Use Syslog Receiver to Integrate with Cisco Wireless Controller Series

by smalayappan on ‎12-16-2014 11:43 AM - edited on ‎08-02-2016 12:06 AM by (37,445 Views)


This document describes how to configure User-ID Agent to get User-IP mapping from the Cisco Wireless controller.



Shown below is a typical example of a syslog message from the wireless controller. The bolded fields are the information that will be extracted from the syslog for a successful User-IP mapping when connecting from the Cisco Wireless controller.

9    28.211036    Syslog    425    LOCAL7.DEBUG: community=Test_Syslog, enterprise=, uptime=384972600, agent_ip=, version=Ver2, cldcClientMacAddress.0=+;\273t\260\313, cLApName.0=ap-gl-01, cldcApMacAddress.0="Hex String=40 F4 EC 12 3A 40",, cldcClientIPAddress.0=,,


The screenshot below explains how to parse this information and extract the needed details. A Field Identifier is used instead of Regex.



Some versions of Cisco WLC might be sending a slightly different syslog message than the one mentioned above. If your Cisco WLC syslog format looks like the one pasted below (specifically note the highlighted string that holds the IP address of the user) then a different string needs to be configured for the “Address Prefix” value.


07-29-2016      11:32:34        Local7.Debug      community=PA_TEST31, enterprise=, uptime=1163840600, agent_ip=, version=Ver2,"Hex String=44 00 10 2D CC 2D",,,,,\user.name1,


Use the string in the “Address Prefix” field. See below screenshot for details.


Note that trailing spaces can cause problems in parsing the syslog message. When pasting the text into the “Syslog Parse Profile” window, make sure to delete all spaces at the end of the string.  






Note:  Make sure the Syslog listener is on the interface that is expected to reach the device. Cisco WLC native Syslog messages do not contain authentication information, so User-ID mappings cannot be derived from them. Cisco WLC generates SNMP Traps that do contain this information. The SNMP Trap must be converted into a Syslog message. To achieve this, please follow document: Cisco WLC - Palo Alto Networks config guide.pdf


owner: smalayappan

by baris_acik
on ‎01-15-2015 10:22 PM


What is the model number of the WLC that you get the syslogs above? We are using Cisco WLC 2504 and authentication information is in snmp trap logs, not in syslog. So I am unable to send the logs to paloalto firewall in order to be parsed.

by smalayappan
on ‎01-18-2015 02:38 PM

I don't remember the model off the top of my head, however if you can send me a snapshot of the SNMP trap message I will try to create a parser for you.

by stevenmills77
on ‎01-18-2015 11:19 PM

I have the same issue, the example message shown looks like it is from an SNMP trap generated by the Cisco WLC not a syslog message, there doesn't appear to be a syslog message that contains both the username and IP address. Do I need to use a third party application to convert SNMP traps to Syslog for this to work?

by bartoq
on ‎01-20-2015 03:20 AM

You can find a more detailed config guide from here Cisco Wireless LAN Controller Palo Alto Networks Config Guide

You need a method to convert SNMP traps to syslog. In this example I am using Kiwi Syslogd server, but you can use any syslog server that is capable of converting SNMP to syslog.

by f.giraud
on ‎06-23-2015 07:23 AM


I receive the account name of the user but not the ip address of the user in the snmp trap.

Any idea (Cisco WLC 8.0).

by JeffryTanudjaja
‎10-22-2015 07:07 PM - edited ‎10-22-2015 07:07 PM

You need to ensure your WLC is sending authentication and/or association (CMIIW)


Go to Management >> SNMP >> SNMP Trap Controls >> client



by mhume
on ‎12-30-2015 09:39 AM



I am having the same problem as f_giraud. When I look at the SNMP traps coming in on Kiwi syslog... I don't see a cldcClientIPAddress.0=. I am running 8.1 code on the Cisco WLC. I have been at this a while now trying to get this set up properly and I can only assume that this is my issue at this point.

by Quinton
on ‎01-11-2016 08:29 AM

It would be great if Palo could add SNMP traps to their User-ID listener. Then you could send the client association SNMP traps from the Cisco WLC directly to PAN for parsing.


on ‎06-29-2016 03:18 AM

Hello, the field for the " ip address prefix" may be an SNMP OID not an alphanumeric value, see image attached. 



Our Cisco WLC was using  firmware  and worked well with PANOS 7.0.6. 


When we used the "ddcclientipaddress" prefix in our environment it didn't work at all, so changing it to SNMP OID solved the issue with user id to ip address mapping via syslog.

by smisra
on ‎08-15-2016 05:49 PM

Issue: UIA Agent not receiving user-ip mapping information, though pcaps show that syslog messages are received from Cisco WLC on Kiwi server. Also, entering the same information of the username, the IP address, the delimiters and the 'Event String' as in pcap under Setup > Syslog Parse Profile > Field Identifier.


Solution: We see error ''Received a message on UDP listening socket from... But no matching syslog server config...'' in logs.


Added Syslog Server IP and Profile under UIA Agent > Discover tab. Commit the changes. Restart User ID Agent.

by Febin
on ‎09-25-2016 02:08 AM

Cisco WLC native Syslog messages do not contain authentication information, so User-ID mappings cannot be derived from them. Cisco WLC generates SNMP Traps that do contain this information. In order to convert SNMP traps to SYSLOG messages, please apply the below commands in the Cisco Wireless LAN Controller and send SYSLOG directly to the Palo Alto firewall.


(Cisco Controller) >config logging syslog facility client associate

(Cisco Controller) >config logging syslog facility client authentication

by Networker2b
on ‎11-21-2016 11:36 PM


Can anybody help me please regarding this problem. I have Cisco WLC 5508, tried a number of times but failed. My traps are showing only username and missing IP address.



‎12-07-2016 11:40 AM - edited ‎12-07-2016 09:26 PM

@Febin Many thanks for the tips! For years nobody has found these options because everybody was taking the Palo Alto information as engraved in marble 😜.

by Vovale
on ‎02-08-2017 12:32 PM

I'm working currently with WLC 2504 running version I run these commands on my controller as @Febin recommended:

config logging syslog facility client authentication

config logging syslog facility client associate


I can see now logs like these:

WLC_NAME: *Dot1x_NW_MsgTask_2: Feb 08 14:38:49.791: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:18:65:90:48:e0:3a Base Radio MAC:0c:68:03:2c:fc:d0 Slot:1 User Name:MYUSERNAME Ip Address: SSID:MYSSID


But I can't configure the filter on Palo Alto to identify the user.

Any help will be appreciated.

by steven.pompy
on ‎08-06-2017 05:05 PM

This worked for me.


Username regex: User Name:([a-zA-Z0-9\\\._]+)
IP address regex: ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

by Vovale
‎08-06-2017 11:11 PM - edited ‎08-06-2017 11:11 PM

Thanks for the reply, already found a solution:

Event Regex: Client Authenticated:

Username Regex: User Name:(?:mydomain\\|MYDOMAIN\\)?(?!unknown|mydomain\\unknown|host\\)([A-Za-z0-9\.@\-\_]+)

Address Regex: Ip Address:([0-9a-f\.\:]+)


I had some unknown users and they were mapped as "unknown", so I excluded them. In addition, I had some issues with mapping users like mydomain\username, so I added a fix to the regex to exclude mydomain and take only the username, as the Palo Alto is adding the domain.
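
The three patterns from the post above can be checked offline before they go into a Syslog Parse Profile. The following is an added example, not part of the original post or of any Palo Alto Networks tooling: it uses Python's `re` module as a stand-in for the agent's regex engine (an assumption), runs against constructed log lines in the format quoted in the thread, and adds an `ipaddress` check of its own.

```python
import ipaddress
import re

# Patterns as posted above; "mydomain" is the poster's placeholder domain.
EVENT_RE = re.compile(r"Client Authenticated:")
USER_RE = re.compile(
    r"User Name:(?:mydomain\\|MYDOMAIN\\)?"
    r"(?!unknown|mydomain\\unknown|host\\)([A-Za-z0-9\.@\-\_]+)"
)
ADDR_RE = re.compile(r"Ip Address:([0-9a-f\.\:]+)")


def parse_mapping(message):
    """Return (username, ip) for an authentication event, else None."""
    if not EVENT_RE.search(message):
        return None
    user = USER_RE.search(message)
    addr = ADDR_RE.search(message)
    if not user or not addr:
        return None
    try:
        # The address pattern is permissive, so confirm it is a real IP.
        ip = ipaddress.ip_address(addr.group(1))
    except ValueError:
        return None
    return user.group(1), str(ip)


def sample(user, ip, event="Client Authenticated:"):
    """Build a constructed log line in the format quoted in the thread."""
    return ("WLC_NAME: *Dot1x_NW_MsgTask_2: Feb 08 14:38:49.791: "
            "#APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 "
            f"{event} MACAddress:18:65:90:48:e0:3a "
            "Base Radio MAC:0c:68:03:2c:fc:d0 Slot:1 "
            f"User Name:{user} Ip Address:{ip} SSID:MYSSID")


if __name__ == "__main__":
    cases = [
        ("jdoe", "192.0.2.10"),             # plain username
        ("mydomain\\jdoe", "192.0.2.11"),   # domain prefix stripped
        ("MyDomain\\jdoe", "192.0.2.12"),   # mixed case: captures the domain
        ("unknown", "192.0.2.13"),          # excluded by the lookahead
        ("jdoe", ""),                       # no client IP in the message
        ("jdoe", "2001:db8::1"),            # IPv6 client
    ]
    for user, ip in cases:
        print(f"{user!r:20} {ip!r:16} -> {parse_mapping(sample(user, ip))}")
```

The mixed-case row shows a mapping to the domain name instead of the user, because the optional prefix group only lists two spellings; the empty-address row produces no mapping at all.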
