How to Locate Predefined Syslog Filters in PAN-OS


22350
Created On 09/25/18 19:52 PM - Last Modified 06/03/23 03:59 AM


Resolution


PAN-OS 6.0


Details

In PAN-OS 6.0, predefined syslog filters are included starting with version 418 of the Applications and Threats content. The screenshot below shows the Device > Dynamic Updates page in the web UI with version 418 of the content currently installed:

(Screenshot: Device > Dynamic Updates page showing Applications and Threats content version 418 installed)

Palo Alto Networks provides several predefined syslog filters, which are delivered as application content (and can therefore be updated on the dynamic update schedule). The predefined filters are global to the firewall, whereas manually defined filters apply to a single virtual system only.

Note: The User-ID Agent currently does not include the predefined filters; on the agent they must be added manually.

Steps

Locate the predefined syslog filters with the steps below:

  1. Log into the web UI
  2. Go to Device > User Identification > User Mapping
  3. Edit the Palo Alto Networks User-ID Agent Setup section
  4. On the pop-up window that appears, go to the Syslog Filters tab

(Screenshot: Syslog Filters tab of the Palo Alto Networks User-ID Agent Setup dialog listing the predefined filters)

The predefined syslog filters shown in the above screenshot are listed below in CLI configuration format. Note that this listing is for reference only; it is not XML and should not be copied and pasted as XML configuration.

    syslog-parse-profile {
      "Citrix Access Gateway v1.0.0" {
        regex-identifier {
          event-regex SSLVPN\ LOGIN
          username-regex User ([a-zA-Z0-9\_]+)
          address-regex Nat_ip ([A-F0-9a-f:.]+)
        }
      }
      "Aerohive AP v1.0.0" {
        regex-identifier {
          event-regex auth\:
          username-regex username ([a-zA-Z0-9\_]+)
          address-regex ip ([A-F0-9a-f:.]+)
        }
      }
      "Cisco ASA IPSec v1.0.0" {
        regex-identifier {
          event-regex Group <|=
          username-regex (?:User <([a-zA-Z0-9\_]+)IP\s)|(?:Username = ([a-zA-Z0-9\_]+))
          address-regex IP (?:<([A-F0-9a-f:.]+)Address\s)|(?:IP = ([A-F0-9a-f:.]+))
        }
      }
      "Cisco ASA Any Connect v1.0.0" {
        regex-identifier {
          event-regex Group <|=
          username-regex (?:User <([a-zA-Z0-9\_]+)IP\s)|(?:Username = ([a-zA-Z0-9\_]+))
          address-regex IP (?:<([A-F0-9a-f:.]+)Address\s)|(?:IP = ([A-F0-9a-f:.]+))
        }
      }
      "Juniper SA Net Connect v1.0.0" {
        regex-identifier {
          event-regex Session\ started
          username-regex (?:\]|\,)\s([a-zA-Z0-9\_]+)
          address-regex IP ([A-F0-9a-f:.]+)
        }
      }
      "Juniper IC v1.0.0" {
        regex-identifier {
          event-regex Login\ succeeded
          username-regex user=([a-zA-Z0-9\_]+)
          address-regex src=([A-F0-9a-f:.]+)
        }
      }
      "Unix PAM Authentication" {
        regex-identifier {
          event-regex (Accepted\spassword\s){1}
          username-regex password\sfor\s([a-zA-Z0-9\._]+)\sfrom
          address-regex ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s
        }
      }
      "Squid Web Proxy Authentication" {
        regex-identifier {
          event-regex (TCP_HIT|TCP_MEM|TCP_MISS|TCP_NC_MISS){1}
          username-regex \/\s([a-zA-Z0-9\._]+)\s
          address-regex \s((?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:(?:[a-zA-Z0-9]{1,4}\:{1,2}){1,7}[a-zA-Z0-9]{1,4}))\sTCP
        }
      }
      "SSH Authentication" {
        regex-identifier {
          event-regex (sshd.*Accepted)
          username-regex for\s([A-Za-z0_9]+)
          address-regex ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s
        }
      }
      "BlueCoat Proxy SG Proxy Log" {
        regex-identifier {
          event-regex (\-\sPROXIED){1}
          username-regex \s[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\s([a-zA-Z0-9\_]+)\s\-
          address-regex \s((?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:(?:[a-zA-Z0-9]{1,4}\:{1,2}){1,7}[a-zA-Z0-9]{1,4}))\s[a-zA-Z0-9\_]+\s\-
        }
      }
      "BlueCoat Squid Web Proxy Authentication" {
        regex-identifier {
          event-regex (TCP_HIT|TCP_MEM|TCP_MISS|TCP_NC_MISS){1}
          username-regex \s([a-zA-Z0-9\._]+)\s\-\/
          address-regex \s((?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:(?:[a-zA-Z0-9]{1,4}\:{1,2}){1,7}[a-zA-Z0-9]{1,4}))\sTCP
        }
      }
      "BlueCoat Log Main Format Proxy Authentication" {
        regex-identifier {
          event-regex (TCP_HIT|TCP_MEM|TCP_MISS|TCP_NC_MISS){1}
          username-regex \s\-\s([a-zA-Z0-9\_]+)\s\-\s
          address-regex \s((?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:(?:[a-zA-Z0-9]{1,4}\:{1,2}){1,7}[a-zA-Z0-9]{1,4}))\s
        }
      }
    }
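To see what these regex-identifier profiles actually extract, the following added Python example (not part of the article or of PAN-OS) replays three of the predefined profiles, copied verbatim from the listing above, against constructed syslog lines. It assumes the documented semantics of the three fields: event-regex selects which lines are treated as login events, and the first non-empty capture group of username-regex and address-regex supplies the user name and IP address for the mapping. Trying the profiles in dictionary order and letting the first match win is a simplification of this example, not a documented PAN-OS rule; the host names, users and addresses in the sample lines are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Three of the predefined regex-identifier profiles, copied verbatim from the
# listing above. event-regex: does this line describe a login? username-regex
# and address-regex: the capture group is the value used for the mapping.
PROFILES: Dict[str, Dict[str, str]] = {
    "Juniper IC v1.0.0": {
        "event-regex": r"Login\ succeeded",
        "username-regex": r"user=([a-zA-Z0-9\_]+)",
        "address-regex": r"src=([A-F0-9a-f:.]+)",
    },
    "Unix PAM Authentication": {
        "event-regex": r"(Accepted\spassword\s){1}",
        "username-regex": r"password\sfor\s([a-zA-Z0-9\._]+)\sfrom",
        "address-regex": r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s",
    },
    "SSH Authentication": {
        "event-regex": r"(sshd.*Accepted)",
        "username-regex": r"for\s([A-Za-z0_9]+)",
        "address-regex": r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s",
    },
}

# Constructed sample syslog lines (host names, users and addresses are made up).
SAMPLE_LINES: List[str] = [
    "Mar  6 13:49:18 ive1 juniper: Login succeeded for user=carol src=203.0.113.5 realm=Users",
    "Mar  6 13:50:02 bastion sshd[2201]: Accepted password for j.doe from 198.51.100.7 port 40022 ssh2",
    "Mar  6 13:51:40 bastion sshd[2300]: Accepted publickey for bob42 from 192.0.2.10 port 5000 ssh2",
    "Mar  6 13:52:00 bastion sshd[2301]: Failed password for invalid user root from 192.0.2.99 port 6000 ssh2",
]


def _first_group(m: "re.Match") -> Optional[str]:
    """Return the first capture group that matched. Some predefined patterns
    (the Cisco ASA ones) use alternation with two groups, only one of which
    participates in a given match."""
    return next((g for g in m.groups() if g is not None), None)


def apply_profile(profile: Dict[str, str], line: str) -> Optional[Tuple[str, str]]:
    """Apply one syslog-parse-profile to a line.

    Returns (username, address) when the line matches the event-regex and both
    value regexes capture something; otherwise None (no mapping produced).
    """
    if not re.search(profile["event-regex"], line):
        return None
    user_m = re.search(profile["username-regex"], line)
    addr_m = re.search(profile["address-regex"], line)
    if not user_m or not addr_m:
        return None
    user, addr = _first_group(user_m), _first_group(addr_m)
    if user is None or addr is None:
        return None
    return user, addr


def map_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Try the profiles in dictionary order; the first that matches wins.
    (Assumption of this example, not a documented PAN-OS ordering rule.)"""
    for name, profile in PROFILES.items():
        result = apply_profile(profile, line)
        if result:
            return (name, *result)
    return None


def map_lines(lines: List[str]) -> List[Optional[Tuple[str, str, str]]]:
    """Produce the (profile, user, ip) mapping, or None, for every line."""
    return [map_line(line) for line in lines]


if __name__ == "__main__":
    for line, mapping in zip(SAMPLE_LINES, map_lines(SAMPLE_LINES)):
        print(f"{mapping!r:58} <- {line[:60]}")
```

Two things worth checking against your own log samples before relying on a filter: the "SSH Authentication" username pattern `[A-Za-z0_9]+` contains only the characters `0`, `_` and `9` besides letters, so a user name such as `bob42` is captured as `bob`; and the sshd "Accepted password" line also satisfies the SSH profile's event-regex, where it would yield the user `j` rather than `j.doe`, so which profile is consulted first determines the mapping. Running a few representative lines through the extractor is the quickest way to confirm that the mapping the firewall records is the one you expect.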


owner: dmaynard



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgYCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail