10-03-2012 11:08 AM
I'm looking for a way to automatically/proactively report on auth-fail system log messages and not finding anything obvious. Some things I've tried;
1. I can send email under log-settings -> system -> informational, but a bit too chatty with all the other messages and only interested in auth failures for VPN connections.
2. I created a filter for ( eventid eq auth-fail ) under log -> system,, and can export it to and excel spread sheet which is what I'm looking for but not automated.
3. I looked in PDF reports -> custom reports -> add, but there is not an option to look at the "system logs" there. This seems like the way to go but does not look possible yet.
Seems like this may be a feature request to add support for system logs. Any other ideas would be greatly appreciated.
10-03-2012 12:00 PM
I think at this time you have possibly tried each and every scenario. I am not sure if this can be achieved using XML API but it is worth giving a try.
Appears to me like a Feature Request.
10-03-2012 12:17 PM
However other than reporting, you can also manage to export logs for informational level only to the syslog server
event-id == auth-fail is of informational severity.
Link to the document:- https://live.paloaltonetworks.com/docs/DOC-3817
Let me know if that helps.
10-03-2012 01:51 PM
Thanks for the feedback. I currently syslog to syslog-ng but looks like long term I will need to forward to splunk and have it do the alerting on and "auth-fail" messages. I will also see the feature request works for the short term.
10-04-2012 12:57 AM
Speaking of auth-fail (and auth-success), is it me or doesnt PA log which account name was fail/success along with client ip who attempted this?
I have already filed this to my support (among some other CEF related questions) but I was thinking if someone in here already have been digging into this?
10-04-2012 09:01 AM
I see all that information in logs;
|4/26/2012 12:26||auth-fail general||informational||User 'xxx' failed authentication. Reason: Invalid username/password From: 10.x.x.x.|
|4/18/2012 15:34||auth-fail general||informational||User 'xxx' failed authentication. Reason: Invalid username/password From: 10.x.x.x.|
10-04-2012 10:53 AM
Hmm, thanks for the reply... then its some error related to CEF (or configuration of it or receiving of it).
05-04-2015 01:52 PM
Since this question was originally asked in 2012, I would *HOPE* some progress has been made on this... I was working with a client today who requested this and I went to write a custom report and was astonished that I couldn't find an easy solution to providing this report. Why would the Configuration and System logs be exempt from the Custom Report builder?!?!? This makes NO SENSE as an end-user. I'm sure there's either a technical reason or a really (really) poor business reason, but either way, this seems like a reasonable and somewhat essential request.
05-04-2015 09:14 PM
I agree, there should be a way to easily do this. The only way I can see that it is possible currently aside from using a SEIM or Kiwi based alert would be to email every Informational log entry. You could selectively send informational logs to a Kiwi server. In Kiwi or SolarWinds it could discard everything but the auth-fail informational messages and alert on those.
It is something built right into several products, including FortiGate firewalls. It would be great if those logs were built into the reporting fuction on the PA.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!