Syslog Data for UserID from Cisco 3850 WLC to Palo Alto PA-500

Could you past the syslogs event to get better idea about the strings ?

And give a try for "Field Identifier" which is easier than regex.

Thanks

Hi Jthakur,

Thanks for your reply.

Please find a sample of the data

Feb 27 16:18:52 syslog1 snmptrapd[2559]: 2015-02-27 16:18:52 10.5.80.1(via UDP: [10.5.80.1]:1028->[10.5.80.47]:162) TRAP, SNMP v1, community public#012#011iso.3.6.1.4.1.14179.2.6.3 Enterprise Specific Trap (53) Uptime: 78 days, 7:24:55.14#012#011iso.3.6.1.4.1.14179.2.6.2.35.0 = Hex-STRING: F8 4F 57 A4 C2 B0 #011iso.3.6.1.4.1.14179.2.6.2.36.0 = INTEGER: 0#011iso.3.6.1.4.1.14179.2.6.2.43.0 = IpAddress: 10.5.185.5#011iso.3.6.1.4.1.14179.2.6.2.34.0 = Hex-STRING: D8 96 95 11 3D 8F #011iso.3.6.1.4.1.14179.2.6.2.39.0 = STRING: "sarah.harris"#011iso.3.6.1.4.1.14179.2.2.1.1.3.6.248.79.87.164.194.176 = STRING: "WAP-001”

We have used the document https://live.paloaltonetworks.com/docs/DOC-8771

However,the date output is completely different between the WLC5500 and 3850. Is there any other document we can refer to?

Thanks,

Cheers,

Mel

Your regex appears to be correct. But I am not sure how PAN is interpreting #012 and #011. #011 is HT and #012 is LF in ASCII.

Below is a command used to test regex for syslog.

debug user-id test user-id-syslog-parse regex-identifier event-regex "Enterprise Specific Trap" username-regex "3.6.1.4.1.14179.2.6.2.39.0 = STRING: "  address-regex "IpAddress: " log-string "syslog string".

For "Field Identifier" you can try below example strings.

Event String ->  Enterprise Specific Trap

Username Prefix ->  3.6.1.4.1.14179.2.6.2.39.0 = STRING:

Username Delimiter -> \s

Address Prefix -> 3.6.1.4.1.14179.2.6.2.43.0 = IpAddress:

Address Delimiter -> \s

Try to replace \s with #011 if above delimiter doesn't work.

Thanks

Hi Jthakur,

Thank you for your suggestions. But there is still no success from our end.

Please find our amended config using Field Identifier rather than Regex, in addition another SNMP trap from our test machine.

Doing a TCP dump, we can certainly verify that the PAN is receiving the messages.

Is there any debugging commands we can use on the PAN to see whether the device is interpreting the messages correctly?

We can see the below output from our PAN:

Proxy: syslog1(vsys: vsys1)     Host: syslog1(10.5.80.47)

        number of log messages                            : 75255

        number of auth. success messages                  : 0

kris.kopicki@gw> show user server-monitor state syslog1

        UDP Syslog Listener Service is enabled

        SSL Syslog Listener Service is enabled

Proxy: syslog1(vsys: vsys1)     Host: syslog1(10.5.80.47)

        number of log messages                            : 75259

        number of auth. success messages                  : 0

Have you got any suggestions? Should we open a support case for this?

Thanks in advance.

Cheers,

Mel

Hi Mel,

I used the debug user-id command for syslog strings given as example in below and it it worked fine.

How to Configure a Custom Syslog Sender and Test User Mappings

> debug user-id test user-id-syslog-parse field-identifier event-string "User Authentication Successful:" username-prefix "username=" username-delimiter "\s" address-prefix "IP=" address-delimiter "\s" log-string "2013-03-20 12:56:53 local4.notice Aruba-Local3 authmgr[1568]: <522008> <NOTI> <Aruba-Local3 10.200.10.10> User Authentication Successful: username=ilija MAC=78:f5:fd:dd:ff:90 IP=10.200.27.67"

Field parsing successful, Username 'ilija', Address '10.200.27.67'

Which syslog server you are using? Can it convert snmp trap to syslog format? I did some research and found this link and I hope it is helpful in  fixing the problem.

Use Syslog Receiver to Integrate with Cisco Wireless Controller Series

Please check the above two links and if still no success, then you can open a case with support.

Thanks