Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500


Hi Guys,

Just wondering if there is any documentation for verifying that the syntax configured in the PA-500 is correct to identify User-ID data from a Cisco 3850 Integrated WLC via a dedicated syslog server.

Cisco 3850 uses the IOS-XE platform.

[Attachment: syslog parameters.png]

Thanks,

Cheers,

Mel


Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

Hi,

Can anyone please help to point me to the right direction?

Thanks,


Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

Could you paste the syslog events to get a better idea about the strings?

And give "Field Identifier" a try, which is easier than regex.

Thanks


Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

Hi Jthakur,

Thanks for your reply.

Please find a sample of the data:

Feb 27 16:18:52 syslog1 snmptrapd[2559]: 2015-02-27 16:18:52 10.5.80.1(via UDP: [10.5.80.1]:1028->[10.5.80.47]:162) TRAP, SNMP v1, community public#012#011iso.3.6.1.4.1.14179.2.6.3 Enterprise Specific Trap (53) Uptime: 78 days, 7:24:55.14#012#011iso.3.6.1.4.1.14179.2.6.2.35.0 = Hex-STRING: F8 4F 57 A4 C2 B0 #011iso.3.6.1.4.1.14179.2.6.2.36.0 = INTEGER: 0#011iso.3.6.1.4.1.14179.2.6.2.43.0 = IpAddress: 10.5.185.5#011iso.3.6.1.4.1.14179.2.6.2.34.0 = Hex-STRING: D8 96 95 11 3D 8F #011iso.3.6.1.4.1.14179.2.6.2.39.0 = STRING: "sarah.harris"#011iso.3.6.1.4.1.14179.2.2.1.1.3.6.248.79.87.164.194.176 = STRING: "WAP-001"

We have used the document https://live.paloaltonetworks.com/docs/DOC-8771.

However, the data output is completely different between the WLC5500 and the 3850. Is there any other document we can refer to?

Thanks,

Cheers,

Mel


Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

Your regex appears to be correct. But I am not sure how PAN is interpreting #012 and #011. #011 is HT and #012 is LF in ASCII.

Below is a command used to test regex for syslog:

debug user-id test user-id-syslog-parse regex-identifier event-regex "Enterprise Specific Trap" username-regex "3.6.1.4.1.14179.2.6.2.39.0 = STRING: " address-regex "IpAddress: " log-string "syslog string"

For "Field Identifier" you can try the example strings below.

Event String ->  Enterprise Specific Trap

Username Prefix ->  3.6.1.4.1.14179.2.6.2.39.0 = STRING:

Username Delimiter -> \s

Address Prefix -> 3.6.1.4.1.14179.2.6.2.43.0 = IpAddress:

Address Delimiter -> \s

Try replacing \s with #011 if the above delimiter doesn't work.

Thanks
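As an added illustration (my own code, not the firewall's parser and not from anyone in this thread): a small Python model of prefix/delimiter extraction run over the trap line Mel posted. It shows why a "\s" delimiter swallows the rest of the varbind (the "#011" separators are literal text by the time snmptrapd has logged them), why "#011" isolates the value, and, going one step beyond the thread, why the username still needs the surrounding quotes handled. The prefix names and the parsing behaviour are assumptions that approximate PAN-OS, not a reproduction of it.

```python
import re

# Constructed sample: the first snmptrapd line quoted earlier in this thread,
# trimmed to the varbinds that matter. snmptrapd writes the tab and newline
# between varbinds as the literal text "#011" and "#012", so once the line
# reaches the firewall those separators are ordinary characters, not whitespace.
SAMPLE = (
    'Feb 27 16:18:52 syslog1 snmptrapd[2559]: 2015-02-27 16:18:52 10.5.80.1(via UDP: '
    '[10.5.80.1]:1028->[10.5.80.47]:162) TRAP, SNMP v1, community public#012#011'
    'iso.3.6.1.4.1.14179.2.6.3 Enterprise Specific Trap (53) Uptime: 78 days, 7:24:55.14#012#011'
    'iso.3.6.1.4.1.14179.2.6.2.43.0 = IpAddress: 10.5.185.5#011'
    'iso.3.6.1.4.1.14179.2.6.2.39.0 = STRING: "sarah.harris"#011'
    'iso.3.6.1.4.1.14179.2.2.1.1.3.6.248.79.87.164.194.176 = STRING: "WAP-001"'
)

# Event string and prefixes as suggested in the thread (the OIDs are from the trap).
EVENT = 'Enterprise Specific Trap'
USER_PREFIX = '3.6.1.4.1.14179.2.6.2.39.0 = STRING:'
ADDR_PREFIX = '3.6.1.4.1.14179.2.6.2.43.0 = IpAddress:'


def field(msg, event, prefix, delimiter):
    """Assumed model of a prefix/delimiter ("Field Identifier") parser: the event
    string must be present, the value starts after `prefix` (leading blanks
    skipped) and ends at the first `delimiter`, where "\\s" means any whitespace.
    Returns None when the event or the prefix is absent from the message."""
    if event not in msg or prefix not in msg:
        return None
    rest = msg[msg.index(prefix) + len(prefix):].lstrip()
    pat = r'\s' if delimiter == r'\s' else re.escape(delimiter)
    m = re.search(pat, rest)
    return rest if m is None else rest[:m.start()]


def mapping(msg, delimiter):
    """Return (username, address) as this model would hand them to User-ID."""
    return (field(msg, EVENT, USER_PREFIX, delimiter),
            field(msg, EVENT, ADDR_PREFIX, delimiter))


if __name__ == '__main__':
    for delim in (r'\s', '#011'):
        user, addr = mapping(SAMPLE, delim)
        print(f'delimiter {delim!r:7} -> username={user!r} address={addr!r}')
    # Including the opening quote in the prefix and using the closing quote as
    # the delimiter yields a clean username.
    print('quoted prefix  ->', repr(field(SAMPLE, EVENT, USER_PREFIX + ' "', '"')))
```

With "#011" the address comes out clean but the username is still "sarah.harris" with its quotes, which is one reason a mapping can silently fail to match a directory user.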


Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

Hi Jthakur,

Thank you for your suggestions. But there is still no success from our end.

Please find our amended config using Field Identifier rather than Regex, and, in addition, another SNMP trap from our test machine.


Mar  4 13:00:27 syslog1 snmptrapd[2559]: 2015-03-04 13:00:27 10.5.80.1(via UDP: [10.5.80.1]:1028->[10.5.80.47]:162) TRAP, SNMP v1, community public#012#011iso.3.6.1.4.1.14179.2.6.3 Enterprise Specific Trap (53) Uptime: 83 days, 4:06:36.07#012#011iso.3.6.1.4.1.14179.2.6.2.35.0 = Hex-STRING: F8 4F 57 A4 C2 B0 #011iso.3.6.1.4.1.14179.2.6.2.36.0 = INTEGER: 0#011iso.3.6.1.4.1.14179.2.6.2.43.0 = IpAddress: 10.5.185.2#011iso.3.6.1.4.1.14179.2.6.2.34.0 = Hex-STRING: E4 CE 8F 5B A5 54 #011iso.3.6.1.4.1.14179.2.6.2.39.0 = STRING: "test.staff"#011iso.3.6.1.4.1.14179.2.2.1.1.3.6.248.79.87.164.194.176 = STRING: "WAP-001"


Doing a tcpdump, we can certainly verify that the PAN is receiving the messages.


Are there any debugging commands we can use on the PAN to see whether the device is interpreting the messages correctly?

We can see the below output from our PAN:

Proxy: syslog1(vsys: vsys1)     Host: syslog1(10.5.80.47)
        number of log messages                            : 75255
        number of auth. success messages                  : 0

kris.kopicki@gw> show user server-monitor state syslog1
        UDP Syslog Listener Service is enabled
        SSL Syslog Listener Service is enabled
Proxy: syslog1(vsys: vsys1)     Host: syslog1(10.5.80.47)
        number of log messages                            : 75259
        number of auth. success messages                  : 0

Have you got any suggestions? Should we open a support case for this?

Thanks in advance.

Cheers,

Mel


Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

Hi Mel,

I used the debug user-id command for the syslog strings given as an example below and it worked fine.

How to Configure a Custom Syslog Sender and Test User Mappings

> debug user-id test user-id-syslog-parse field-identifier event-string "User Authentication Successful:" username-prefix "username=" username-delimiter "\s" address-prefix "IP=" address-delimiter "\s" log-string "2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10> User Authentication Successful: username=ilija MAC=78:f5:fd:dd:ff:90 IP=10.200.27.67"

Field parsing successful, Username 'ilija', Address '10.200.27.67'

Which syslog server are you using? Can it convert SNMP traps to syslog format? I did some research and found this link and I hope it is helpful in fixing the problem.

Use Syslog Receiver to Integrate with Cisco Wireless Controller Series

Please check the above two links and, if there is still no success, you can open a case with support.

Thanks


Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

For "Field Identifier" I use the following strings:

Username Prefix ->  cldcClientUsername.0=

Username Delimiter -> ,

Address Prefix -> cldcClientIPAddress.0=

Address Delimiter -> ,


Re: Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

Please can you help me with the Cisco IOS XE configuration for how to send the SNMP traps (or syslog) to Kiwi Syslog or the firewall?

I mean, what are the commands in Cisco IOS that generate the client IP address and username (like the aaa accounting, radius-server and snmp-server commands)?

Sorry, I don't have much experience with Cisco on this matter.

Mike
