Configure the Windows User-ID Agent as a Syslog Listener
To configure the Windows-based User-ID agent
to create new user mappings and remove outdated mappings through
syslog monitoring, start by defining Syslog Parse profiles. The
User-ID agent uses the profiles to find login and logout events
in syslog messages. In environments where syslog senders (the
network services that authenticate users) deliver syslog messages
in different formats, configure a profile for each syslog format.
Syslog messages must meet certain criteria for a User-ID agent to
parse them (see Syslog). This
procedure uses examples with the following formats:
- Login events—[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
- Logout events—[Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212
After configuring the Syslog Parse profiles, you specify the syslog senders that the User-ID agent monitors.

The Windows User-ID agent accepts syslog over TCP and UDP only. Use caution when receiving syslog messages over UDP: it is a connectionless, unreliable protocol, so there is no way to verify that a message actually came from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can spoof a permitted source address and inject unauthorized syslog messages, which the agent would turn into user mappings that the firewall then enforces. As a best practice, use TCP instead of UDP: a TCP connection requires a completed handshake, so a blind sender cannot forge messages from a spoofed address. TCP still does not authenticate or encrypt the messages themselves, so in either case make sure that the syslog sender and the User-ID agent are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslog to the User-ID agent.
- Deploy the Windows-based User-ID agents if you haven’t already.
- Define custom Syslog Parse profiles to create and delete user mappings. Each profile filters syslog messages to identify either login events (to create user mappings) or logout events (to delete mappings), but no single profile can do both.
- Review the syslog messages that the syslog sender generates to identify the syntax for login and logout events. This enables you to define the matching patterns when creating Syslog Parse profiles. While reviewing syslog messages, also determine whether they include the domain name. If they don’t, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
- Open the Windows Start menu and select User-ID Agent.
- Select User Identification > Setup and Edit the Setup.
- Select Syslog, Enable Syslog Service, and Add a Syslog Parse profile.
- Enter a Profile Name and Description.
- Select the Type of parsing to find login and logout events in syslog messages:
- Regex—Regular expressions.
- Field—Text strings.
The following steps describe how to configure these parsing types.
- (Regex parsing only) Define the regex matching patterns. If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
- Enter the Event Regex for the type of events you want to find:
- Login events—For the example message, the regex (authentication\ success){1} extracts the first {1} instance of the string authentication success.
- Logout events—For the example message, the regex (logout\ successful){1} extracts the first {1} instance of the string logout successful.
The backslash before the space is a standard regex escape character that instructs the regex engine not to treat the space as a special character.
- Enter the Username Regex to identify the start of the username. In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and identifies johndoe1 as the username. The escaped backslash in the character class also lets the capture group keep a domain-qualified name such as domain\johndoe1.
- Enter the Address Regex to identify the IP address portion of syslog messages. In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches the IPv4 address in Source:192.168.3.212 and captures 192.168.3.212. The following is an example of a completed Syslog Parse profile that uses regex to identify login events.
- Click OK twice to save the profile.
- (Field Identifier parsing only) Define string matching patterns.
- Enter an Event String to identify the type of events you want to find.
- Login events—For the example message, the string authentication success identifies login events.
- Logout events—For the example message, the string logout successful identifies logout events.
- Enter a Username Prefix to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, User: identifies the start of the username field.
- Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
- Enter an Address Prefix to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab). In the example messages, Source: identifies the start of the address field.
- Enter the Address Delimiter that indicates the end of the IP address field in syslog messages. For example, enter \n to indicate the delimiter is a line break. The following is an example of a completed Syslog Parse profile that uses string matching to identify login events.
- Click OK twice to save the profile.
- Specify the syslog senders that the User-ID agent monitors. Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to 50 can be syslog senders. The User-ID agent discards any syslog messages received from senders that are not on this list.
- Select User Identification > Discovery and Add an entry to the Servers list.
- Enter a Name to identify the sender.
- Enter the Server Address of the syslog sender (IP address or FQDN).
- Set the Server Type to Syslog Sender.
- (Optional) If you want to override the current domain in the username of your syslog message, or prepend the domain to the username if your syslog message doesn’t contain a domain, enter a Default Domain Name.
- For each syslog format that the sender supports, Add a Syslog Parse profile to the Filter list. Select the Event Type that you configured each profile to identify—login (default) or logout—and then click OK.
- Click OK to save the settings.
- Commit your changes to the User-ID agent configuration.
- Verify that the User-ID agent adds and deletes user mappings when users log in and out. You can use CLI commands to see additional information about syslog senders, syslog messages, and user mappings.
- Log in to a client system for which a monitored syslog sender generates login and logout event messages.
- Verify that the User-ID agent mapped the login username to the client IP address:
- In the User-ID agent, select Monitoring.
- Enter the username or IP address in the filter field, Search, and verify that the list displays the mapping.
- Verify that the firewall received the user mapping from the User-ID agent:
- Access the firewall CLI.
- Run the following command:
  > show user ip-user-mapping ip <ip-address>
  If the firewall received the user mapping, the output resembles the following:
  IP address: 192.0.2.1 (vsys1) User: localdomain\username From: SYSLOG
- Log out of the client system.
- Verify that the User-ID agent removed the user mapping:
- In the User-ID agent, select Monitoring.
- Enter the username or IP address in the filter field, Search, and verify that the list does not display the mapping.
- Verify that the firewall deleted the user mapping:
- Access the firewall CLI.
- Run the following command:
  > show user ip-user-mapping ip <ip-address>
  If the firewall deleted the user mapping, the output displays:
  No matched record
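The following is an added example, not Palo Alto Networks code, that re-implements in Python what the procedure above configures: both Syslog Parse profile types (Regex and Field Identifier) using the page's own example patterns, a Servers list that discards messages from unlisted senders, the Default Domain Name override, and the login/logout lifecycle of an IP-to-user mapping. The sender address 192.168.3.10, the unlisted sender 10.0.0.99, the domain name localdomain, and the syslog lines are constructed for the demonstration; the class and function names are the example's own, not the agent's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str]  # (event_type, username, ip_address)


@dataclass(frozen=True)
class RegexProfile:
    """Syslog Parse profile of Type Regex: Event Regex, Username Regex, Address Regex."""
    event_regex: str
    username_regex: str
    address_regex: str
    event_type: str = "login"  # "login" creates a mapping, "logout" deletes it

    def parse(self, msg: str) -> Optional[Event]:
        if not re.search(self.event_regex, msg):  # not this profile's event type
            return None
        user = re.search(self.username_regex, msg)
        addr = re.search(self.address_regex, msg)
        if not (user and addr):
            return None
        return (self.event_type, user.group(1), addr.group(1))


# Delimiter tokens the Field profile accepts; anything else is taken literally.
DELIMS = {"\\s": " ", "\\t": "\t", "\\n": "\n"}


@dataclass(frozen=True)
class FieldProfile:
    """Syslog Parse profile of Type Field: literal Event String, prefixes and delimiters."""
    event_string: str
    username_prefix: str
    username_delimiter: str
    address_prefix: str
    address_delimiter: str
    event_type: str = "login"

    @staticmethod
    def _field(msg: str, prefix: str, delim: str) -> Optional[str]:
        start = msg.find(prefix)
        if start < 0:
            return None
        start += len(prefix)
        end = msg.find(DELIMS.get(delim, delim), start)
        if end < 0:  # delimiter absent, e.g. \n on a message with no trailing newline
            end = len(msg)
        return msg[start:end] or None

    def parse(self, msg: str) -> Optional[Event]:
        if self.event_string not in msg:
            return None
        user = self._field(msg, self.username_prefix, self.username_delimiter)
        addr = self._field(msg, self.address_prefix, self.address_delimiter)
        if not (user and addr):
            return None
        return (self.event_type, user, addr)


@dataclass(frozen=True)
class SyslogSender:
    """One Servers-list entry with Server Type = Syslog Sender (hypothetical model)."""
    address: str                          # Server Address
    profiles: tuple                       # Filter list of parse profiles
    default_domain: Optional[str] = None  # Default Domain Name


class UserIDAgent:
    def __init__(self, senders: List[SyslogSender]) -> None:
        self.senders = {s.address: s for s in senders}
        self.mappings: Dict[str, str] = {}  # IP -> username, as on the Monitoring tab
        self.discarded = 0

    def receive(self, source_ip: str, msg: str) -> Optional[Event]:
        sender = self.senders.get(source_ip)
        if sender is None:  # sender not on the Servers list: message is discarded, never parsed
            self.discarded += 1
            return None
        for profile in sender.profiles:
            event = profile.parse(msg)
            if event is None:
                continue
            event_type, user, ip = event
            if sender.default_domain:  # override an existing domain, or prepend one
                user = sender.default_domain + "\\" + user.split("\\")[-1]
            if event_type == "login":
                self.mappings[ip] = user
            else:
                self.mappings.pop(ip, None)
            return (event_type, user, ip)
        return None  # no profile matched (e.g. a failed-authentication message)


# The page's example patterns, verbatim.
LOGIN_REGEX = RegexProfile(r"(authentication\ success){1}", r"User:([a-zA-Z0-9\\\._]+)",
                           r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})", "login")
LOGOUT_REGEX = RegexProfile(r"(logout\ successful){1}", LOGIN_REGEX.username_regex,
                            LOGIN_REGEX.address_regex, "logout")
LOGIN_FIELD = FieldProfile("authentication success", "User:", "\\s", "Source:", "\\n", "login")

# Constructed sample traffic: (source IP the message arrived from, message text).
SAMPLES = [
    ("192.168.3.10", "[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212"),
    ("10.0.0.99",    "[Tue Jul 5 13:16:00 2016 CDT] Administrator authentication success User:notlisted Source:192.168.3.213"),
    ("192.168.3.10", "[Tue Jul 5 13:17:00 2016 CDT] Administrator authentication failure User:johndoe1 Source:192.168.3.212"),
    ("192.168.3.10", "[Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212"),
]


def run_demo():
    """Feed SAMPLES through an agent monitoring one sender; return agent, events, and mapping snapshots."""
    agent = UserIDAgent([SyslogSender("192.168.3.10", (LOGIN_REGEX, LOGOUT_REGEX), "localdomain")])
    events, states = [], []
    for src, msg in SAMPLES:
        events.append(agent.receive(src, msg))
        states.append(dict(agent.mappings))
    return agent, events, states


if __name__ == "__main__":
    agent, events, states = run_demo()
    for (src, _), ev, state in zip(SAMPLES, events, states):
        print(f"{src:14} -> {ev}  mappings={state}")
    print("discarded from unlisted senders:", agent.discarded)
```

Running the block shows the first message creating the mapping 192.168.3.212 -> localdomain\johndoe1, the message from 10.0.0.99 being discarded without parsing because that address is not a configured sender, the failed-authentication message matching neither profile, and the logout message deleting the mapping. The discard-by-source-address check is exactly the control the caveat above describes as spoofable over UDP: the model keys trust on the source IP alone, so anything that can forge that address can drive the mapping table.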