Hi,

I just found what seems to be a minor issue with the syslog processing on the Windows Agent which doesn't appear in the agentless processing under PANOS. I have migrated from agentless to a server-based agent, which is why I spotted this.

I have two syslog filters I use: one is based on a regex and the other was a field-based one, as the messages were a lot simpler. The regex one was working fine when I ported it across, but I found that the field-based one was messing up my user names.

The messages are in the format

RadAcct username:xxxx ip:1.2.3.4

So nice and simple. Using "RadAcct" as my event string, "username:" as the user ID, "ip:" as the ID for the IP address and "\s" as the delimiter for both, that worked fine on PANOS.

What I found on the Windows agent was that the usernames were coming out as ":xxxx ip:1.2.3.4". The IP addresses were being picked out OK; it was just not delimiting the username.

I have worked around it by changing it to a regex, but I thought you may be interested to know.

Cheers
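An offline check for the filter settings described in the post, added here as an example (it is not part of the original post and is not Palo Alto Networks code). The function names, the two regex patterns and the sample values are assumptions; `field_extract` models "prefix, then read up to the delimiter" as the post describes it, not the agent's actual implementation.

```python
import ipaddress
import re

EVENT = "RadAcct"                                    # event string from the post
USER_RE = re.compile(r"username:(\S+)")              # assumed regex filter
IP_RE = re.compile(r"ip:(\d{1,3}(?:\.\d{1,3}){3})")  # assumed regex filter


def field_extract(line, prefix, delimiter=r"\s"):
    """Field-style extraction: text after `prefix`, cut at the first delimiter."""
    start = line.find(prefix)
    if start < 0:
        return None
    rest = line[start + len(prefix):]
    return re.split(delimiter, rest, maxsplit=1)[0]


def regex_extract(line):
    """Regex-style extraction of (username, ip) from one syslog line."""
    user = USER_RE.search(line)
    ip = IP_RE.search(line)
    return (user.group(1) if user else None, ip.group(1) if ip else None)


def mapping_problems(user, ip):
    """Reasons a user-to-IP mapping should not be trusted (empty list = OK)."""
    problems = []
    if not user:
        problems.append("empty username")
    elif re.search(r"\s", user) or user.startswith(":") or "ip:" in user:
        # Matches the symptom in the post: delimiter not applied to the username
        problems.append("username contains delimiter or field residue")
    try:
        ipaddress.IPv4Address(ip or "")
    except ValueError:
        problems.append("invalid IPv4 address")
    return problems


def check_line(line):
    """Run both extraction styles on a line; None if the event string is absent."""
    if EVENT not in line:
        return None
    user = field_extract(line, "username:")
    ip = field_extract(line, "ip:")
    return {"field": (user, ip), "regex": regex_extract(line),
            "problems": mapping_problems(user, ip)}
```

Running `mapping_problems` over the mappings an agent actually reports, before they feed user-based policy, catches a username such as ":jdoe ip:192.0.2.10" that would otherwise match no real user.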