02-04-2021 08:14 PM - edited 02-04-2021 08:17 PM
If you use the PA as the DHCP server, you can feed the PA's DHCP logs back to itself and use the hostname or MAC address as the username.
Some devices report their hostname while getting an IP from the DHCP server, some don't. In this case, you have to use the MAC address as the username.
1. Enable USER-ID syslog listener UDP on management interface.
2. Configure PA to send DHCP lease-start logs to its management interface.
3. Configure Palo Alto Networks User-ID Agent Setup, in the Syslog filters:
Event Regex: DHCP\ lease\ started
Username Regex: hostname\ ([a-zA-Z0-9\\\._-]+)
Address Regex: ip\ ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s
4. Configure Server Monitoring to monitor its own management interface, and apply the above syslog filter.
Tested on my PA-VM 10.0.4. My mobile phone reports its hostname as android-xxxxxx
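
The three filters from step 3 can be checked offline before they are entered on the firewall. The following is an added example, not part of the original post: the log lines are constructed and their field layout is an assumption, and `MAC_RE` is a hypothetical pattern for the MAC-as-username case, which the post mentions but gives no regex for.

```python
import re

# Filters exactly as given in step 3 of the post.
EVENT_RE = re.compile(r"DHCP\ lease\ started")
USERNAME_RE = re.compile(r"hostname\ ([a-zA-Z0-9\\\._-]+)")
ADDRESS_RE = re.compile(r"ip\ ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s")
# Hypothetical pattern for the MAC-as-username case; not from the post.
MAC_RE = re.compile(r"mac\ ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")

# Constructed sample lines; the field layout is an assumption.
SAMPLE_LOGS = [
    # Client that reports a hostname.
    "DHCP lease started ip 192.168.1.23 --> mac 3c:5a:b4:00:11:22 - hostname android-a1b2c3, interface ethernet1/2",
    # Client that reports no hostname: only the MAC is available.
    "DHCP lease started ip 192.168.1.24 --> mac 3c:5a:b4:00:11:23, interface ethernet1/2",
    # Not a lease-start event: the Event Regex must reject it.
    "DHCP lease expired ip 192.168.1.23 --> mac 3c:5a:b4:00:11:22 - hostname android-a1b2c3, interface ethernet1/2",
    # Address is the last token: the trailing \s in the Address Regex has nothing to match.
    "DHCP lease started hostname printer-01 ip 192.168.1.25",
]


def map_line(line):
    """Return (ip, username) for a lease-start line, or None if no mapping results."""
    if not EVENT_RE.search(line):
        return None
    addr = ADDRESS_RE.search(line)
    if not addr:
        return None
    # Prefer the hostname; fall back to the MAC when no hostname is present.
    user = USERNAME_RE.search(line) or MAC_RE.search(line)
    if not user:
        return None
    return addr.group(1), user.group(1)


def build_mappings(lines):
    """Collect IP -> username mappings from all lines that pass the filters."""
    mappings = {}
    for line in lines:
        result = map_line(line)
        if result:
            mappings[result[0]] = result[1]
    return mappings


if __name__ == "__main__":
    for ip, user in build_mappings(SAMPLE_LOGS).items():
        print(f"{ip} -> {user}")
```

The fourth sample line produces no mapping because the Address Regex ends in `\s`, so the address must be followed by whitespace in the log line for the filter to match.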