Configure the Windows User-ID Agent as a Syslog Listener
To configure the Windows-based User-ID agent
to create new user mappings and remove outdated mappings through
syslog monitoring, start by defining Syslog Parse profiles. The
User-ID agent uses the profiles to find login and logout events
in syslog messages. In environments where syslog senders (the
network services that authenticate users) deliver syslog messages
in different formats, configure a profile for each syslog format.
Syslog messages must meet certain criteria for a User-ID agent to
parse them (see Syslog). This
procedure uses examples with the following formats:
- Login events—[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
- Logout events—[Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212
After
configuring the Syslog Parse profiles, you specify the syslog senders
that the User-ID agent monitors.
The Windows User-ID agent accepts syslog messages over TCP and UDP only, and because those are the only options, the transport itself provides no encryption and no authentication of the sender. Use caution with UDP in particular: it is connectionless and unreliable, so there is no way to verify that a message came from a trusted syslog sender. Although you can restrict syslog messages to specific source IP addresses, an attacker can spoof the source address of a UDP datagram, potentially injecting forged login or logout events into the firewall's user mappings (for example, mapping an attacker-controlled address to a privileged user, or unmapping a legitimate user). TCP is harder to spoof because the sender must complete the handshake, so as a best practice use TCP instead of UDP. In either case, place the syslog sender and the host running the User-ID agent on a dedicated, secure VLAN so that untrusted hosts cannot send syslog messages to the User-ID agent at all.
- Deploy the Windows-based User-ID agents if you haven’t already.
- Define custom Syslog Parse profiles to create and delete
user mappings. Each profile filters syslog messages to identify either login events (to create user mappings) or logout events (to delete mappings), but no single profile can do both.
- Review the syslog messages that the syslog
sender generates to identify the syntax for login and logout events.
This enables you to define the matching patterns when creating Syslog
Parse profiles. While reviewing syslog messages, also determine whether they include the domain name. If they don't, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
- Open the Windows Start menu and select User-ID Agent.
- Select User Identification > Setup and Edit the Setup.
- Select Syslog, Enable Syslog Service, and Add a Syslog Parse profile.
- Enter a Profile Name and Description.
- Select the Type of parsing
to find login and logout events in syslog messages:
- Regex—Regular expressions.
- Field—Text strings.
The following steps describe how to configure these parsing types.
- (Regex parsing only) Define the regex matching
patterns. If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
- Enter the Event Regex for
the type of events you want to find:
- Login events—For the example message, the regex (authentication\ success){1} matches the string authentication success.
- Logout events—For the example message, the regex (logout\ successful){1} matches the string logout successful.
The {1} quantifier requires exactly one occurrence of the parenthesized group, which is what an unquantified group matches anyway, so it is harmless but not required. The backslash before the space escapes it; a space is not a special character in standard regex syntax, so the escape only makes the literal space explicit.
- Enter the Username Regex to
identify the start of the username. In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and identifies johndoe1 as the username: the capture group, not the User: prefix, becomes the username. The \\ inside the character class allows a backslash, so a domain-qualified name such as User:corp\johndoe1 is captured as corp\johndoe1.
- Enter the Address Regex to
identify the IP address portion of syslog messages. In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches Source:192.168.3.212 and captures the IPv4 address 192.168.3.212. This pattern accepts any four dot-separated groups of one to three digits (999.999.999.999 included), so it checks the shape of the field, not the validity of the address. For the login example, the completed Syslog Parse profile therefore has Event Regex (authentication\ success){1}, Username Regex User:([a-zA-Z0-9\\\._]+), and Address Regex Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).
- Click OK twice to save the profile.
- (Field Identifier parsing only) Define string
matching patterns.
- Enter an Event String to
identify the type of events you want to find.
- Login events—For the example message, the string authentication success identifies login events.
- Logout events—For the example message, the string logout successful identifies logout events.
- Enter a Username Prefix to
identify the start of the username field in syslog messages. The
field does not support regex expressions such as \s (for a space)
or \t (for a tab). In the example messages, User: identifies the start of the username field.
- Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
- Enter an Address Prefix to
identify the start of the IP address field in syslog messages. The
field does not support regex expressions such as \s (for a space)
or \t (for a tab). In the example messages, Source: identifies the start of the address field.
- Enter the Address Delimiter that
indicates the end of the IP address field in syslog messages. For example, enter \n to indicate the delimiter is a line break; in the sample messages the address is the last field on the line, so a line break ends it. For the login example, the completed Syslog Parse profile that uses string matching therefore has Event String authentication success, Username Prefix User:, Username Delimiter \s, Address Prefix Source:, and Address Delimiter \n.
- Click OK twice to save the profile.
- Specify the syslog senders that the User-ID agent monitors. Within the total maximum of 100 servers of all types that the User-ID agent can monitor, up to 50 can be syslog senders. The User-ID agent discards any syslog messages received from senders that are not on this list.
- Select User Identification > Discovery and Add an entry to the Servers list.
- Enter a Name to identify the sender.
- Enter the Server Address of the syslog sender (IP address or FQDN).
- Set the Server Type to Syslog Sender.
- (Optional) If you want to override the current domain in the username of your syslog message or prepend the domain to the username if your syslog message doesn’t contain a domain, enter a Default Domain Name.
- For each syslog format that the sender supports, Add a Syslog Parse profile to the Filter list. Select the Event Type that you configured each profile to identify—login (default) or logout—and then click OK.
- Click OK to save the settings.
- Commit your changes to the User-ID agent configuration.
- Verify that the User-ID agent adds and deletes user mappings
when users log in and out. You can use CLI commands to see additional information about syslog senders, syslog messages, and user mappings.
- Log in to a client system for which a monitored syslog sender generates login and logout event messages.
- Verify that the User-ID agent mapped the login username
to the client IP address:
- In the User-ID agent, select Monitoring.
- Enter the username or IP address in the filter field, Search, and verify that the list displays the mapping.
- Verify that the firewall received the user mapping
from the User-ID agent:
- Access the firewall CLI.
- Run the following command:
> show user ip-user-mapping ip <ip-address>
If the firewall received the user mapping, the output resembles the following:
IP address: 192.0.2.1 (vsys1)
User: localdomain\username
From: SYSLOG
- Log out of the client system.
- Verify that the User-ID agent removed the user mapping:
- In the User-ID agent, select Monitoring.
- Enter the username or IP address in the filter field, Search, and verify that the list does not display the mapping.
- Verify that the firewall deleted the user mapping:
- Access the firewall CLI.
- Run the following command:
> show user ip-user-mapping ip <ip-address>
If the firewall deleted the user mapping, the output displays:
No matched record
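To check Syslog Parse profile patterns against real messages before committing them to the agent, the following is an added example (it is not code from this page or from Palo Alto Networks) that implements both parsing types described in the Syslog Parse profile steps above in Python and runs them over the page's sample login and logout messages, maintaining the IP-to-user table the way the agent's Monitoring view would show it. The page's regexes, event strings, prefixes and delimiters are used as written; the class names, the simulate function, the Default Domain Name handling, the rule that the first matching profile decides a message, and the two extra constructed messages are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Sample syslog message bodies. The login and logout lines are the page's own
# examples; the link-state line is constructed to show that messages without a
# user event are ignored, and DOMAIN_MESSAGE is constructed to show a
# domain-qualified username.
SAMPLE_MESSAGES = [
    "[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212",
    "[Tue Jul 5 13:16:00 2016 CDT] Interface ethernet1/1 link up",
    "[Tue Jul 5 13:18:05 2016 CDT] User logout successful User:johndoe1 Source:192.168.3.212",
]
DOMAIN_MESSAGE = "[Tue Jul 5 13:20:11 2016 CDT] Administrator authentication success User:corp\\johndoe1 Source:10.0.0.5"


@dataclass
class RegexProfile:
    """Regex parsing type: Event Regex, Username Regex (group 1), Address Regex (group 1)."""
    name: str
    event_type: str        # "login" or "logout": the Event Type chosen in the sender's Filter list
    event_regex: str
    username_regex: str
    address_regex: str

    def parse(self, msg):
        if not re.search(self.event_regex, msg):
            return None
        user = re.search(self.username_regex, msg)
        addr = re.search(self.address_regex, msg)
        if not (user and addr):
            return None
        return user.group(1), addr.group(1)


@dataclass
class FieldProfile:
    """Field parsing type: Event String plus prefix/delimiter pairs for username and address."""
    name: str
    event_type: str
    event_string: str
    username_prefix: str
    username_delimiter: str   # \s, \t or \n as typed in the profile; anything else is literal text (assumption)
    address_prefix: str
    address_delimiter: str

    @staticmethod
    def _extract(msg, prefix, delimiter):
        start = msg.find(prefix)
        if start < 0:
            return None
        start += len(prefix)
        delim = {r"\s": " ", r"\t": "\t", r"\n": "\n"}.get(delimiter, delimiter)
        end = msg.find(delim, start)
        if end < 0:
            end = len(msg)   # no delimiter before the end: the field runs to the line break
        return msg[start:end] or None

    def parse(self, msg):
        if self.event_string not in msg:
            return None
        user = self._extract(msg, self.username_prefix, self.username_delimiter)
        addr = self._extract(msg, self.address_prefix, self.address_delimiter)
        if user is None or addr is None:
            return None
        return user, addr


def page_regex_profiles():
    """The two Regex profiles built from the page's patterns."""
    user_re = r"User:([a-zA-Z0-9\\\._]+)"
    addr_re = r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
    return [
        RegexProfile("regex-login", "login", r"(authentication\ success){1}", user_re, addr_re),
        RegexProfile("regex-logout", "logout", r"(logout\ successful){1}", user_re, addr_re),
    ]


def page_field_profiles():
    """The two Field profiles built from the page's strings."""
    return [
        FieldProfile("field-login", "login", "authentication success", "User:", r"\s", "Source:", r"\n"),
        FieldProfile("field-logout", "logout", "logout successful", "User:", r"\s", "Source:", r"\n"),
    ]


def simulate(messages, profiles, default_domain=None):
    """Run messages through the profiles and maintain an IP -> user table.

    Returns (mappings, events); events lists the (event_type, user, ip) tuples
    produced, in order. A login creates or replaces the mapping for the IP and a
    logout deletes it. The first profile that matches a message decides it
    (an assumption for this example, not documented agent behaviour).
    """
    mappings, events = {}, []
    for msg in messages:
        for profile in profiles:
            parsed = profile.parse(msg)
            if parsed is None:
                continue
            user, ip = parsed
            if default_domain:
                # Default Domain Name: override an existing domain, or prepend one if absent
                user = default_domain + "\\" + user.split("\\", 1)[-1]
            if profile.event_type == "login":
                mappings[ip] = user
            else:
                mappings.pop(ip, None)   # a logout for an unmapped IP is a no-op
            events.append((profile.event_type, user, ip))
            break
    return mappings, events


if __name__ == "__main__":
    for profiles in (page_regex_profiles(), page_field_profiles()):
        print(simulate(SAMPLE_MESSAGES + [DOMAIN_MESSAGE], profiles, default_domain="localdomain"))
```

Both profile types should yield the same events for the same messages; if they disagree on a message from your own sender, one of the patterns is wrong for that format. The Windows agent does not use Python's regex engine, so treat agreement here as a necessary check rather than a guarantee, and confirm the resulting mappings in the agent's Monitoring view and with show user ip-user-mapping after the commit.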