End-of-Life (EoL)

Syslog

Your environment might have existing network services that authenticate users. These services include wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, and other Network Access Control (NAC) mechanisms. You can configure these services to send syslog messages and configure the User-ID agent to parse the messages for login events. The agent then maps IP addresses to usernames based on the login events.
Both the PAN-OS integrated User-ID agent and Windows-based User-ID agent use Syslog Parse profiles to parse syslog messages. In environments where services send the messages in different formats, you can create a custom profile for each format. If you use the PAN-OS integrated User-ID agent, you can also use predefined Syslog Parse profiles that Palo Alto Networks provides through Applications content updates.
Syslog messages must meet the following criteria for a User-ID agent to parse them:
  • Each message must be a single-line text string. The allowed delimiters for line breaks are a new line (\n) or a carriage return plus a new line (\r\n).
  • The maximum size for individual messages is 2,048 bytes.
  • Messages sent over UDP must be contained in a single packet; messages sent over SSL can span multiple packets. A single packet might contain multiple messages.
User-ID Integration with Syslog
uid-syslog-sender.png

Recommended For You