parser didn't actually succesfully map the UID for whatever reason.

Re: How to test regex for syslog parsing correctly or not for user-ID?

faizankhurshid — Sat, 07 Jul 2018 06:38:24 GMT

@BPry thanks. Is there any way to troubleshoot that my custom parser is matching (any CLI comamnd in firewall) or if my custom parser is not matching, then how can I troubleshoot this?

Also from syslog, I noticed that username is in different line of log and IP is in different line of log? Does multiline matching is supported with syslog or I have to use SSL?

Re: How to test regex for syslog parsing correctly or not for user-ID?

BPry — Sun, 08 Jul 2018 10:17:18 GMT

@faizankhurshid,

I'm not sure that the firewall really has a built in way of testing a parser outside of simply seeing if you are getting the syslog messages and seeing if they are mapping any of the users. Since the parser is telling the firewall how to read the logs there really isn't a way to 'test' this as your telling it what the actual message even says.

Things to keep in mind when using Syslog over SSL

- Each syslog message must be a single line text string. Line breaks are delimited by a carriage return and a new line (\r\n) or a new line (\n). So essentially yes you would fully expect the username and the IP in different lines of the log, that's perfectly fine and what you need to get this to work.

- The maximum allowed bytes is 2048 for any one message, so make sure you aren't surpassing that as the messages would get dropped.

Re: How to test regex for syslog parsing correctly or not for user-ID?

Remo — Sun, 08 Jul 2018 20:39:42 GMT

To test your regex string you can use one of the online test tools. My favourite one is this one here: https://regex101.com