04-24-2017 07:33 AM
Hi team,
We have the (Cisco & Ruckus) Wireless controllers forwarding SYSLOGS to the User-ID agent running on Windows 2012 server.
We want to use these syslog messages to create user-ip mappings. We tried several different regex patterns but are not having any luck. The UIA keeps showing the log as “- is not a valid IP”. I checked the regex matching at regex101.com as well and it seems to match there.
Sample logs:
*Dot1x_NW_MsgTask_6: Apr 20 14:08:01.947: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:28:5a:eb:44:d3:7e Base Radio MAC:58:97:bd:07:ca:30 Slot:0 User Name:jsimonson Ip Address:10.12.26.42 SSID:PSL-Main
*Dot1x_NW_MsgTask_2: Apr 20 14:08:01.855: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:bc:54:36:e8:76:c2 Base Radio MAC:18:8b:9d:c6:2e:d0 Slot:0 User Name:cmercer Ip Address:10.8.26.57 SSID:PSL-Main
*Dot1x_NW_MsgTask_2: Apr 20 14:08:01.855: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:bc:54:36:e8:76:c2 Base Radio MAC:18:8b:9d:c6:2e:d0 Slot:0 User Name:cmercer Ip Address:10.8.26.57 SSID:PSL-Main
*Dot1x_NW_MsgTask_7: Apr 18 09:29:15.861: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:c8:1e:e7:8b:d5:8f Base Radio MAC:18:8b:9d:f5:08:40 Slot:1 User Name:deanl Ip Address:10.8.26.55 SSID:PSL-Main
Regex filters we tried:
Event Regex: (Client\ Authenticated):{1}
Username Regex: User\ Name:([a-zA-Z0-9.:]+|.+?(@))
Address Regex: Ip\ Address:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
Any advice/suggestion would be highly appreciated.
Thanks and Regards,
Anurag
06-04-2017 11:08 AM
Hi Anurag
Are these log messages split into two lines or is this carriage return/new line added because of copy & paste from your logs into live community?
If these are two lines in your logs: did you try "(Slot:{d}){1}" for event regex?
It all is on one line: try to simplify the regex string for the IP address to test.
As you said, your existing ip regex string looks absolutely correct - maybe a bug?
Regards,
Remo
06-05-2017 06:26 AM
I should have updated this. I resolved the issue. The regexes we used were fine, the UIA wasn't. We tested and the same regexes worked on Agentless, then upgraded the UIA and it worked there too. Turned out 7.x UIA wasn't working correctly in regard to Syslog parsing.
Thanks for your suggestion anyway 🙂
Regards,
Anurag
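An offline check of the three regexes from the first post against its sample lines, useful for separating a pattern problem from an agent problem before changing anything on the UIA. This is an added example, not part of the original posts and not the User-ID agent's own parser; it assumes Python's `re` engine treats these patterns the same way, and the lines marked constructed (and the names `parse_line` and `build_mappings`) are not from the thread.

```python
import ipaddress
import re

# The three patterns exactly as posted in the thread.
EVENT_RE = re.compile(r"(Client\ Authenticated):{1}")
USER_RE = re.compile(r"User\ Name:([a-zA-Z0-9.:]+|.+?(@))")
ADDR_RE = re.compile(r"Ip\ Address:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

THREAD_LOGS = [  # two of the sample lines from the original post
    "*Dot1x_NW_MsgTask_6: Apr 20 14:08:01.947: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:28:5a:eb:44:d3:7e Base Radio MAC:58:97:bd:07:ca:30 Slot:0 User Name:jsimonson Ip Address:10.12.26.42 SSID:PSL-Main",
    "*Dot1x_NW_MsgTask_2: Apr 20 14:08:01.855: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:bc:54:36:e8:76:c2 Base Radio MAC:18:8b:9d:c6:2e:d0 Slot:0 User Name:cmercer Ip Address:10.8.26.57 SSID:PSL-Main",
]
CONSTRUCTED_LOGS = [  # constructed for this example, not from the thread
    # Different event text: the event regex must skip this line.
    "*Task_1: Apr 20 14:09:10.001: Client Disconnected: User Name:testuser Ip Address:10.0.0.5",
    # Octet 326 satisfies [0-9]{1,3} but is not a valid IPv4 address.
    "*Task_1: Apr 20 14:09:11.001: Client Authenticated: User Name:testuser Ip Address:10.8.326.57 SSID:Test",
    # No dotted quad after the field label: the address regex finds nothing.
    "*Task_1: Apr 20 14:09:12.001: Client Authenticated: User Name:testuser Ip Address:unknown SSID:Test",
]

def parse_line(line):
    """Return ((user, ip), None) on success, or (None, reason) otherwise."""
    if not EVENT_RE.search(line):
        return None, "event regex did not match"
    user = USER_RE.search(line)
    addr = ADDR_RE.search(line)
    if not user:
        return None, "username regex did not match"
    if not addr:
        return None, "address regex did not match"
    try:
        ip = ipaddress.ip_address(addr.group(1))  # semantic check beyond the pattern
    except ValueError:
        return None, f"{addr.group(1)} is not a valid IP"
    return (user.group(1), str(ip)), None

def build_mappings(lines):
    """Collect ip -> user mappings; the latest login for an IP wins."""
    mappings, rejected = {}, []
    for line in lines:
        pair, reason = parse_line(line)
        if pair:
            mappings[pair[1]] = pair[0]
        else:
            rejected.append(reason)
    return mappings, rejected

if __name__ == "__main__":
    print(build_mappings(THREAD_LOGS + CONSTRUCTED_LOGS))
```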