07-06-2018 03:07 AM
Hello
Syslog server is sending logs to firewall for user-ID parsing.
1- How can I verify that logs are being received on the firewall?
2- How can I test that my custom parser is working to identify the user/IP mapping?
07-06-2018 05:48 AM
For both of your questions, you can check the Monitor -> User-ID logs, filtering for the datasource of your syslog sender.
If the parse filter is set up correctly, you should see the usernames being correctly populated in the "username" column, as opposed to some string you don't want, like a MAC address or something else wrong entirely.
Thanks,
Luke.
07-06-2018 08:05 AM
@LukeBullimore Thanks, but when I am running the command below, I am seeing "number of auth. success messages : 0":
admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is disabled
Proxy: Syslog2(vsys: vsys1) Host: Syslog2(10.5.204.41)
number of log messages : 6
number of auth. success messages : 0
Also, I am not able to see any user-IP mapping from syslog (even a wrong one). So that means messages are coming from syslog, but shouldn't the parser give me a correct or wrong username/IP mapping?
07-06-2018 05:51 PM
Correct. You've recorded 6 messages from that host, but your custom parser didn't actually successfully map the UID for whatever reason.
07-06-2018 11:38 PM
@BPry thanks. Is there any way to troubleshoot whether my custom parser is matching (any CLI command in the firewall), or, if my custom parser is not matching, how can I troubleshoot this?
Also, from syslog, I noticed that the username is in one line of the log and the IP is in a different line of the log. Is multiline matching supported with syslog, or do I have to use SSL?
07-08-2018 03:17 AM
I'm not sure that the firewall really has a built-in way of testing a parser, outside of simply seeing if you are getting the syslog messages and seeing if they are mapping any of the users. Since the parser is telling the firewall how to read the logs, there really isn't a way to 'test' this, as you're telling it what the actual message even says.
Things to keep in mind when using Syslog over SSL:
- Each syslog message must be a single-line text string. Line breaks are delimited by a carriage return and a new line (\r\n) or a new line (\n). So essentially, yes, you would fully expect the username and the IP in different lines of the log; that's perfectly fine and what you need to get this to work.
- The maximum allowed size is 2048 bytes for any one message, so make sure you aren't surpassing that, as the messages would get dropped.
07-08-2018 01:39 PM
To test your regex string you can use one of the online test tools. My favourite one is this one here: https://regex101.com
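As an added example (not from this thread, and not Palo Alto Networks code), the script below dry-runs a custom parser definition against a few constructed syslog messages offline, so you can see before committing on the firewall which messages would match the event regex, which would yield a username/IP pair, and which would be dropped for breaking the single-line or 2048-byte rule quoted above. It assumes the three-regex layout of a syslog parse profile (event, username, address); the field names and the counter logic are an approximation, not the firewall's own implementation.

```python
import re

MAX_BYTES = 2048  # per-message limit mentioned in the thread

# Constructed sample messages (not real logs): one maps cleanly, one has a
# user but no IP, one is unrelated, one exceeds the size limit.
SAMPLE_MESSAGES = [
    "<14>Jul 6 03:05:12 radius1 auth: Login succeeded for user=jdoe from 10.5.204.77",
    "<14>Jul 6 03:05:13 radius1 auth: Login succeeded for user=asmith",
    "<14>Jul 6 03:05:14 radius1 auth: Session stats updated",
    "<14>Jul 6 03:05:15 radius1 auth: Login succeeded for user=big from 10.5.204.78 "
    + "x" * MAX_BYTES,
]

# Hypothetical parser definition; the three keys mirror the event, username
# and address regex fields of a syslog parse profile (assumed names).
PARSER = {
    "event": r"Login succeeded",
    "username": r"user=([A-Za-z0-9._-]+)",
    "address": r"from (\d{1,3}(?:\.\d{1,3}){3})",
}


def check_parser(messages, parser):
    """Return counters and mappings a parser definition would produce.

    'received' approximates 'number of log messages', 'mappings' the entries
    that would show up in Monitor -> User-ID; 'unmapped' lists event matches
    where the username or address regex failed, i.e. what to fix first.
    """
    event_re = re.compile(parser["event"])
    user_re = re.compile(parser["username"])
    addr_re = re.compile(parser["address"])
    result = {"received": 0, "dropped": 0, "event_matched": 0,
              "mappings": [], "unmapped": []}
    for msg in messages:
        # Single-line and size constraints: such messages are discarded.
        if "\n" in msg or "\r" in msg or len(msg.encode()) > MAX_BYTES:
            result["dropped"] += 1
            continue
        result["received"] += 1
        if not event_re.search(msg):
            continue  # not an auth event; counted but never mapped
        result["event_matched"] += 1
        user, addr = user_re.search(msg), addr_re.search(msg)
        if user and addr:
            result["mappings"].append((user.group(1), addr.group(1)))
        else:
            result["unmapped"].append(msg)
    return result
```

Run `check_parser(SAMPLE_MESSAGES, PARSER)` and compare the counters with `show user server-monitor state`: an "unmapped" entry here corresponds to log messages received with zero auth success on the firewall.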