User-ID Best Practices for Syslog Monitoring
End-of-Life (EoL)
Want to learn more about the best ways to use syslogs to associate users with authentication events that originate from many different types of sources?
Next-gen firewalls can parse syslog messages to obtain IP address-to-username mappings. You can use authentication events from existing network services and devices, such as third-party VPN solutions, Network Access Control (NAC) solutions, or Security Information and Event Management (SIEM) systems, that emit syslog messages. To keep user mappings current, you can also configure the firewall to parse syslog messages for logout events so that it automatically deletes outdated mappings.
Plan User-ID Best Practices for Syslog Monitoring Deployment
Review the formats that the syslog senders use to determine what syntax they use, whether they include domain names, and whether they meet the criteria.
Determine whether you want to monitor logon events, logout events, or both. If you want to monitor logout events, verify that the syslog sender includes both the IP address and the username in the message.
Based on the syslog messages, determine whether you need to use regex or field identifiers. If the syslog message is consistent and predictable, use field identifiers. If the message is more complex and less predictable, use regex.
Plan to deploy Syslog Monitoring using the PAN-OS integrated User-ID agent on the firewall, not the Windows User-ID Agent.
Deploy Syslog Monitoring Using Best Practices for User-ID
If the syslog senders use different formats, configure a Syslog Parse profile for each format.
If you want to monitor both login and logout events, configure a Syslog Parse profile for each event type.
Enable Allow matching usernames without domains if the syslog messages don't include the domain name and usernames are unique across all domains.
On the PAN-OS integrated User-ID agent, always use SSL to listen for syslog messages so that the traffic is encrypted. UDP sends the traffic in cleartext, so if you must use UDP, make sure that the syslog sender and the firewall are both on a dedicated, secure network to prevent untrusted hosts from sending UDP traffic to the firewall.
Verify that all the syslog senders you want to monitor are included as entries in the Server Monitoring list; any syslog messages from senders that are not in this list are discarded.
Order the entries in the Filter List by the most likely match. For example, if you expect 80% of the syslog messages to match filter1 and 20% to match filter2, make sure filter1 precedes filter2 in the list.
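The two parse styles from the planning step (field identifiers versus regex) and the deployment rules above (an ordered Filter List where the first match wins, discarding senders that are not in the Server Monitoring list, and logout events deleting a mapping), as an added Python illustration that is not PAN-OS code. The sender names, message formats and parser signatures are constructed assumptions, not any real product's syslog format.

```python
import re

def field_parser(event_str, user_prefix, user_delim, addr_prefix, addr_delim):
    """Field-identifier profile: the event string selects the message; each value is the text between a fixed prefix and the next delimiter."""
    def field(msg, prefix, delim):
        start = msg.find(prefix)
        end = msg.find(delim, start + len(prefix)) if start >= 0 else -1
        return msg[start + len(prefix):end] if start >= 0 and end >= 0 else None
    def parse(msg):
        user, addr = field(msg, user_prefix, user_delim), field(msg, addr_prefix, addr_delim)
        return (user, addr) if event_str in msg and user and addr else None
    return parse

def regex_parser(event_re, user_re, addr_re):
    """Regex profile: the event regex selects the message; group 1 of the username and address regexes supplies the values."""
    ev, ur, ar = re.compile(event_re), re.compile(user_re), re.compile(addr_re)
    def parse(msg):
        u, a = ur.search(msg), ar.search(msg)
        return (u.group(1), a.group(1)) if ev.search(msg) and u and a else None
    return parse

HOST_RE = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ")  # RFC 3164-style header: PRI, timestamp, hostname

def build_mappings(lines, allowed_senders, filters):
    """Walk the ordered filter list per message (first match wins); drop senders outside the monitoring list; logout deletes a matching mapping."""
    mappings = {}  # IP address -> username
    for line in lines:
        m = HOST_RE.match(line)
        if not m or m.group(1) not in allowed_senders:
            continue  # sender is not in the Server Monitoring list: discarded
        for parser, event in filters:
            hit = parser(line)
            if hit:
                user, ip = hit
                if event == "login":
                    mappings[ip] = user
                elif mappings.get(ip) == user:
                    del mappings[ip]
                break

    return mappings

# Constructed sample messages from two hypothetical senders (vpn-gw1, nac-1) plus an unlisted host.
SAMPLE = [
    "<14>Jan 10 09:12:01 vpn-gw1 vpnd: login user=CORP\\alice src=10.1.2.3 dur=0",
    "<14>Jan 10 09:12:40 nac-1 nacd: Auth OK: user 'bob' at 10.1.2.7 (port 12)",
    "<14>Jan 10 09:30:02 vpn-gw1 vpnd: logout user=CORP\\alice src=10.1.2.3 dur=1081",
    "<14>Jan 10 09:31:00 nac-1 nacd: Auth FAIL: user 'eve' at 10.1.2.8 (port 13)",
    "<14>Jan 10 09:32:00 rogue-host vpnd: login user=mallory src=10.9.9.9 dur=0",
]
FILTERS = [  # most likely match first: VPN logins are assumed to be the bulk of the messages
    (field_parser("vpnd: login ", "user=", " ", "src=", " "), "login"),
    (field_parser("vpnd: logout ", "user=", " ", "src=", " "), "logout"),
    (regex_parser(r"Auth OK:", r"user '([^']+)'", r"at (\d+\.\d+\.\d+\.\d+)"), "login"),
]
```

Running `build_mappings(SAMPLE, {"vpn-gw1", "nac-1"}, FILTERS)` leaves only bob mapped: alice's logout removed her mapping, the failed NAC authentication matched no filter, and rogue-host was discarded as an unlisted sender.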
Use Syslog Monitoring Post-Deployment Best Practices for User-ID
Validate that the syslog messages match the Syslog Parse profiles and that the firewall receives the IP address-to-username mapping from the syslog messages.
Use the show user server-monitor statistics CLI command to validate that the firewall receives the messages from the syslog senders and maps the users correctly.