topic Re: R80.20 Identity Collector Syslog Parser in Firewall and Security Management

R80.20 Identity Collector Syslog Parser

Longson_Ho1 — Fri, 08 Feb 2019 08:27:01 GMT

Hi,

We are doing testing of R80.20 Identity Collector with Syslog Parser feature.

Is there any guide about how to create Syslog Parsers for Ruckus Zone Director (Version: 10.0.1.0 build 61) to get the identity information from login and logout event?

Thank you

Re: R80.20 Identity Collector Syslog Parser

PhoneBoy — Fri, 08 Feb 2019 20:26:47 GMT

It looks the configuration is based on regular expressions.

You'd have to work out what they are based on the specific log entries.

See: Configuring Identity Collector

Re: R80.20 Identity Collector Syslog Parser

Markus_Hauke — Sat, 12 Oct 2019 13:01:11 GMT

Hello,

I have a basic problem in understanding the syslog parsing scenario: I can configure an Identity Source of type syslog requiring an IP address and a port number (514). But: Is this the address of my syslog server containing for example the login data of my RADIUS infrastructure? How can the Collector connect to the syslog server remotely over the standard syslog port to READ messages? So far I thought that syslog is a one way protocol only receiving messages from remote.

Or am I wrong and the Identity Controller will spawn a new syslog server instance on that IP/port and I have to redirect my syslog messages directly to the Identity Controller?

The documentation does not really say anything about setting up the syslog parsing scenario.

Thank you for clarifying and best regards,

Markus

Re: R80.20 Identity Collector Syslog Parser

Jesse — Wed, 13 Nov 2019 16:24:19 GMT

I have successfully created a syslog parser to pull the login and logoff messages from Cisco AnyConnect VPN sessions:

#Create a logging list on the Cisco ASA for the needed messages and send them to the IDC:

(config)# logging list MYLIST message 746012-746013

(config)# logging trap MYLIST

(config)# logging host inside [IP of server running the IDC]

#IDC Parser:

I called it "CiscoACUserId" but the name can be anything you want.

##Logins:

Message Subject: (.+Add\sIP) **Check the box for Regex

Event Type: Login

Delimiter: :

Username Prefix: \sLOCAL\\

Username: (\w+\.*\w*)

Address Prefix: User\smapping\s

Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

##Logouts:

Click the * (asterisk) to add another message

Message Subject: (.+Delete\sIP) **Check the box for Regex

Event Type: Logout

Delimiter: :

Username Prefix: \sLOCAL\\

Username: (\w+\.*\w*)

Address Prefix: User\smapping\s

Address: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

#IDC Identity Source:

Name: My Cisco ASA hostname

IP Address: My Cisco ASA IP address

Port: 514

Site: MySiteName where the ASA is located

Parser: CiscoACUserId (the one created above)

#Query Pools:

Edit your query pool and check the box for the new syslog Identity Source

#Filters:

If you're filtering things, be sure the IPs and/or usernames you expect to collect from the ASA are not filtered out. Otherwise nothing should be needed here.