How to test regex for syslog parsing correctly or not for user-ID?


L3 Networker

Hello

 

A syslog server is sending logs to the firewall for User-ID parsing.

1- How can I verify that the logs are being received on the firewall?

2- How can I test that my custom parser is working to identify the user/IP mapping?


L5 Sessionator

Hi @faizankhurshid

 

For both of your questions, you can check the Monitor -> User-ID logs, filtering for the datasource of your syslog sender.

 

If the parse filter is set up correctly, you should see the usernames being correctly populated in the "username" column, as opposed to some string you don't want, like a MAC address or something else wrong entirely.

 

Thanks,

Luke.

@LukeBullimore Thanks, but when I run the command below, I am seeing "number of auth. success messages : 0".

 

admin@PA-5050> show user server-monitor state Syslog2
UDP Syslog Listener Service is enabled
SSL Syslog Listener Service is disabled
Proxy: Syslog2(vsys: vsys1) Host: Syslog2(10.5.204.41)
number of log messages : 6
number of auth. success messages : 0

 

Also, I am not able to see any user/IP mapping from syslog (even a wrong one). So that means messages are coming from syslog, but shouldn't the parser give me a correct or wrong username/IP mapping?

@faizankhurshid,

Correct. You've recorded 6 messages from that host, but your custom parser didn't actually successfully map the UID, for whatever reason.

@BPry thanks. Is there any way to troubleshoot whether my custom parser is matching (any CLI command on the firewall), or, if my custom parser is not matching, how can I troubleshoot this?

Also, from the syslog I noticed that the username is on a different line of the log and the IP is on a different line of the log. Is multiline matching supported with syslog, or do I have to use SSL?

@faizankhurshid,

I'm not sure that the firewall really has a built-in way of testing a parser outside of simply seeing if you are getting the syslog messages and seeing if they are mapping any of the users. Since the parser is telling the firewall how to read the logs, there really isn't a way to 'test' this, as you're telling it what the actual message even says.

 

Things to keep in mind when using Syslog over SSL

Each syslog message must be a single line text string. Line breaks are delimited by a carriage return and a new line (\r\n) or a new line (\n). So essentially yes you would fully expect the username and the IP in different lines of the log, that's perfectly fine and what you need to get this to work.  

- The maximum allowed bytes is 2048 for any one message, so make sure you aren't surpassing that as the messages would get dropped. 

 

 

L7 Applicator

To test your regex string you can use one of the online test tools. My favourite one is this one here: https://regex101.com
