06-10-2017 02:20 PM
I want to integrate the WLC with Palo Alto.
I've already converted SNMP to syslog using rsyslog,
but I don't understand how to parse it in Palo Alto.
Here are 3 syslog messages I captured with Wireshark when a user tries to log in:
Jun 10 14:08:37 localhost snmptrapd[10216]: 2017-06-10 14:08:37 <UNKNOWN> [UDP: [172.20.253.50]:32768->[172.20.10.43]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2630000) 7:18:20.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.4#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 60 D8 19 CD 36 11 #011SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP33-Barat"#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.0 = Hex-STRING: 00 2C C8 67 33 90 #011SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = Gauge32: 0#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.20.40.3#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.27.0 = STRING: "amet"#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.28.0 = STRING: "IPC_WIFI_NEW"
Jun 10 14:08:37 localhost snmptrapd[10216]: 2017-06-10 14:08:37 <UNKNOWN> [UDP: [172.20.253.50]:32768->[172.20.10.43]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2630000) 7:18:20.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.8#011SNMPv2-SMI::enterprises.9.9.513.1.2.1.1.1.0 = Gauge32: 0#011SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0.44.200.103.51.144 = STRING: "AP33-Barat"#011SNMPv2-SMI::enterprises.9.9.599.1.3.2.1.2.0 = INTEGER: 1#011SNMPv2-SMI::enterprises.9.9.599.1.3.2.1.3.0 = Hex-STRING: AC 14 28 03 #011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.27.96.216.25.205.54.17 = STRING: "amet"#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.28.96.216.25.205.54.17 = STRING: "IPC_WIFI_NEW"#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.38.96.216.25.205.54.17 = ""#011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.96.216.25.205.54.17 = Hex-STRING: 00 2C C8 67 33 90
Jun 10 14:08:37 localhost snmptrapd[10216]: 2017-06-10 14:08:37 <UNKNOWN> [UDP: [172.20.253.50]:32768->[172.20.10.43]:162]:#012DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2630000) 7:18:20.00#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.515.0.3#011SNMPv2-SMI::enterprises.9.9.515.1.1.0 = STRING: "amet"#011SNMPv2-SMI::enterprises.9.9.515.2.5.1.1.6.0 = Hex-STRING: 00 2C C8 67 33 90 #011SNMPv2-SMI::enterprises.9.9.515.2.5.1.1.3.0 = Hex-STRING: 60 D8 19 CD 36 11 #011SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.20.40.3#011SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP33-Barat"
The user info is
username = amet
IP user = 172.20.40.3
Could you please let me know which is the:
- event string
- username prefix
- username delimiter
- address prefix
- address delimiter
Thanks in advance
06-11-2017 03:42 AM
Hi @mzharfan
Is there a user only "trying" to log in, or is one of these 3 messages a successful login event? You can also find the explanation of these fields here: https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/configure-user-id-to-monitor...
So for this example I assume the first is a successful login event:
Event string: 9.9.599.1.3.1.1.1.0
Username prefix: .9.9.599.1.3.1.1.27.0 = STRING: "
Username delimiter: "
Address prefix: IpAddress:
Address delimiter: \s
Or the whole thing with regex:
Event regex: (9.9.599.1.3.1.1.1.0){1}
Username regex: \.9\.9\.599\.1\.3\.1\.1\.27\.0\s=\sSTRING:\s"([a-zA-Z0-9\\\._]+)
Address regex: IpAddress:\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
06-11-2017 12:49 PM
In this case, if all 3 messages appear with a successful login, the proposed solution will probably already work, because these strings will match only the first of the 3 messages.
In your WLC documentation or with the snmp MIB of your WLC you should be able to see which one is the correct one.
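To check the claim that the proposed regexes match only the first of the three traps, here is an added Python script (not from the thread or from Palo Alto Networks) that runs the three regexes from the reply above over abbreviated copies of the posted messages. It assumes the Syslog Parse profile behaves like this: a message is parsed only if the Event Regex matches, and a mapping needs both a username and an address.

```python
import re

# The three patterns exactly as given in the reply above. Note that the dots in
# the event regex are unescaped, so each one matches any character; it still
# only matches the first trap here, but an escaped form would be stricter.
EVENT_RE = re.compile(r'(9.9.599.1.3.1.1.1.0){1}')
USERNAME_RE = re.compile(r'\.9\.9\.599\.1\.3\.1\.1\.27\.0\s=\sSTRING:\s"([a-zA-Z0-9\\\._]+)')
ADDRESS_RE = re.compile(r'IpAddress:\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})')

# Constructed test input: the three traps from the question, shortened to the
# varbinds that matter (rsyslog renders tabs as #011, as in the capture).
MESSAGES = [
    'snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.4#011'
    'SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.1.0 = Hex-STRING: 60 D8 19 CD 36 11 #011'
    'SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.20.40.3#011'
    'SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.27.0 = STRING: "amet"#011'
    'SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.28.0 = STRING: "IPC_WIFI_NEW"',
    'snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.599.0.8#011'
    'SNMPv2-SMI::enterprises.9.9.599.1.3.2.1.3.0 = Hex-STRING: AC 14 28 03 #011'
    'SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.27.96.216.25.205.54.17 = STRING: "amet"#011'
    'SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.8.96.216.25.205.54.17 = Hex-STRING: 00 2C C8 67 33 90',
    'snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.515.0.3#011'
    'SNMPv2-SMI::enterprises.9.9.515.1.1.0 = STRING: "amet"#011'
    'SNMPv2-SMI::enterprises.9.9.599.1.3.1.1.10.0 = IpAddress: 172.20.40.3#011'
    'SNMPv2-SMI::enterprises.9.9.513.1.1.1.1.5.0 = STRING: "AP33-Barat"',
]


def parse_user_id(message):
    """Return (username, ip) for a message the event regex accepts, else None.

    Assumed gating order: event match first, then username and address must
    both be extracted, otherwise no mapping is produced.
    """
    if not EVENT_RE.search(message):
        return None
    user = USERNAME_RE.search(message)
    addr = ADDRESS_RE.search(message)
    if not (user and addr):
        return None
    return user.group(1), addr.group(1)


def map_all(messages):
    """Apply parse_user_id to every message; one entry per input message."""
    return [parse_user_id(m) for m in messages]


if __name__ == "__main__":
    for i, result in enumerate(map_all(MESSAGES), start=1):
        print(f"message {i}: {result}")
```

Only message 1 yields a mapping; message 3 carries the same IP but is skipped because the event regex does not match it.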