How to Locate Predefined Syslog Filters in PAN-OS
Resolution
PAN-OS 6.0
Details
In PAN-OS 6.0, predefined syslog filters are included from version 418 of the delivered Applications and Threats content. The example screenshot below displays the Device > Dynamic Updates page on the web UI and shows that version 418 of the content distribution is currently installed:
Palo Alto Networks provides several predefined syslog filters, delivered as application content (which can be scheduled to update dynamically). The predefined filters are global to the firewall, whereas manually defined filters apply to a single virtual system only.
Note: The User-ID Agent currently does not have the predefined filters and would need to be manually added.
Steps
Locate the predefined syslog filters with the steps below:
- Log into the web UI
- Go to Device > User Identification > User Mapping
- Edit the Palo Alto Networks User-ID Agent Setup section
- On the pop-up window that appears, go to the Syslog Filters tab
The predefined syslog filters shown in the above screenshot are listed below. Each profile carries three regexes: event-regex selects the log lines that represent a successful login, and username-regex and address-regex capture the user name and IP address from those lines. Note that this output should not be copied and pasted as XML configuration.
syslog-parse-profile {
    "Citrix Access Gateway v1.0.0" {
        regex-identifier {
            event-regex SSLVPN\ LOGIN
            username-regex User ([a-zA-Z0-9\_]+)
            address-regex Nat_ip ([A-F0-9a-f:.]+)
        }
    }
    "Aerohive AP v1.0.0" {
        regex-identifier {
            event-regex auth\:
            username-regex username ([a-zA-Z0-9\_]+)
            address-regex ip ([A-F0-9a-f:.]+)
        }
    }
    "Cisco ASA IPSec v1.0.0" {
        regex-identifier {
            event-regex Group <|=
            username-regex (?:User <([a-zA-Z0-9\_]+)IP\s)|(?:Username = ([a-zA-Z0-9\_]+))
            address-regex IP (?:<([A-F0-9a-f:.]+)Address\s)|(?:IP = ([A-F0-9a-f:.]+))
        }
    }
    "Cisco ASA Any Connect v1.0.0" {
        regex-identifier {
            event-regex Group <|=
            username-regex (?:User <([a-zA-Z0-9\_]+)IP\s)|(?:Username = ([a-zA-Z0-9\_]+))
            address-regex IP (?:<([A-F0-9a-f:.]+)Address\s)|(?:IP = ([A-F0-9a-f:.]+))
        }
    }
    "Juniper SA Net Connect v1.0.0" {
        regex-identifier {
            event-regex Session\ started
            username-regex (?:\]|\,)\s([a-zA-Z0-9\_]+)
            address-regex IP ([A-F0-9a-f:.]+)
        }
    }
    "Juniper IC v1.0.0" {
        regex-identifier {
            event-regex Login\ succeeded
            username-regex user=([a-zA-Z0-9\_]+)
            address-regex src=([A-F0-9a-f:.]+)
        }
    }
    "Unix PAM Authentication" {
        regex-identifier {
            event-regex (Accepted\spassword\s){1}
            username-regex password\sfor\s([a-zA-Z0-9\._]+)\sfrom
            address-regex ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s
        }
    }
    "Squid Web Proxy Authentication" {
        regex-identifier {
            event-regex (TCP_HIT|TCP_MEM|TCP_MISS|TCP_NC_MISS){1}
            username-regex \/\s([a-zA-Z0-9\._]+)\s
            address-regex \s((?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:(?:[a-zA-Z0-9]{1,4}\:{1,2}){1,7}[a-zA-Z0-9]{1,4}))\sTCP
        }
    }
    "SSH Authentication" {
        regex-identifier {
            event-regex (sshd.*Accepted)
            username-regex for\s([A-Za-z0_9]+)
            address-regex ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s
        }
    }
    "BlueCoat Proxy SG Proxy Log" {
        regex-identifier {
            event-regex (\-\sPROXIED){1}
            username-regex \s[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\s([a-zA-Z0-9\_]+)\s\-
            address-regex \s((?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:(?:[a-zA-Z0-9]{1,4}\:{1,2}){1,7}[a-zA-Z0-9]{1,4}))\s[a-zA-Z0-9\_]+\s\-
        }
    }
    "BlueCoat Squid Web Proxy Authentication" {
        regex-identifier {
            event-regex (TCP_HIT|TCP_MEM|TCP_MISS|TCP_NC_MISS){1}
            username-regex \s([a-zA-Z0-9\._]+)\s\-\/
            address-regex \s((?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:(?:[a-zA-Z0-9]{1,4}\:{1,2}){1,7}[a-zA-Z0-9]{1,4}))\sTCP
        }
    }
    "BlueCoat Log Main Format Proxy Authentication" {
        regex-identifier {
            event-regex (TCP_HIT|TCP_MEM|TCP_MISS|TCP_NC_MISS){1}
            username-regex \s\-\s([a-zA-Z0-9\_]+)\s\-\s
            address-regex \s((?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:(?:[a-zA-Z0-9]{1,4}\:{1,2}){1,7}[a-zA-Z0-9]{1,4}))\s
        }
    }
}
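The following Python is an added example, not part of this article or of the delivered content: it applies three of the predefined profiles above (regexes copied verbatim) to constructed syslog lines the way the parser does, gating on event-regex and then extracting user and address. It assumes plain regex search semantics and that, for the two-alternative Cisco ASA regexes, whichever capture group matched is the value; the sample lines are constructed, not real captures.

```python
import re

# Three of the predefined profiles listed above, regexes copied verbatim.
PROFILES = {
    "Unix PAM Authentication": {
        "event": r"(Accepted\spassword\s){1}",
        "user": r"password\sfor\s([a-zA-Z0-9\._]+)\sfrom",
        "addr": r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s",
    },
    "SSH Authentication": {
        "event": r"(sshd.*Accepted)",
        "user": r"for\s([A-Za-z0_9]+)",
        "addr": r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s",
    },
    "Cisco ASA IPSec v1.0.0": {
        "event": r"Group <|=",
        "user": r"(?:User <([a-zA-Z0-9\_]+)IP\s)|(?:Username = ([a-zA-Z0-9\_]+))",
        "addr": r"IP (?:<([A-F0-9a-f:.]+)Address\s)|(?:IP = ([A-F0-9a-f:.]+))",
    },
}

# Constructed sample syslog lines (not real captures).
SAMPLE_LINES = [
    "sshd[100]: Accepted password for alice from 10.0.0.5 port 2222 ssh2",
    "sshd[101]: Failed password for root from 10.0.0.7 port 3333 ssh2",
    "%ASA-6-713228: Group = vpn, Username = bob_1, IP = 10.0.0.6, Assigned private IP address 192.168.1.10 to remote user",
    "sshd[102]: Accepted publickey for ops7 from 10.0.0.9 port 4444 ssh2",
]


def first_group(match):
    """The ASA regexes alternate two capture groups; take whichever one matched."""
    return next((g for g in match.groups() if g), None)


def map_line(line, profile):
    """Apply one profile: event-regex gates the line, then user and address are extracted."""
    if not re.search(profile["event"], line):
        return None
    user = re.search(profile["user"], line)
    addr = re.search(profile["addr"], line)
    if not (user and addr):
        return None  # login event seen but identity not parseable: no mapping is created
    return first_group(user), first_group(addr)


def build_mappings(lines, profiles=PROFILES):
    """Run every profile over every line and collect username -> IP, like the User-ID table."""
    mappings = {}
    for line in lines:
        for profile in profiles.values():
            hit = map_line(line, profile)
            if hit:
                mappings[hit[0]] = hit[1]
    return mappings
```

Running it also shows why the predefined regexes should be validated against your own log format before relying on them for policy: the failed login produces no mapping, but the SSH username class as printed above contains no digits other than 0 and 9, so user ops7 is mapped as ops.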
owner: dmaynard