Cisco Anyconnect Regex for User-ID

L2 Linker


We're using Cisco Anyconnect version 3.1 and are having issues using the syslog user-id receiver in panos 6.1.3. The default syslog profile for cisco anyconnect 1.0 and the regex entry doesn't correctly interpret the correct user id dhcp assigned IP address. Need help ASAP creating new or correct regex.

Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolicy <GroupPolicy_TEST> User <johndoe> IP <1.1.1.1> No IPv6 address available for SVC connection

Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-4-722051: Group <GroupPolicy_SWITCHADMIN> User < johndoe> IP <1.1.1.1> IPv4 Address <2.2.2.2> IPv6 address <::> assigned to session

Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-5-722033: Group <GroupPolicy_SWITCHADMIN> User < johndoe> IP <1.1.1.1> First TCP SVC connection established for SVC session.

Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-6-722022: Group <GroupPolicy_SWITCHADMIN> User < johndoe> IP <1.1.1.1> TCP SVC connection established without compression

Only for event containing  “%ASA-4-722051:”

User should be johndoe

IP should be IPv4 Address 2.2.2.2

Not applicable

Re: Cisco Anyconnect Regex for User-ID

I've been on the phone with support for the last few days and I am having the EXACT same issue.  Same panos and anyconnect version.  I think it has something to do with the regex setting looking at the first ip which should be public but I'm not sure.  I wish I knew regex better.  Someone PLEASE HELP!

L4 Transporter

Re: Cisco Anyconnect Regex for User-ID

Hello pnielsen,

Recommend the following setting using Field Identifier instead of Regex in your Syslog Parse Profile.

Should collect information from the logs with matching Event String: "%ASA-4-722051:" with information needed for UserID.

Only for event containing  “%ASA-4-722051:”

User should be johndoe

IP should be IPv4 Address 2.2.2.2
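The field-identifier approach suggested above, emulated as an added example that is not part of the original posts and is not PAN-OS code. It runs prefix/delimiter extraction over the four log lines from the first post. The prefix and delimiter values are assumptions, since the reply's exact settings are not shown on the page, and trimming the space in `User < johndoe>` is this example's own choice.

```python
import ipaddress

# Assumed field-identifier values; only the event string is stated in the thread.
EVENT_STRING = "%ASA-4-722051:"
USERNAME_PREFIX = "User <"
ADDRESS_PREFIX = "IPv4 Address <"
DELIMITER = ">"

# Sample input: the four log lines quoted in the first post.
SAMPLE_LOGS = [
    "Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> "
    "GroupPolicy <GroupPolicy_TEST> User <johndoe> IP <1.1.1.1> "
    "No IPv6 address available for SVC connection",
    "Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-4-722051: Group <GroupPolicy_SWITCHADMIN> "
    "User < johndoe> IP <1.1.1.1> IPv4 Address <2.2.2.2> "
    "IPv6 address <::> assigned to session",
    "Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-5-722033: Group <GroupPolicy_SWITCHADMIN> "
    "User < johndoe> IP <1.1.1.1> First TCP SVC connection established for SVC session.",
    "Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-6-722022: Group <GroupPolicy_SWITCHADMIN> "
    "User < johndoe> IP <1.1.1.1> TCP SVC connection established without compression",
]


def field_after(line, prefix, delimiter=DELIMITER):
    """Return the text between the first `prefix` and the next `delimiter`."""
    start = line.find(prefix)
    if start == -1:
        return None
    start += len(prefix)
    end = line.find(delimiter, start)
    if end == -1:
        return None
    return line[start:end].strip()  # trims the space in "User < johndoe>"


def parse_mapping(line, address_prefix=ADDRESS_PREFIX):
    """Return (user, ip) for a 722051 event, or None for anything else."""
    if EVENT_STRING not in line:
        return None  # other events carry only the client's source IP
    user = field_after(line, USERNAME_PREFIX)
    addr = field_after(line, address_prefix)
    if not user or not addr:
        return None
    try:
        return user, str(ipaddress.IPv4Address(addr))
    except ValueError:
        return None  # reject malformed or non-IPv4 values
```

Calling `parse_mapping(SAMPLE_LOGS[1], address_prefix="IP <")` anchors on the first address field instead and returns 1.1.1.1, the wrong address for the mapping the first post asks for.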

L2 Linker

Re: Cisco Anyconnect Regex for User-ID

I came to the same conclusion too. Thanks for the info!
