End-of-Life (EoL)

Configure the Integrated User-ID Agent as a Syslog Listener

To configure the PAN-OS Integrated User-ID agent to create new user mappings based on syslog monitoring, start by defining Syslog Parse profiles. The User-ID agent uses the profiles to find login events in syslog messages. In environments where syslog senders (the network services that authenticate users) deliver syslog messages in different formats, configure a profile for each syslog format. Syslog messages must meet certain criteria for a User-ID agent to parse them (see Syslog). This procedure uses examples with the following format:
[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212
After configuring the Syslog Parse profiles, you specify syslog senders for the User-ID agent to monitor.
The PAN-OS integrated User-ID agent accepts syslogs over SSL and UDP only. Use caution with UDP: it is an unreliable, connectionless protocol with no authentication, so there is no way to verify that a message was sent from a trusted syslog server. Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the source IP address of a datagram and inject unauthorized syslog messages into the firewall. Because these messages feed User-ID, a forged login event can map an attacker-controlled IP address to a legitimate user and so grant that host whatever access User-ID-based policy gives that user. A TLS handshake cannot be completed from a spoofed source address, so as a best practice always use SSL to listen for syslog messages. If you must use UDP, make sure that the syslog server and the client (the firewall interface that listens) are both on a dedicated, secure VLAN to prevent untrusted hosts from sending UDP traffic to the firewall.
  1. Determine whether there is a predefined Syslog Parse profile for your particular syslog senders.
    Palo Alto Networks provides several predefined profiles through Application content updates. The predefined profiles are global to the firewall, whereas custom profiles apply to a single virtual system only.
    Any new Syslog Parse profiles in a given content release are documented in the corresponding release note, along with the specific regex used to define the filter.
    1. Install the latest Applications or Applications and Threats update:
      1. Select Device > Dynamic Updates and Check Now.
      2. Download and Install any new update.
    2. Determine which predefined Syslog Parse profiles are available:
      1. Select Device > User Identification > User Mapping and click Add in the Server Monitoring section.
      2. Set the Type to Syslog Sender and click Add in the Filter section. If the Syslog Parse profile you need is available, skip the steps for defining custom profiles.
  2. Define custom Syslog Parse profiles to extract IP address-to-username mapping information from syslog messages.
    1. Review the syslog messages that the syslog sender generates to identify the syntax for successful login events. This enables you to define the matching patterns when creating Syslog Parse profiles.
      Make the event pattern specific to successful logins: a pattern that also matched failed attempts (or other messages that happen to carry a username and an address) would create a mapping for a user who never actually authenticated from that address.
      While reviewing syslog messages, also determine whether they include the domain name. If they don't, and your user mappings require domain names, enter the Default Domain Name when defining the syslog senders that the User-ID agent monitors (later in this procedure).
    2. Select Device > User Identification > User Mapping and edit the Palo Alto Networks User-ID Agent Setup.
    3. Select Syslog Filters and Add a Syslog Parse profile.
    4. Enter a name to identify the Syslog Parse Profile.
    5. Specify the Type of parsing to extract user mapping information:
      • Regex Identifier—Regular expressions.
      • Field Identifier—Text strings.
      The following steps describe how to configure these parsing types.
  3. (Regex Identifier parsing only) Define the regex matching patterns.
    If the syslog message contains a standalone space or tab as a delimiter, use \s for a space and \t for a tab.
    1. Enter the Event Regex for the type of events you want to find.
      For the example message, the regex (authentication\ success){1} matches the string authentication success; the {1} quantifier requires exactly one occurrence of the parenthesized group. The backslash (\) before the space is a standard regex escape character that tells the regex engine to match the space literally rather than treat it as a special character.
    2. Enter the Username Regex to identify the username. The text captured by the parentheses (the capture group) is taken as the username.
      In the example message, the regex User:([a-zA-Z0-9\\\._]+) matches the string User:johndoe1 and captures johndoe1 as the username. Because the character class also allows a backslash (\\), a message that already carries the domain (for example User:acme\johndoe1) is captured as domain\user.
    3. Enter the Address Regex to identify the IP address portion of syslog messages. As with the username, the capture group is the part that is extracted.
      In the example message, the regular expression Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) matches Source:192.168.3.212 and captures the IPv4 address 192.168.3.212.
      [Figure: a completed Syslog Parse profile that uses regex (syslog_parse_profile_regex_login.png)]
    4. Click OK twice to save the profile.
  4. (Field Identifier parsing only) Define string matching patterns.
    1. Enter an Event String to identify successful login events.
      For the example message, the string authentication success identifies login events.
    2. Enter a Username Prefix to identify the start of the username field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab).
      In the example messages, User: identifies the start of the username field.
    3. Enter the Username Delimiter that indicates the end of the username field in syslog messages. Use \s to indicate a standalone space (as in the sample message) and \t to indicate a tab.
    4. Enter an Address Prefix to identify the start of the IP address field in syslog messages. The field does not support regex expressions such as \s (for a space) or \t (for a tab).
      In the example messages, Source: identifies the start of the address field.
    5. Enter the Address Delimiter that indicates the end of the IP address field in syslog messages.
      For example, enter \n to indicate the delimiter is a line break.
      [Figure: a completed Syslog Parse profile that uses string matching (syslog_parse_profile_field-id_login.png)]
    6. Click OK twice to save the profile.
  5. Specify the syslog senders that the firewall monitors.
    Within the total maximum of 100 monitored servers per firewall, you can define no more than 50 syslog senders for any single virtual system.
    The firewall discards any syslog messages received from senders that are not on this list.
    1. Select Device > User Identification > User Mapping and Add an entry to the Server Monitoring list.
    2. Enter a Name to identify the sender.
    3. Make sure the sender profile is Enabled (default is enabled).
    4. Set the Type to Syslog Sender.
    5. Enter the Network Address of the syslog sender (IP address or FQDN).
    6. Select a custom or predefined Syslog Parse profile as a Filter.
    7. Select UDP or SSL (default) as the Connection Type.
      The sender list is enforced by source address only, so it does not remove the UDP spoofing risk described at the start of this procedure. As a best practice, always use SSL to listen for syslog messages when using agentless User Mapping on a firewall; if you must use UDP, keep the syslog server and the firewall listener interface on a dedicated, secure VLAN so that untrusted hosts cannot send UDP traffic to the firewall.
      A syslog server using SSL to connect shows a Status of Connected only when there is an active SSL connection. Syslog servers using UDP do not show a Status value.
    8. (Optional) If the syslog messages don't contain domain information and your user mappings require domain names, enter a Default Domain Name to append to the mappings.
    9. Click OK to save the settings.
  6. Enable syslog listener services in the management profile associated with the interface used for user mapping.
    1. Select Network > Network Profiles > Interface Mgmt and edit an existing Interface Management profile or Add a new profile.
    2. Select User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP or both, based on the protocols you defined for the syslog senders in the Server Monitoring list.
      The listening ports (514 for UDP and 6514 for SSL) are not configurable; they are enabled through the management service only. Enable only the listener you actually use, and assign a profile that carries these services only to the interface the syslog senders reach, because every interface that carries such a profile opens the listener ports.
    3. Click OK to save the interface management profile.
      Even after enabling the User-ID Syslog Listener service on the interface, the interface only accepts syslog connections from senders that have a corresponding entry in the User-ID monitored servers configuration. The firewall discards connections or messages from senders that are not on the list.
    4. Assign the Interface Management profile to the interface that the firewall uses to collect user mappings:
      1. Select Network > Interfaces and edit the interface.
      2. Select Advanced > Other info, select the Interface Management Profile you just added, and click OK.
    5. Commit your changes.
  7. Verify the configuration by logging in to the firewall CLI and running the following commands:
    To see the status of a particular syslog sender:
    admin@PA-5050> show user server-monitor state Syslog2
    UDP Syslog Listener Service is enabled
    SSL Syslog Listener Service is enabled
    Proxy: Syslog2(vsys: vsys1) Host: Syslog2(10.5.204.41)
    number of log messages : 1000
    number of auth. success messages : 1000
    number of active connections : 0
    total connections made : 4
    To see the connection status of each monitored server, including how the syslog senders are connected:
    admin@PA-5050> show user server-monitor statistics
    Directory Servers:
    Name      TYPE        Host          Vsys    Status
    -----------------------------------------------------------------------------
    AD        AD          10.2.204.43   vsys1   Connected
    Syslog Servers:
    Name      Connection  Host          Vsys    Status
    -----------------------------------------------------------------------------
    Syslog1   UDP         10.5.204.40   vsys1   N/A
    Syslog2   SSL         10.5.204.41   vsys1   Not connected
    Syslog2 shows Not connected here because no SSL session is open at the moment the command runs (the state output above shows 0 active connections out of 4 made). If an SSL sender never connects at all, check that the sender can reach port 6514 on the listener interface and that the Interface Management profile from the previous step is assigned to that interface.
    To see how many user mappings were discovered through syslog senders:
    admin@PA-5050> show user ip-user-mapping all type SYSLOG
    IP               Vsys    From     User                              IdleTimeout(s)  MaxTimeout(s)
    ---------------  ------  -------  --------------------------------  --------------  -------------
    192.168.3.8      vsys1   SYSLOG   acme\jreddick                     2476            2476
    192.168.5.39     vsys1   SYSLOG   acme\jdonaldson                   2480            2480
    192.168.2.147    vsys1   SYSLOG   acme\ccrisp                       2476            2476
    192.168.2.175    vsys1   SYSLOG   acme\jjaso                        2476            2476
    192.168.4.196    vsys1   SYSLOG   acme\jblevins                     2480            2480
    192.168.4.103    vsys1   SYSLOG   acme\bmoss                        2480            2480
    192.168.2.193    vsys1   SYSLOG   acme\esogard                      2476            2476
    192.168.2.119    vsys1   SYSLOG   acme\acallaspo                    2476            2476
    192.168.3.176    vsys1   SYSLOG   acme\jlowrie                      2478            2478
    Total: 9 users
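The parsing rules from steps 2 through 5, applied to constructed sample messages, as an added example written for this page (it is not PAN-OS code, and the firewall's own parser may treat corner cases differently). It implements a Regex Identifier profile and a Field Identifier profile from the page's own patterns, drops messages whose source address is not a configured syslog sender, ignores a failed-login message, and prepends the Default Domain Name as domain\user when the username carries none. The sender names and addresses, the sample messages, and the parse_regex, parse_field and collect_mappings helpers are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Regex Identifier profile built from the three expressions on this page.
REGEX_PROFILE = {
    "event": re.compile(r"(authentication\ success){1}"),
    "user": re.compile(r"User:([a-zA-Z0-9\\\._]+)"),
    "addr": re.compile(r"Source:([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"),
}

# Field Identifier profile built from the strings on this page. Only the
# delimiter fields understand the \s, \t and \n tokens; prefixes are literal text.
FIELD_PROFILE = {
    "event": "authentication success",
    "user_prefix": "User:",
    "user_delim": r"\s",
    "addr_prefix": "Source:",
    "addr_delim": r"\n",
}
_DELIM_TOKENS = {r"\s": " ", r"\t": "\t", r"\n": "\n"}

Mapping = Optional[Tuple[str, str]]  # (username, ip), or None when not a login event


def parse_regex(msg: str, profile: dict = REGEX_PROFILE) -> Mapping:
    """Regex Identifier: the event regex must match, then capture group 1 of each regex is taken."""
    if not profile["event"].search(msg):
        return None
    user = profile["user"].search(msg)
    addr = profile["addr"].search(msg)
    if not (user and addr):
        return None
    return user.group(1), addr.group(1)


def _field(msg: str, prefix: str, delim_token: str) -> Optional[str]:
    """Text between a literal prefix and the next delimiter (end of message if absent)."""
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = msg.find(_DELIM_TOKENS.get(delim_token, delim_token), start)
    return (msg[start:] if end < 0 else msg[start:end]) or None


def parse_field(msg: str, profile: dict = FIELD_PROFILE) -> Mapping:
    """Field Identifier: plain substring search for the event string and the prefixes."""
    if profile["event"] not in msg:
        return None
    user = _field(msg, profile["user_prefix"], profile["user_delim"])
    addr = _field(msg, profile["addr_prefix"], profile["addr_delim"])
    return (user, addr) if user and addr else None


@dataclass
class SyslogSender:
    """One Server Monitoring entry of Type Syslog Sender (hypothetical values)."""
    name: str
    address: str                        # Network Address field
    parser: Callable[[str], Mapping]    # the Filter (Syslog Parse profile)
    default_domain: str = ""            # Default Domain Name field, optional


def collect_mappings(messages: List[Tuple[str, str]],
                     senders: List[SyslogSender]) -> Tuple[Dict[str, str], int]:
    """Feed (source_ip, message) pairs through the listener's rules.

    Returns the IP -> user mappings and the number of messages discarded because
    the source address is not a configured sender. This check is by source IP
    only, which is why the page insists on SSL rather than UDP.
    """
    by_address = {s.address: s for s in senders}
    mappings: Dict[str, str] = {}
    discarded = 0
    for source_ip, text in messages:
        sender = by_address.get(source_ip)
        if sender is None:
            discarded += 1
            continue
        hit = sender.parser(text)
        if hit is None:          # not a successful login, or a field is missing
            continue
        user, ip = hit
        if sender.default_domain and "\\" not in user:
            user = f"{sender.default_domain}\\{user}"   # domain\user, as in the CLI output
        mappings[ip] = user
    return mappings, discarded


# Constructed sample traffic: (sender source IP, syslog message). The last entry
# comes from an address that is not in the sender list and must be discarded.
SAMPLE_MESSAGES = [
    ("10.5.204.41", "[Tue Jul 5 13:15:04 2016 CDT] Administrator authentication success User:johndoe1 Source:192.168.3.212"),
    ("10.5.204.41", "[Tue Jul 5 13:15:09 2016 CDT] Administrator authentication failure User:mallory Source:192.168.3.250"),
    ("10.5.204.40", "[Tue Jul 5 13:16:01 2016 CDT] Administrator authentication success User:acme\\ccrisp Source:192.168.2.147"),
    ("10.9.9.9",    "[Tue Jul 5 13:16:30 2016 CDT] Administrator authentication success User:admin Source:192.168.3.250"),
]
SAMPLE_SENDERS = [
    SyslogSender("Syslog2", "10.5.204.41", parse_regex, default_domain="acme"),
    SyslogSender("Syslog1", "10.5.204.40", parse_field),
]

if __name__ == "__main__":
    found, dropped = collect_mappings(SAMPLE_MESSAGES, SAMPLE_SENDERS)
    for ip, user in found.items():
        print(f"{ip:<16} SYSLOG  {user}")
    print(f"discarded from unlisted senders: {dropped}")
```

Running it yields two mappings (192.168.3.212 to acme\johndoe1 via the regex profile plus the default domain, and 192.168.2.147 to acme\ccrisp via the field profile, where the domain came from the message itself), no mapping for the failed login, and one discarded message from the unlisted 10.9.9.9. Note that the forged message was dropped only because its source address was wrong; had the attacker spoofed 10.5.204.41 over UDP, 192.168.3.250 would have been mapped to admin.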
