User-ID Best Practices for Syslog Monitoring

Want to learn more about the best ways to use syslogs to associate users with authentication events that originate from many different types of sources?
Palo Alto Networks firewalls can parse Syslog messages to obtain IP address-to-username mappings. You can use authentication events from existing network services and devices such as third-party VPN solutions, Network Access Control (NAC) solutions, or Security Information and Event Management (SIEM) systems using Syslog messages. To keep user mappings current, you can also configure the firewall to parse syslog messages for logout events to automatically delete obsolete mappings.

Plan User-ID Best Practices for Syslog Monitoring Deployment

  • Review the formats that the syslog senders use to determine what syntax they use, if they include domain names, and that they meet the criteria.
  • Determine if you want to monitor logon events, logout events, or both. If you want to monitor logout events, verify that the syslog sender includes both the IP address and username in the message.
  • Based on the syslog messages, determine whether you need to use regex or field identifiers. If the syslog message is consistent and predictable, use field identifiers. If the message is more complex and less predictable, use regex.
  • Plan to deploy Syslog Monitoring using the PAN-OS integrated User-ID agent on the firewall and not the Windows User-ID Agent.

Deploy Syslog Monitoring Using Best Practices for User-ID

  • If the syslog senders use different formats, configure a Syslog Parse profile for each format.
  • If you want to monitor both login and logout events, configure a Syslog Parse profile for each event type.
  • Enable Allow matching usernames without domains if the syslog messages don’t include the domain name and usernames are unique across all domains.
  • On the PAN-OS integrated User-ID agent, always use SSL to listen for syslog messages so that the traffic is encrypted. UDP sends the traffic in cleartext, so if you must use UDP, make sure that the syslog sender and the firewall are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
  • Verify that all the syslog senders you want to monitor are included as entries in the Server Monitoring list because the firewall ignores any syslog messages from senders that are not in this list.
  • Order the entries in the Filter List in the order of the most likely match. For example, if you think 80% of the syslog messages will match filter1 and 20% will match filter2, then make sure filter1 precedes filter2 in the list.
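The following Python is an added illustration, not PAN-OS code: it models how a field-identifier profile (event string plus prefix/delimiter pairs) and a regex profile each pull the username and IP address out of a syslog message, how login events add and logout events delete a mapping, how the domain-less username setting is applied, and why the Filter List is walked in order with the first match winning. The sample syslog lines and the prefix/delimiter semantics are simplified assumptions constructed for the example.

```python
import re
# Constructed sample syslog lines (not captured from any real device):
# a VPN login with a domain, a NAC login without one, and a VPN logout.
SAMPLE_SYSLOG = [
    "<14>Mar 10 09:12:01 vpn01 sslvpn: login ok user=ACME\\jdoe src=10.1.2.3 port=443",
    "<14>Mar 10 09:12:07 nac01 radius: Access-Accept for asmith from 10.1.2.44",
    "<14>Mar 10 11:40:22 vpn01 sslvpn: logout user=ACME\\jdoe src=10.1.2.3 port=443",
]

def _field(msg, prefix, delim):
    # Text after the first occurrence of prefix, up to delim ('' if absent).
    return msg.partition(prefix)[2].split(delim, 1)[0]

def field_profile(event, user_prefix, user_delim, addr_prefix, addr_delim, logout=False):
    """Field-identifier profile: the event string selects the message, prefix/delimiter pairs cut fields."""
    def parse(msg):
        if event not in msg:
            return None
        user, addr = _field(msg, user_prefix, user_delim), _field(msg, addr_prefix, addr_delim)
        return (user, addr) if user and addr else None
    return parse, logout

def regex_profile(event, pattern, logout=False):
    """Regex profile for less predictable formats; the pattern needs named groups 'user' and 'addr'."""
    def parse(msg):
        m = re.search(pattern, msg) if event in msg else None
        return (m.group("user"), m.group("addr")) if m else None
    return parse, logout

def apply_mappings(messages, filter_list, allow_no_domain=True):
    """Replay messages through an ordered filter list; logins add an IP-to-user mapping, logouts delete it."""
    mappings = {}
    for msg in messages:
        for parse, logout in filter_list:
            hit = parse(msg)
            if hit is None:
                continue
            user, addr = hit
            if logout:
                mappings.pop(addr, None)
            elif "\\" in user or allow_no_domain:
                mappings[addr] = user
            break  # stop at the first matching filter, like the ordered Filter List
    return mappings

FILTERS = [  # ordered filter list: most likely match first
    field_profile("login ok", "user=", " ", "src=", " "),
    field_profile("logout", "user=", " ", "src=", " ", logout=True),
    regex_profile("Access-Accept", r"for (?P<user>\S+) from (?P<addr>[\d.]+)"),
]
```

Running `apply_mappings(SAMPLE_SYSLOG, FILTERS)` leaves only the NAC user mapped, because the VPN logout removed the first mapping; with `allow_no_domain=False` the domain-less NAC login is dropped and no mapping remains.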

Use Syslog Monitoring Post-Deployment Best Practices for User-ID

  • Validate that the syslog messages match the Syslog Parse profiles and that the firewall receives the IP address-to-username mapping from the syslog messages.
  • Use the show user server-monitor statistics CLI command to validate that the firewall receives the messages from the syslog senders and maps the users correctly.
