Want to learn more about the best ways to use syslogs
to associate users with authentication events that originate from
many different types of sources?
Palo Alto Networks firewalls can parse Syslog
messages to obtain IP address-to-username mappings. You can use
authentication events from existing network services and devices
such as third-party VPN solutions, Network Access Control (NAC)
solutions, or Security Information and Event Management (SIEM) systems
using Syslog messages. To keep user mappings current, you can also
configure the firewall to parse syslog messages for logout events
to automatically delete obsolete mappings.
Plan User-ID Best Practices for Syslog Monitoring Deployment
Review the formats
that the syslog senders use to determine what syntax they use, if
they include domain names, and that they meet the criteria.
Determine if you want to monitor logon events, logout events,
or both. If you want to monitor logout events, verify that the syslog
sender includes both the IP address and username in the message.
Based on the syslog messages, determine whether you need to
use regex or field identifiers. If the syslog message is consistent
and predictable, use field identifiers. If the message is more complex
and less predictable, use regex.
Plan to deploy Syslog Monitoring using the PAN-OS integrated
User-ID agent on the firewall and not the Windows User-ID Agent.
Deploy Syslog Monitoring Using Best Practices for User-ID
If the syslog
senders use different formats, configure a Syslog Parse profile
for each format.
If you want to monitor both login and logout events, configure
a Syslog Parse profile for each event type.
Allow matching usernames without domains if the syslog messages
don’t include the domain name and usernames are unique across all
domains.
On the PAN-OS integrated User-ID agent, always use SSL to listen
for syslog messages because the traffic is encrypted. Because UDP
sends the traffic in cleartext, if you must use UDP, make sure that
the syslog sender and client are both on a dedicated, secure network
to prevent untrusted hosts from sending UDP traffic to the firewall.
Verify that all the syslog senders you want to monitor are included
as entries in the Server Monitoring list because the firewall ignores
any syslog messages from senders that are not in this list.
Order the entries in the Filter List in the order of the most
likely match. For example, if you think 80% of the syslog messages
will match filter1 and 20% will match filter2, then make sure filter1
precedes filter2 in the list.
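The following Python example is added here to illustrate the parsing decisions in this section; it is not code from Palo Alto Networks or PAN-OS. It models the two Syslog Parse profile styles described above (field identifiers for predictable messages, regular expressions for less predictable ones), separate login and logout profiles, the domain-less username rule, the Server Monitoring sender list, and an ordered Filter List where the first matching profile wins. The syslog lines, sender names, profile names and the mapper's counters are all constructed for the example; the counters are not the firewall's own statistics.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

Match = Tuple[str, str, str]  # (event, username, ip)


def _field(msg: str, prefix: str, delim: str) -> Optional[str]:
    """Field-identifier extraction: the text after `prefix` up to `delim`."""
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = msg.find(delim, start)
    value = msg[start:end if end >= 0 else len(msg)].strip()
    return value or None


@dataclass
class FieldProfile:
    """Parse profile for consistent, predictable messages (field identifiers)."""
    name: str
    event: str           # "login" or "logout"
    event_string: str    # literal that identifies the event
    user_prefix: str
    user_delim: str
    addr_prefix: str
    addr_delim: str

    def match(self, msg: str) -> Optional[Match]:
        if self.event_string not in msg:
            return None
        user = _field(msg, self.user_prefix, self.user_delim)
        addr = _field(msg, self.addr_prefix, self.addr_delim)
        return (self.event, user, addr) if user and addr else None


@dataclass
class RegexProfile:
    """Parse profile for less predictable messages (regular expressions)."""
    name: str
    event: str
    event_regex: re.Pattern
    user_regex: re.Pattern   # group 1 captures the username
    addr_regex: re.Pattern   # group 1 captures the IP address

    def match(self, msg: str) -> Optional[Match]:
        if not self.event_regex.search(msg):
            return None
        u, a = self.user_regex.search(msg), self.addr_regex.search(msg)
        return (self.event, u.group(1), a.group(1)) if u and a else None


class SyslogUserMapper:
    """Keeps IP-to-username mappings built from syslog login/logout events."""

    def __init__(self, senders: Iterable[str], filters, allow_no_domain: bool):
        self.senders = set(senders)          # the Server Monitoring list
        self.filters = list(filters)         # Filter List, most likely match first
        self.allow_no_domain = allow_no_domain
        self.mappings: Dict[str, str] = {}   # ip -> username
        self.stats = {"received": 0, "ignored_sender": 0, "unmatched": 0,
                      "login": 0, "logout": 0, "no_domain_dropped": 0}

    def process(self, sender: str, msg: str) -> Optional[Match]:
        self.stats["received"] += 1
        if sender not in self.senders:       # unlisted senders are ignored
            self.stats["ignored_sender"] += 1
            return None
        for prof in self.filters:            # first matching profile wins
            result = prof.match(msg)
            if result is None:
                continue
            event, user, ip = result
            # Assumed domain test for the example: DOMAIN\user or user@domain.
            if not self.allow_no_domain and not ("\\" in user or "@" in user):
                self.stats["no_domain_dropped"] += 1
                return None
            if event == "login":
                self.mappings[ip] = user
            else:                            # logout: delete the obsolete mapping
                self.mappings.pop(ip, None)
            self.stats[event] += 1
            return result
        self.stats["unmatched"] += 1
        return None


IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"
# One profile per format and per event type; the VPN login profile is
# listed first because it is assumed to be the most frequent match.
PROFILES = [
    FieldProfile("vpn-login", "login", "Login succeeded", "user=", ",", "ip=", ","),
    FieldProfile("vpn-logout", "logout", "Logout.", "user=", ",", "ip=", ","),
    RegexProfile("nac-login", "login", re.compile(r"authenticated as"),
                 re.compile(r"authenticated as (\S+)"), re.compile(r"device " + IP_RE)),
]

# Constructed sample messages (not real product output).
SAMPLES = [
    ("vpn1", "Jan 10 10:00:01 vpn1 vpnd: Login succeeded. user=CORP\\alice, ip=10.1.2.3, tunnel=ssl"),
    ("nac1", "Jan 10 10:05:12 nac1 nac: device 10.1.2.4 authenticated as CORP\\bob (802.1X) on sw7"),
    ("rogue", "Jan 10 10:06:00 rogue vpnd: Login succeeded. user=CORP\\eve, ip=10.1.2.9, tunnel=ssl"),
    ("vpn1", "Jan 10 10:07:00 vpn1 vpnd: Keepalive ip=10.1.2.3"),
    ("vpn1", "Jan 10 11:30:00 vpn1 vpnd: Logout. user=CORP\\alice, ip=10.1.2.3, tunnel=ssl"),
]


def run_samples() -> SyslogUserMapper:
    mapper = SyslogUserMapper(senders=["vpn1", "nac1"], filters=PROFILES, allow_no_domain=False)
    for sender, msg in SAMPLES:
        mapper.process(sender, msg)
    return mapper


if __name__ == "__main__":
    m = run_samples()
    print(m.mappings, m.stats)
```

Running the samples leaves only the NAC-derived mapping for 10.1.2.4: alice's mapping is created by the login line and removed again by the logout line, the message from the unlisted sender `rogue` is dropped before any profile is tried, and the keepalive line matches no profile and is counted as unmatched. Swapping the order of the VPN and NAC profiles changes nothing in the result, only how many profiles are tried per message, which is the point of ordering the Filter List by most likely match.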
Use Syslog Monitoring Post-Deployment Best Practices for User-ID
Verify that the syslog messages match the Syslog Parse profiles and
that the firewall receives the IP address-to-username mappings from
the syslog messages.
Use the show user server-monitor statistics CLI command to validate
that the firewall receives the messages from the syslog senders
and maps the users correctly.