Syslog Filters
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Syslog Filters
- DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent SetupSyslog Filters
The User-ID agent uses Syslog Parse profiles to filter syslog messages
sent from the syslog
senders that the agent monitors for IP address-to-username mapping
information (see Configure
Access to Monitored Servers). Each profile can parse syslog
messages for either of the following event types, but not both:
- Authentication (login) events—Used to add user mappings to the firewall.
- Logout events—Used to delete user mappings that are no longer current. Deleting outdated mappings is useful in environments where IP address assignments change often.
Palo Alto Networks provides the firewall with predefined Syslog
Parse profiles through Applications content updates. To dynamically
update the list of profiles as vendors develop new filters, schedule
these dynamic content updates (see Device
> Dynamic Updates). The predefined profiles are global to
the firewall, whereas the custom profiles you configure apply only
to the virtual system (Location) selected
under DeviceUser
IdentificationUser Mapping.
Syslog messages must meet the following criteria for a User-ID
agent to parse them:
- Each message must be a single-line text string. A new line (\n) or a carriage return plus a new line (\r\n) are the delimiters for line breaks.
- The maximum size for individual messages is 8,000 bytes.
- Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets. A single packet might contain multiple messages.
To configure a custom profile, click Add and
specify the settings described in the following table. The field
descriptions in this table use a login event example from a syslog
message with the following format:
[Tue Jul 5 13:15:04 2005 CDT] Administrator authentication success User:domain\johndoe_4 Source:192.168.0.212
The complete procedure
to configure the
User-ID agent to parse a syslog sender for user mapping information
requires additional tasks besides creating a Syslog Parse profile.
Field | Description |
---|---|
Syslog Parse Profile | Enter a name for the profile (up to 63 alphanumeric characters). |
Description | Enter a description for the profile (up
to 255 alphanumeric characters). |
Type | Specify the type of parsing for filtering
the user mapping information:
The
remaining fields in the dialog vary based on your selection. Configure
the fields as described in the following rows. |
Event Regex | Enter the regex for identifying successful
authentication or logout events. For the example message used with
this table, the regex (authentication\ success) {1} extracts
the first {1} instance of the string authentication success.
The backslash before the space is a standard regex escape character
that instructs the regex engine not to treat the space as a special
character. |
Username Regex | Enter the regex for identifying the username
field in authentication success or logout messages. For the example message
used with this table, the regex User:([a-zA-Z0-9\\\._]+) would match
the string User:johndoe_4 and extract acme\johndoe1
as the username. |
Address Regex | Enter the regex to identify the IP address
portion of authentication success or logout messages. In the example message
used with this table, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches
the IPv4 address Source:192.168.0.212 and adds
192.168.0.212 as the IP address in the username mapping. |
Event String | Enter a matching string to identify authentication
success or logout messages. For the example message used with this table,
you would enter the string authentication success. |
Username Prefix | Enter the matching string to identify the
beginning of the username field within authentication or logout
syslog messages. The field does not support regex expressions such
as \s (for a space) or \t (for
a tab). In the example message used with this table, User: identifies
the start of the username field. |
Username Delimiter | Enter the delimiter that marks the end of
the username field within an authentication or logout message. Use
\s to indicate a standalone space (as in the example message) and
\t to indicate a tab. |
Address Prefix | Enter a matching string to identify the
start of the IP address field in syslog messages. The field does
not support regex expressions such as \s (for
a space) or \t (for a tab). In the example message
used with this table, Source: identifies
the start of the address field. |
Address Delimiter | Enter the matching string that marks the
end of the IP address field within authentication success or logout
messages. For example, enter \n to indicate
the delimiter is a line break. |
Addresses Per Log | Enter the maximum number of IP addresses
that you want the firewall to parse (default is 1; range is 1—3). |