Source User Information from Syslog push to PA

clonesheep — Wed, 05 Dec 2018 10:47:04 GMT

Hi we use Aerohive AP and from there i get syslogs at my Kiwi Syslog Server. Like this one:

ah_auth: add new RT sta: MAC=xxxxxxxx, IP=10.100.100.20, hostname=xxxxx, username=xxxxxx on wifi0.7

And now i need this information in the PA because there i only see in the traffic monitor the Source IP Adress from the AP and no Source User.

How can i configure that the PA can take the log information from the kiwi syslog? Or is there an easy way to take the Aerohive Login/logout and device informations to the firewall?

Aerohive and Palo Alto Network have a cooperation... https://manualzz.com/doc/23623919/aerohive-and-palo-alto-networks

Re: Source User Information from Syslog push to PA

BPry — Wed, 05 Dec 2018 18:58:43 GMT

@clonesheep

Easiest way would be to configure the User-ID agent as a syslog listener, and then build out a syslog filter to identify a login and logout event. I believe the Aerohive AP v1.0.0 Syslog Parse Profile actually looks like it would work for your login event.

topic Re: Source User Information from Syslog push to PA in General Topics

Source User Information from Syslog push to PA

Re: Source User Information from Syslog push to PA