Cisco Anyconnect Regex for User-ID

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cisco Anyconnect Regex for User-ID

L2 Linker

We're using Cisco Anyconnect version 3.1 and are having issues using the syslog user-id receiver in panos 6.1.3. The default syslog profile for cisco anyconnect 1.0 and the regex entriy doesn't correctly interpet the correct user id dhcp assigned IP address. Need help ASAP creating new or correct regex.

Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolicy <GroupPolicy_TEST> User <johndoe> IP <1.1.1.1> No IPv6 address available for SVC connection

Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-4-722051: Group <GroupPolicy_SWITCHADMIN> User < johndoe> IP <1.1.1.1> IPv4 Address <2.2.2.2> IPv6 address <::> assigned to session

Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-5-722033: Group <GroupPolicy_SWITCHADMIN> User < johndoe> IP <1.1.1.1> First TCP SVC connection established for SVC session.

Apr 29 15:31:21 FEGUSLVSSLVPN1 %ASA-6-722022: Group <GroupPolicy_SWITCHADMIN> User < johndoe> IP <1.1.1.1> TCP SVC connection established without compression

Only for event containing  “%ASA-4-722051:”

User should be johndoe

IP should be IPv4 Address 2.2.2.2

4 REPLIES 4

Not applicable

I've been on the phone with support for the last few days and I am having the EXACT same issue.  Same panos and anyconnect version.  I think it has something to do with the regex setting looking at the first ip which should be public but I'm not sure.  I wish I knew regex better.  Someone PLEASE HELP!

L4 Transporter

Hello pnielsen,

Recommend the following setting using Field Identifier instead of Regex in your Syslog Parse Profile.

Should collect information from the logs with matching Event String:"%ASA-4-722051:"  with information needed for UserID.

Only for event containing  “%ASA-4-722051:”

User should be johndoe

IP should be IPv4 Address 2.2.2.2

L2 Linker

I came to the same conclusion too. Thanks for the info!

This solution is work. Thank. 

  • 8533 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!