PAN-OS 6.0 introduced the ability to use the Palo Alto Networks firewall and the User-ID Agent as a syslog listener that collects syslog messages from other systems on the network and maps users to IP addresses. These user-to-IP mappings can then be used in security rules and policies. Both the PAN-OS version on the firewall and the User-ID Agent version must be at least 6.0.
Note: The version of PAN-OS on the firewall should be the same as or higher than the version of the User-ID Agent, but preferably the same.
While the User-ID Agent ships with predefined syslog sender filters, the administrator needs to create custom filters that match the logs generated by the network system in question. As a prerequisite to this configuration, it is assumed that the User-ID Agent is already connected to the firewall and that user-IP mappings are being sent to the connected Palo Alto Networks devices. The following are also required:
Knowledge of the syslog sender logs
Knowledge of the IP address of the sender
Knowledge of available ports on the server that can be used for accepting the logs
Knowledge of the domain to which the users connect, and whether usernames appear in “domain\” notation when logging in
A decision between using a Field Identifier or a Regex Identifier
Analysis of the logs:
Take a section of the log and identify the fields needed for user-IP mapping: the username, the IP address, the delimiters, and the 'Event String'. The event string tells the firewall that a specific user has successfully logged in, so that the firewall collects the username and the IP address from that message and adds them to the user-IP-mapping database.
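The following is an added illustration of this analysis step, not code from Palo Alto Networks or from the User-ID Agent. It runs both styles of identifier the article asks you to choose between over a few constructed syslog lines (the message layout is an assumption made for the example, not real Aruba output): the Regex Identifier captures username and IP with one pattern anchored on the event string, and the Field Identifier locates the same values by their delimiters. Only messages carrying the success event string produce a mapping; failed logins and logouts are ignored. DEFAULT_DOMAIN, normalize_user and the sample lines are all assumptions of the example.

```python
import re
from ipaddress import ip_address

# Constructed sample syslog lines (not real Aruba output). The layout is an
# assumption chosen to show the four elements the text asks for: the event
# string, the username, the IP address and the delimiters around them.
SAMPLE_LOGS = [
    "<143>Jun 12 10:01:22 wlc01 authmgr[1234]: <522008> User Authentication Successful: username=jdoe IP=10.1.2.3 method=802.1x",
    "<143>Jun 12 10:02:05 wlc01 authmgr[1234]: <522008> User Authentication Successful: username=CORP\\asmith IP=10.1.2.44 method=802.1x",
    "<143>Jun 12 10:03:10 wlc01 authmgr[1234]: <522009> User Authentication Failed: username=eve IP=10.1.2.99 method=802.1x",
    "<143>Jun 12 10:04:00 wlc01 authmgr[1234]: <522010> User logged out: username=jdoe IP=10.1.2.3",
]

# The event string that marks a successful login; other events must not create mappings.
EVENT_STRING = "User Authentication Successful"

# Assumption: the domain to prepend when the log carries a bare username.
DEFAULT_DOMAIN = "corp"


def regex_identifier(line):
    """Regex Identifier style: one pattern anchored on the event string that
    captures the username and the IPv4 address. Returns (user, ip) or None."""
    pattern = re.compile(
        r"User Authentication Successful: username=(?P<user>\S+) IP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    )
    match = pattern.search(line)
    if not match:
        return None
    return match.group("user"), match.group("ip")


def between(line, prefix, terminator):
    """Return the text after `prefix` up to `terminator` (or end of line).
    Raises ValueError when the prefix is absent."""
    start = line.index(prefix) + len(prefix)
    end = line.find(terminator, start)
    if end == -1:
        end = len(line)
    return line[start:end]


def field_identifier(line):
    """Field Identifier style: check for the event string, then pick the
    username and IP out by their delimiters ('username=' / 'IP=' prefixes and
    the following space) instead of a regex. Returns (user, ip) or None."""
    if EVENT_STRING not in line:
        return None
    try:
        user = between(line, "username=", " ")
        ip = between(line, "IP=", " ")
    except ValueError:
        return None
    return user, ip


def normalize_user(user):
    """Produce a lower-case 'domain\\user' string whether or not the log used
    domain\\ notation, so mappings from different senders agree."""
    if "\\" in user:
        domain, name = user.split("\\", 1)
    else:
        domain, name = DEFAULT_DOMAIN, user
    return f"{domain.lower()}\\{name.lower()}"


def build_mappings(lines, extractor):
    """Run an extractor over the lines and return {ip: 'domain\\user'} for every
    successful login. Values that are not valid IP addresses are dropped."""
    mappings = {}
    for line in lines:
        hit = extractor(line)
        if hit is None:
            continue
        user, ip = hit
        try:
            ip_address(ip)
        except ValueError:
            continue
        mappings[ip] = normalize_user(user)
    return mappings


if __name__ == "__main__":
    for name, extractor in (("regex", regex_identifier), ("field", field_identifier)):
        print(name, build_mappings(SAMPLE_LOGS, extractor))
```

Both extractors yield the same two mappings from the sample lines; the regex form is shorter to write for a fixed message layout, while the field form is easier to adapt when only the delimiters are stable. Whichever style is chosen, the filter must fire only on the success event string, otherwise a failed authentication or a logout would map or re-map an address to the wrong user.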
The following syslog example shows a log from an Aruba wireless controller: