Your environment might have existing network services
that authenticate users. These services include wireless controllers,
802.1x devices, Apple Open Directory servers, proxy servers, and
other Network Access Control (NAC) mechanisms. You can configure
these services to send syslog messages and configure the User-ID
agent to parse the messages for login events. The agent then maps
IP addresses to usernames based on the login events.
Both the PAN-OS integrated User-ID agent and Windows-based User-ID
agent use Syslog Parse profiles to parse syslog messages. In environments
where services send the messages in different formats, you can create
a custom profile for each format. If you use the PAN-OS integrated
User-ID agent, you can also use predefined Syslog Parse profiles
that Palo Alto Networks provides through Applications content updates.
Syslog messages must meet the following criteria for a User-ID
agent to parse them:
Each message must be a single-line text string. The allowed
delimiters for line breaks are a new line (\n) or a carriage return
plus a new line (\r\n).
The maximum size for individual messages is 2,048 bytes.
Messages sent over UDP must be contained in a single packet;
messages sent over SSL can span multiple packets. A single packet
might contain multiple messages.