This document describes how to configure the User-ID Agent to obtain User-IP mappings from a Cisco Wireless controller.
Shown below is a typical example of a syslog from the wireless controller. The bolded fields are the information that is extracted from the syslog for a successful User-IP mapping when connecting from the Cisco Wireless controller.
The screenshot below explains how to parse this information and extract the needed details. A Field Identifier is used instead of Regex.
Some versions of Cisco WLC might be sending a slightly different syslog message than the one mentioned above. If your Cisco WLC syslog format looks like the one pasted below (specifically note the highlighted string that holds the IP address of the user) then a different string needs to be configured for the “Address Prefix” value.
Use the string 126.96.36.199.188.8.131.52.5184.108.40.206.1.10.0= in the “Address Prefix” field. See the screenshot below for details.
Note that trailing spaces can cause problems in parsing the syslog message. When pasting the text into the “Syslog Parse Profile” window, make sure to delete all spaces at the end of the string.
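The following Python sketch is an added example, not Palo Alto Networks code. It models Field Identifier matching as "find the prefix, read up to the delimiter" to show why a trailing space in a pasted prefix silently drops the mapping. The log line and its key names are constructed placeholders, and the profile field names other than “Address Prefix” are assumptions.

```python
import ipaddress

# Constructed sample line; NOT real Cisco WLC output. Key names are placeholders.
SAMPLE = ("Jan  1 00:00:00 trap-relay snmptrap: EVENT_ASSOC "
          "USER_KEY=alice ADDR_KEY=192.0.2.10 AP_KEY=ap-01")

# Hypothetical profile values for the constructed line above.
GOOD = {"event_string": "EVENT_ASSOC",
        "username_prefix": "USER_KEY=", "username_delimiter": " ",
        "address_prefix": "ADDR_KEY=", "address_delimiter": " "}
# Same profile, but the address prefix was pasted with a trailing space.
BAD = dict(GOOD, address_prefix="ADDR_KEY= ")

def extract_field(line, prefix, delimiter):
    """Text between the first occurrence of prefix and the next delimiter."""
    start = line.find(prefix)
    if start == -1:
        return None  # prefix (including any stray space) must match exactly
    start += len(prefix)
    end = line.find(delimiter, start)
    return line[start:] if end == -1 else line[start:end]

def map_user_ip(line, profile):
    """Return (user, ip) for a matching event line, else None."""
    if profile["event_string"] not in line:
        return None
    user = extract_field(line, profile["username_prefix"],
                         profile["username_delimiter"])
    addr = extract_field(line, profile["address_prefix"],
                         profile["address_delimiter"])
    if not user or not addr:
        return None
    try:
        ipaddress.ip_address(addr)  # reject values that are not an IP address
    except ValueError:
        return None
    return (user, addr)

def lint_profile(profile):
    """Names of match strings that end in whitespace (delimiters are exempt)."""
    keys = ("event_string", "username_prefix", "address_prefix")
    return [k for k in keys if profile[k] != profile[k].rstrip()]

if __name__ == "__main__":
    for name, prof in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, map_user_ip(SAMPLE, prof), lint_profile(prof))
```

Running a check like `lint_profile` over the strings before pasting them into the “Syslog Parse Profile” window catches the trailing-space case without waiting for mappings to go missing.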
Note: Make sure the Syslog listener is on the interface that is expected to reach the device. Cisco WLC native Syslog messages do not contain authentication information, so User-ID mappings cannot be derived from them. Cisco WLC generates SNMP Traps that do contain this information. The SNMP Trap must be converted into a Syslog message. To achieve this, follow the document: Cisco WLC - Palo Alto Networks config guide.pdf