Your environment might have existing network services
that authenticate users. These services include wireless controllers,
802.1x devices, Apple Open Directory servers, proxy servers, and
other Network Access Control (NAC) mechanisms. You can configure
these services to send syslog messages that contain information
about login and logout events and configure the User-ID agent to
parse those messages. The User-ID agent parses for login events
to map IP addresses to usernames and parses for logout events to
delete outdated mappings. Deleting outdated mappings is particularly
useful in environments where IP address assignments change often.
Both the PAN-OS integrated User-ID agent and Windows-based User-ID
agent use Syslog Parse profiles to parse syslog messages. In environments
where services send the messages in different formats, you can create
a custom profile for each format and associate multiple profiles
with each syslog sender. If you use the PAN-OS integrated User-ID agent,
you can also use predefined Syslog Parse profiles that Palo Alto
Networks provides through Applications content updates.
Syslog messages must meet the following criteria for a User-ID
agent to parse them:
Each message must be a single-line text string. The allowed
delimiters for line breaks are a new line (
or a carriage return plus a new line (
The maximum size for individual messages is 8,000 bytes.
Messages sent over UDP must be contained in a single packet;
messages sent over SSL can span multiple packets. A single packet
might contain multiple messages.