How to create regular expressions for syslog user-id mappings
Environment
- PANOS-11.1.4-hx
- PA-5250
- Syslog server for ip mappings
Procedure
User-ID can use syslog messages to populate the firewall's user-to-IP mappings. One way to parse the required fields out of a syslog message is with regular expressions. The examples below should work in most cases.
- To extract the username from the syslog message, include the part of the message that immediately precedes the username you want to use. In the syslog message entry below, "Username (" appears just before the username, so one regular expression that can be used is:
USERNAME EXAMPLE: Username\s\(([A-Za-z0-9\.]+@paloalto\.com)
- To extract the IP address, include the part of the message that immediately precedes the IP address you want to use. In the syslog message entry below, the string ", IP " precedes the IP address, so one regular expression that can be used is:
IP ADDRESS EXAMPLE: ,\sIP\s([0-9.]+)
SYSLOG MESSAGE ENTRY: Sep 20 17:57:46.307: %CLIENT_ORCH_LOG: Username (user1@paloalto.com), MAC: 50eb.7120.3730, IP 10.3.181.10 IP address updated, associated to AP (WIL-AP-332) with SSID (Alpha)
Other filters available for use include the following:
Note: Be sure to verify the logging format of your syslog source before configuring filters, to avoid mapping issues.
USERNAME: [A-Za-z0-9\.]+@paloalto\.com
FILTERS ONLY IPv4: ([0-9.]+)
FILTERS ONLY IPv6: ([A-F0-9a-f]+:[A-F0-9a-f:]+)
FILTERS IPv4 FOLLOWED BY IPv6: ([0-9.]+)\s([A-F0-9a-f]+:[A-F0-9a-f:]+)
FILTERS IPv6 FOLLOWED BY IPv4: ([A-F0-9a-f]+:[A-F0-9a-f:]+)\s([0-9.]+)
FILTERS IPv4 AND IPv6 IN ANY ORDER: ([A-Fa-f0-9:.]+)\s([A-Fa-f0-9:.]+)
SPACE CHARACTER: \s
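The following Python script is an added example for testing these expressions offline before they go into the firewall; it is not part of the original article and not Palo Alto Networks code. It runs the username and IP address regexes from the procedure above against the article's sample syslog entry, and applies the generic filters from the table to show why the "include part of the message before the value" step matters: used on their own, the bare IPv4 and IPv6 filters land on the timestamp instead of the address. The second log line (user2, a dual-stack client) and the helper names are constructed for the example; the literal "(" in "Username (" is escaped so that the capture group holds only the account name.

```python
import ipaddress
import re

# Sample lines. The first is the article's own syslog entry; the second is a
# constructed dual-stack variant used to exercise the IPv6 filters.
SAMPLE_IPV4 = (
    "Sep 20 17:57:46.307: %CLIENT_ORCH_LOG: Username (user1@paloalto.com), "
    "MAC: 50eb.7120.3730, IP 10.3.181.10 IP address updated, "
    "associated to AP (WIL-AP-332) with SSID (Alpha)"
)
SAMPLE_DUAL = (
    "Sep 20 17:58:02.110: %CLIENT_ORCH_LOG: Username (user2@paloalto.com), "
    "MAC: 50eb.7120.3731, IP 10.3.181.11 2001:db8:0:1::1a IP address updated"
)

# Username and address regexes from the procedure. Group 1 is the value that
# User-ID keeps; the context before the group is what makes the match precise.
USERNAME_RE = re.compile(r"Username\s\(([A-Za-z0-9\.]+@paloalto\.com)")
ADDRESS_RE = re.compile(r",\sIP\s([0-9.]+)")

# Generic filters from the article's table, with no surrounding context.
FILTER_IPV4 = r"([0-9.]+)"
FILTER_IPV6 = r"([A-F0-9a-f]+:[A-F0-9a-f:]+)"
FILTER_IPV4_THEN_IPV6 = r"([0-9.]+)\s([A-F0-9a-f]+:[A-F0-9a-f:]+)"


def anchored(context, filter_pattern):
    """Compose a regex the way the article describes: the literal text that
    precedes the value in the message, followed by the capturing filter."""
    return re.compile(context + filter_pattern)


def capture(pattern, entry):
    """All capture groups of the first match of pattern in entry, or None."""
    match = re.search(pattern, entry)
    return match.groups() if match else None


def parse_mapping(entry, user_re=USERNAME_RE, addr_re=ADDRESS_RE):
    """Return (username, address, ...) from one syslog line, or None.

    Mirrors the firewall's rule: a line that fails either regex produces no
    user-to-IP mapping at all.
    """
    user = user_re.search(entry)
    addr = addr_re.search(entry)
    if user is None or addr is None:
        return None
    return (user.group(1),) + addr.groups()


def is_ip_address(text):
    """True only if the captured text parses as a real IPv4 or IPv6 address.
    The loose filters accept strings such as '20' or '17:57:46', so validate
    the capture instead of trusting it."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_mapping(SAMPLE_IPV4))
    # Bare filters with no context pick up the timestamp, not the address.
    print(capture(FILTER_IPV4, SAMPLE_IPV4), capture(FILTER_IPV6, SAMPLE_IPV4))
    print(capture(FILTER_IPV4_THEN_IPV6, SAMPLE_DUAL))
    # The same dual-stack filter anchored on ", IP " captures both addresses.
    dual_re = anchored(r",\sIP\s", FILTER_IPV4_THEN_IPV6)
    mapping = parse_mapping(SAMPLE_DUAL, addr_re=dual_re)
    print(mapping, [is_ip_address(a) for a in mapping[1:]])
```

Run the script against a few real lines from your syslog source before committing the filters on the firewall; if `is_ip_address` reports False for a capture, the context in front of the filter needs to be tightened.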